Merge branch 'master' into Lovina-Saldanha-4490409

.openpublishing.redirection.json

@@ -15654,6 +15654,11 @@
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac",
       "redirect_document_id": true
+    },
+	{
+      "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md",
+      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac",
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md",

browsers/internet-explorer/kb-support/ie-edge-faqs.md

@@ -10,9 +10,7 @@ ms.prod: internet-explorer
 ms.technology:
 ms.topic: kb-support
 ms.custom: CI=111020
-ms.localizationpriority: Normal
-# localization_priority: medium
-# ms.translationtype: MT
+ms.localizationpriority: medium
 ms.date: 01/23/2020
 ---
 # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros

education/docfx.json

@@ -7,7 +7,8 @@
           "**/**.yml"
         ],
         "exclude": [
-          "**/obj/**"
+          "**/obj/**",
+          "**/includes/**"
         ]
       }
     ],
@@ -19,7 +20,8 @@
           "**/*.svg"
         ],
         "exclude": [
-          "**/obj/**"
+          "**/obj/**",
+          "**/includes/**"
         ]
       }
     ],

windows/client-management/mdm/change-history-for-mdm-documentation.md

@@ -21,6 +21,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |New or updated article | Description|
 |--- | ---|
 | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:<br>- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
 
 ## October 2020
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 |New or updated article|Description|
 |-----|-----|
 | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:<br>- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
 | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:<br>- Settings/AllowWindowsDefenderApplicationGuard |
 
 ## What’s new in MDM for Windows 10, version 2004

windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md

@@ -50,17 +50,17 @@ ms.date: 10/08/2020
 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
 - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
-- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
-- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
-- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled)
-- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
+- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
+- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
+- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
+- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) <sup>9</sup>
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) <sup>9</sup>
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) <sup>9</sup>
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) <sup>9</sup>
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) <sup>9</sup>
 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
 - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
 - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
@@ -83,20 +83,22 @@ ms.date: 10/08/2020
 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) <sup>8</sup>
 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) <sup>8</sup>
 - [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) <sup>8</sup>
+- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) <sup>9</sup>
 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage)
-- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage)
+- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) <sup>9</sup>
+- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) <sup>9</sup>
 - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) <sup>9</sup>
 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
 - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
 - [System/AllowLocation](policy-csp-system.md#system-allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) <sup>9</sup>
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) <sup>9</sup>
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) <sup>9</sup>
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) <sup>9</sup>
 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
 - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
 - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
@@ -122,6 +124,7 @@ Footnotes:
 - 6 - Available in Windows 10, version 1903.
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
+- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
 
 ## Related topics
 

windows/client-management/mdm/policy-csp-deliveryoptimization.md

@@ -371,7 +371,7 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 
-This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses.  To add multiple values, separate each FQDN or IP address by commas.
+This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses.  To add multiple values, separate each FQDN or IP address by commas.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -754,8 +754,7 @@ The following list shows the supported values:
 -   2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
 -   3 – HTTP blended with Internet peering.
 -   99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
--   100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
-
+-   100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
 <!--/SupportedValues-->
 <!--/Policy-->
 
@@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
 
 For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
 
-Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
 
 <!--/Description-->
 <!--ADMXMapped-->

windows/client-management/mdm/policy-csp-servicecontrolmanager.md

@@ -78,6 +78,9 @@ If you enable this policy setting, built-in system services hosted in svchost.ex
 
 This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.  
 
+> [!IMPORTANT]
+> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).
+
 If you disable or do not configure this policy setting, the stricter security settings will not be applied.
 
 <!--/Description-->
@@ -122,4 +125,3 @@ Footnotes:
 - 8 - Available in Windows 10, version 2004.
 
 <!--/Policies-->
-

windows/client-management/mdm/policy-csp-userrights.md

@@ -75,6 +75,9 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
    
   If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (`<![CDATA[...]]>`) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
 
+> [!NOTE]
+> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services Logs<Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive.
+
 > [!NOTE]
 > `&#xF000;` is the entity encoding of 0xF000.
 
@@ -84,6 +87,18 @@ For example, the following syntax grants user rights to Authenticated Users and
 <![CDATA[Authenticated Users&#xF000;Replicator]]>
 ```
 
+For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2:
+
+```xml
+<![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>
+```
+
+For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group:
+
+```xml
+<![CDATA[*S-1-12-1-430441778-1204322964-3914475434-3271576427&#xF000;*S-1-12-1-2699785510-1240757380-4153857927-656075536]]>
+```
+
 <hr/>
 
 <!--Policies-->

windows/client-management/mdm/surfacehub-csp.md

@@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
 <p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
 
 <a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**  
-<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
+<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
 
 <p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
 
@@ -333,7 +333,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
 <tbody>
 <tr>
 <td>0</td>
-<td>Never timeout</td></tr>
+<td>Never time out</td></tr>
 <tr>
 <td>1</td>
 <td>1 minute</td>
@@ -385,7 +385,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
 <tbody>
 <tr>
 <td>0</td>
-<td>Never timeout</td></tr>
+<td>Never time out</td></tr>
 <tr>
 <td>1</td>
 <td>1 minute (default)</td>
@@ -437,7 +437,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
 <tbody>
 <tr>
 <td>0</td>
-<td>Never timeout</td></tr>
+<td>Never time out</td></tr>
 <tr>
 <td>1</td>
 <td>1 minute</td>
@@ -474,6 +474,16 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
 
 <p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
 
+<a href="" id="properties-sleepmode"></a>**Properties/SleepMode**
+<p style="margin-left: 20px">Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
+
+<p style="margin-left: 20px">Valid values:
+
+-   0 - Connected Standby (default)
+-   1 - Hibernate
+
+<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
+
 <a href="" id="properties-allowsessionresume"></a>**Properties/AllowSessionResume**  
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. 
 

windows/client-management/mdm/vpnv2-csp.md

@@ -52,7 +52,7 @@ Supported operations include Get, Add, and Delete.
 Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
 
 <a href="" id="vpnv2-profilename-apptriggerlist-apptriggerrowid"></a>**VPNv2/**<em>ProfileName</em>**/AppTriggerList/**<em>appTriggerRowId</em>  
-A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
 
 Supported operations include Get, Add, Replace, and Delete.
 
@@ -132,7 +132,7 @@ Returns the namespace type. This value can be one of the following:
 Value type is chr. Supported operation is Get.
 
 <a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid-dnsservers"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>**/DnsServers**  
-List of comma separated DNS Server IP addresses to use for the namespace.
+List of comma-separated DNS Server IP addresses to use for the namespace.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
@@ -202,7 +202,7 @@ Numeric value from 0-255 representing the IP protocol to allow. For example, TCP
 Value type is int. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-trafficfilterlist-trafficfilterid-localportranges"></a>**VPNv2/**<em>ProfileName</em>**/TrafficFilterList/**<em>trafficFilterId</em>**/LocalPortRanges**  
-A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
+A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
 
 > [!NOTE]
 > Ports are only valid when the protocol is set to TCP=6 or UDP=17.
@@ -210,7 +210,7 @@ A list of comma separated values specifying local port ranges to allow. For exam
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-trafficfilterlist-trafficfilterid-remoteportranges"></a>**VPNv2/**<em>ProfileName</em>**/TrafficFilterList/**<em>trafficFilterId</em>**/RemotePortRanges**  
-A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
+A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
 
 > [!NOTE]
 > Ports are only valid when the protocol is set to TCP=6 or UDP=17.
@@ -218,12 +218,12 @@ A list of comma separated values specifying remote port ranges to allow. For exa
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-trafficfilterlist-trafficfilterid-localaddressranges"></a>**VPNv2/**<em>ProfileName</em>**/TrafficFilterList/**<em>trafficFilterId</em>**/LocalAddressRanges**  
-A list of comma separated values specifying local IP address ranges to allow.
+A list of comma-separated values specifying local IP address ranges to allow.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-trafficfilterlist-trafficfilterid-remoteaddressranges"></a>**VPNv2/**<em>ProfileName</em>**/TrafficFilterList/**<em>trafficFilterId</em>**/RemoteAddressRanges**  
-A list of comma separated values specifying remote IP address ranges to allow.
+A list of comma-separated values specifying remote IP address ranges to allow.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
@@ -243,7 +243,7 @@ Added in Windows 10, version 2004. Specifies the traffic direction to apply this
 - Outbound - The rule applies to all outbound traffic
 - Inbound - The rule applies to all inbound traffic
 
-If no inbound filter is provided, then by default all unsolicated inbound traffic will be blocked.
+If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
@@ -327,7 +327,7 @@ Valid values:
 - True = Register the connection's addresses in DNS.
 
 <a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/**<em>ProfileName</em>**/DnsSuffix**  
-Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
@@ -345,7 +345,10 @@ Added in Windows 10, version 1607. The XML schema for provisioning all the fiel
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-proxy"></a>**VPNv2/**<em>ProfileName</em>**/Proxy**  
-A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected.
+
+> [!NOTE]
+> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used.
 
 <a href="" id="vpnv2-profilename-proxy-manual"></a>**VPNv2/**<em>ProfileName</em>**/Proxy/Manual**  
 Optional node containing the manual server settings.
@@ -436,7 +439,7 @@ Required for native profiles. Public or routable IP address or DNS name for the
 
 The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. 
 
-You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
@@ -1329,4 +1332,3 @@ Servers
 
 
 
-

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1659,7 +1659,7 @@ You can turn off **Enhanced Notifications** as follows:
 
   -or-
 
-- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**.
+- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.
 
 
 ### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen

windows/security/identity-protection/access-control/active-directory-security-groups.md

@@ -3368,9 +3368,9 @@ This security group has not changed since Windows Server 2008.
 
 ### <a href="" id="bkmk-serveroperators"></a>Server Operators
 
-Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
+Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
 
-By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
+By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
 
 The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard
 
 2.  Click **System Summary**.
 
-3.  Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**.
+3.  Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
 
     Here's an example:
 

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -74,10 +74,12 @@ Two client-side configuration service providers are leveraged for VPN device com
    - Collects TPM data used to verify health states
    - Forwards the data to the Health Attestation Service (HAS)
    - Provisions the Health Attestation Certificate received from the HAS
-   - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+   - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
    
 > [!NOTE]
-> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. 
+> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
+> 
+> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
 
 ## Client connection flow
 

windows/security/identity-protection/vpn/vpn-connection-type.md

@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dulcemontemayor
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -61,11 +61,11 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse
 
 See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
 
-The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
 
 ![Available connection types](images/vpn-connection-intune.png)
      
-In Intune, you can also include custom XML for third-party plug-in profiles.
+In Intune, you can also include custom XML for third-party plug-in profiles:
 
 ![Custom XML](images/vpn-custom-xml-intune.png)
 

windows/security/identity-protection/vpn/vpn-guide.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 author: dulcemontemayor
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -20,12 +20,12 @@ ms.author: dansimp
 - Windows 10
 - Windows 10 Mobile
 
-This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
 
-![Intune VPN policy template](images/vpn-intune-policy.png)
+To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10).
 
->[!NOTE]
->This guide does not explain server deployment.  
+> [!NOTE]
+> This guide does not explain server deployment.
 
 ## In this guide
 
@@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie
 
 ## Learn more
 
-- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
-
-
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
 

windows/security/identity-protection/vpn/vpn-profile-options.md

@@ -34,7 +34,6 @@ The following table lists the VPN settings and whether the setting can be config
 | Routing: forced-tunnel | yes |
 | Authentication (EAP) | yes, if connection type is built-in |
 | Conditional access | yes |
-| Proxy settings | yes, by PAC/WPAD file or server and port |
 | Name resolution: NRPT | yes |
 | Name resolution: DNS suffix | no |
 | Name resolution: persistent | no |
@@ -45,6 +44,10 @@ The following table lists the VPN settings and whether the setting can be config
 | LockDown | no |
 | Windows Information Protection (WIP) | yes |
 | Traffic filters | yes |
+| Proxy settings | yes, by PAC/WPAD file or server and port |
+
+> [!NOTE] 
+> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
 
 The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
 

windows/security/information-protection/bitlocker/bitlocker-overview.md

@@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B
 The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
 
 > [!IMPORTANT]
-> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/).
+> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
 
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
@@ -74,6 +74,8 @@ The hard disk must be partitioned with at least two drives:
 -   The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
 -   The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
 
+A fixed data volume or removable data volume cannot be marked as an active partition.
+
 When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
 
 When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
@@ -98,4 +100,3 @@ When installing the BitLocker optional component on a server you will also need
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
 
-

windows/security/threat-protection/TOC.md

@@ -161,7 +161,7 @@
 ###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
 ###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
    
-##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
    
 ##### [Antivirus compatibility]()
 ###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
@@ -179,29 +179,29 @@
 ##### [Deploy, manage updates, and report on antivirus]()
 ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
 ###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
+###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
    
 ###### [Report on antivirus protection]()
-####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
+###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
    
 ###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
    
 ##### [Customize, initiate, and review the results of scans and remediation]()
 ###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
    
 ###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
+###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
 ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
 ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
 ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
@@ -215,10 +215,10 @@
 ###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
    
 ###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
    
 ###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
 
@@ -230,7 +230,7 @@
 ###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
 ###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
    
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
 #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
 
 

windows/security/threat-protection/index.md

@@ -1,6 +1,6 @@
 ---
 title: Threat Protection (Windows 10)
-description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
+description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
 keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -17,12 +17,12 @@ ms.topic: conceptual
 ---
 
 # Threat Protection
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
 
 > [!TIP]
 > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). 
 
-<center><h2>Microsoft Defender ATP</center></h2>
+<center><h2>Microsoft Defender for Endpoint</center></h2>
 <table>
 <tr>
 <td><a href="#tvm"><center><img src="images/TVM_icon.png" alt="threat and vulnerability icon"> <br><b>Threat & vulnerability management</b></center></a></td>
@@ -37,7 +37,7 @@ ms.topic: conceptual
 <a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
 </tr>
 <tr>
-<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
+<td colspan="7"><a href="#mtp"><center><b>Microsoft 365 Defender</a></center></b></td>
 </tr>
 </table>
 <br>
@@ -73,7 +73,7 @@ The attack surface reduction set of capabilities provide the first line of defen
 <a name="ngp"></a>
 
 **[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**<br>
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
+To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
 
 - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
 - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
@@ -98,7 +98,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
 <a name="ai"></a>
 
 **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
-In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
 
 - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
 - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@@ -107,16 +107,16 @@ In addition to quickly responding to advanced attacks, Microsoft Defender ATP of
 <a name="mte"></a>
 
 **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
-Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
+Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
 
 - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
 - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
-- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md)
 
 <a name="apis"></a>
 
 **[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**<br>
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
+Integrate Microsoft Defender for Endpoint into your existing workflows.
 - [Onboarding](microsoft-defender-atp/onboard-configure.md)
 - [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
 - [Exposed APIs](microsoft-defender-atp/apis-intro.md)
@@ -125,14 +125,14 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
 
 <a name="integration"></a>
 **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)** <br>
- Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
+ Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
 - Intune
-- Office 365 ATP
-- Azure ATP
-- Azure Security Center
+- Microsoft Defender for Office 365
+- Microsoft Defender for Identity
+- Azure Defender
 - Skype for Business
 - Microsoft Cloud App Security
 
 <a name="mtp"></a>
-**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
+**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
+ With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 11/18/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -37,15 +37,16 @@ The following broad categories of features can be configured:
 
 - Cloud-delivered protection
 - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
-- How end-users interact with the client on individual endpoints
+- How end users interact with the client on individual endpoints
 
-The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
+The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
 
-You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. 
+|Article  |Description  |
+|---------|---------|
+|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)     | Use cloud-delivered protection for advanced, fast, robust antivirus detection.        |
+|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)     |Enable behavior-based, heuristic, and real-time antivirus protection.         |
+|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
+
+> [!TIP]
+> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. 
 
-## In this section
-Topic | Description
-:---|:---
-[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
-[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
-[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings

windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 07/08/2020
+ms.date: 11/18/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -62,7 +62,7 @@ The table below lists the services and their associated URLs. Make sure that the
 | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| `ussus1eastprod.blob.core.windows.net` <br/>    `ussus1westprod.blob.core.windows.net` <br/>    `usseu1northprod.blob.core.windows.net` <br/>    `usseu1westprod.blob.core.windows.net` <br/>    `ussuk1southprod.blob.core.windows.net` <br/>    `ussuk1westprod.blob.core.windows.net` <br/>    `ussas1eastprod.blob.core.windows.net` <br/>    `ussas1southeastprod.blob.core.windows.net` <br/>    `ussau1eastprod.blob.core.windows.net` <br/>    `ussau1southeastprod.blob.core.windows.net` |
 | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| `http://www.microsoft.com/pkiops/crl/` <br/> `http://www.microsoft.com/pkiops/certs` <br/>   `http://crl.microsoft.com/pki/crl/products` <br/> `http://www.microsoft.com/pki/certs` |
 | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows	| `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes	| This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   `vortex-win.data.microsoft.com` <br/>   `settings-win.data.microsoft.com`|
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes	| The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   `vortex-win.data.microsoft.com` <br/>   `settings-win.data.microsoft.com`|
 
 ## Validate connections between your network and the cloud
 
@@ -85,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun
 
 You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
 
-Download the file by visiting the following link:
-- https://aka.ms/ioavtest
+Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
 
 >[!NOTE]
 >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
@@ -105,11 +104,11 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
 
     ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
 
-3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware.
+3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
 
    > [!NOTE]
    > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).

windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md

@@ -26,15 +26,16 @@ manager: dansimp
 
 You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
 
-This topic describes how to configure exclusion lists for the following:
+This article describes how to configure exclusion lists. 
 
-<a id="examples"></a>
+## Examples of exclusions
+
+|Exclusion | Example |
+|---|---|
+|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by: <br/>`c:\sample\test.exe`<br/>`d:\internal\files\test.exe` |  
+|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:<br/>`c:\test\sample\test.exe`<br/>`c:\test\sample\test2.exe`<br/>`c:\test\sample\utility.exe` | 
+|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
 
-Exclusion | Example
----|---
-Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: <ul><li>c:\sample\test.exe</li><li>d:\internal\files\test.exe</li></ul>  
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:<ul><li>c:\test\sample\test.exe</li><li>c:\test\sample\test2.exe</li><li>c:\test\sample\utility.exe</li></ul> 
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
 
 When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
 
@@ -42,18 +43,16 @@ The exclusions only apply to [always-on real-time protection and monitoring](con
 
 Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
 
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
 
-You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
+You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
 
-By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
 
 You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
 
 ## Configure the list of exclusions for files opened by specified processes
 
-<a id="gp"></a>
-
 ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
 
 See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
@@ -74,14 +73,12 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 
     1. Set the option to **Enabled**.
     2. Under the **Options** section, click **Show...**.
-    3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions.  Enter **0** in the **Value** column for all processes.
+    3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions.  Enter **0** in the **Value** column for all processes.
 
 5. Click **OK**.
 
 ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
 
-<a id="ps"></a>
-
 ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
 
 Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@@ -94,11 +91,11 @@ The format for the cmdlets is:
 
 The following are allowed as the \<cmdlet>:
 
-Configuration action | PowerShell cmdlet
----|---
-Create or overwrite the list | `Set-MpPreference`
-Add to the list | `Add-MpPreference`
-Remove items from the list | `Remove-MpPreference`
+|Configuration action | PowerShell cmdlet |
+|---|---|
+|Create or overwrite the list | `Set-MpPreference` |
+|Add to the list | `Add-MpPreference` |
+|Remove items from the list | `Remove-MpPreference` |
 
 >[!IMPORTANT]
 >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
@@ -109,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans
 Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
 ```
 
-See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true).
 
 ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
 
@@ -121,33 +118,24 @@ ExclusionProcess
 
 The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
 
-See the following for more information and allowed parameters:
-
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-<a id="man-tools"></a>
+For more information and allowed parameters, see  [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
 
 ### Use the Windows Security app to exclude files that have been opened by specified processes from scans
 
 See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
 
-<a id="wildcards"></a>
-
 ## Use wildcards in the process exclusion list
 
 The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
 
-In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
+In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.
 
 The following table describes how the wildcards can be used in the process exclusion list:
 
-Wildcard | Use | Example use | Example matches
----|---|---|---
-\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\\*</li></ul> | <ul><li>Any file opened by C:\MyData\file.exe</li></ul>
-? (question mark) | Not available | \- | \-
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |  <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
-
-<a id="review"></a>
+|Wildcard | Example use | Example matches |
+|:---|:---|:---|
+|`*` (asterisk) <br/><br/> Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
+|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
 
 ## Review the list of exclusions
 

windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md

@@ -10,8 +10,8 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 01/31/2020
-ms.reviewer: 
+ms.date: 11/18/2020
+ms.reviewer: jesquive
 manager: dansimp
 ---
 
@@ -28,7 +28,7 @@ In addition to standard on-premises or hardware configurations, you can also use
 
 See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
 
-For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
+For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection).
 
 With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
 
@@ -49,7 +49,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
 
 ## Set up a dedicated VDI file share
 
-In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
 
 ### Use Group Policy to enable the shared security intelligence feature:
 
@@ -63,7 +63,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat
 
 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
 
-6. Enter `\\<sharedlocation\>\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
+6. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
 
 7. Click **OK**.
 
@@ -81,7 +81,7 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec
 
 ## Download and unpackage the latest updates
 
-Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
+Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
 
 ```PowerShell
 $vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-'
@@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
 ```
 
 You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. 
-We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. 
+We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. 
 
 Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit.
 
@@ -106,23 +106,25 @@ Security intelligence packages are typically published once every three to four
 
 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
 
-2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
+2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**.
 
-3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
+3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
 
 4. You can choose to configure additional settings if you wish.
 
-5. Click **OK** to save the scheduled task.
+5. Select **OK** to save the scheduled task.
  
 You can initiate the update manually by right-clicking on the task and clicking **Run**.
 
 ### Download and unpackage manually
 
-If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior:
+If you would prefer to do everything manually, here's what to do to replicate the script’s behavior:
 
 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
 
-2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`.
+2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
+
+Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
 
    > [!NOTE]
    > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
@@ -138,74 +140,99 @@ If you would prefer to do everything manually, this what you would need to do to
 
 Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
 
-The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
+The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan.
 
 See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
 
 ## Use quick scans
 
-You can specify the type of scan that should be performed during a scheduled scan.
-Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
+You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
 
-1. Expand the tree to **Windows components > Windows Defender > Scan**.
+1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
 
-2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
+2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
 
-3. Click **OK**.
+3. Set the policy to **Enabled**, and then under **Options**, select  **Quick scan**.
+
+4. Select **OK**. 
+
+5. Deploy your Group Policy object as you usually do.
 
 ## Prevent notifications
 
-Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface.
+Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy.
 
-1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
 
-2. Double-click **Suppress all notifications** and set the option to **Enabled**.
+2. Select **Suppress all notifications** and then edit the policy settings. 
 
-3. Click **OK**.
+3. Set the policy to **Enabled**, and then select **OK**.
 
-This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
+4. Deploy your Group Policy object as you usually do.
+
+Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+> [!TIP]
+> To open the Action Center on Windows 10, take one of the following steps:
+> - On the right end of the taskbar, select the Action Center icon.
+> - Press the Windows logo key button + A.
+> - On a touchscreen device, swipe in from the right edge of the screen.
 
 ## Disable scans after an update
 
-This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
+Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
 
 > [!IMPORTANT]
 > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
 
-1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
 
-2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
+2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
 
-3. Click **OK**.
+3. Set the policy to **Disabled**.
 
-This prevents a scan from running immediately after an update.
+4. Select **OK**.
+
+5. Deploy your Group Policy object as you usually do.
+
+This policy prevents a scan from running immediately after an update.
 
 ## Scan VMs that have been offline
 
-1. Expand the tree to **Windows components > Windows Defender > Scan**.
+1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
 
-2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
+2. Select **Turn on catch-up quick scan** and then edit the policy setting.
 
-3. Click **OK**.
+3. Set the policy to **Enabled**.
 
-This forces a scan if the VM has missed two or more consecutive scheduled scans.
+4. Select **OK**.
+
+5. Deploy your Group Policy Object as you usually do.
+
+This policy forces a scan if the VM has missed two or more consecutive scheduled scans.
 
 ## Enable headless UI mode
 
-1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
 
-2. Click **OK**.
+2. Select **Enable headless UI mode** and edit the policy.
 
-This hides the entire Microsoft Defender AV user interface from users.
+3. Set the policy to **Enabled**.
+
+4. Click **OK**.
+
+5. Deploy your Group Policy Object as you usually do.
+ 
+This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
 
 ## Exclusions
 
 Exclusions can be added, removed, or customized to suit your needs.
 
-For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
+For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
 
 ## Additional resources
 
-- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)
 - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
 - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)

windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
-title: Enable cloud-delivered protection in Microsoft Defender Antivirus
-description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
+title: Turn on cloud-delivered protection in Microsoft Defender Antivirus
+description: Turn on cloud-delivered protection to benefit from fast and advanced protection features.
 keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -9,16 +9,16 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
 ---
 
-# Enable cloud-delivered protection
+# Turn on cloud-delivered protection
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 
 - Microsoft Defender Antivirus
@@ -29,55 +29,60 @@ ms.custom: nextgen
 Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
 
-You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets.
+
+ You can also turn it on or off in individual clients with the Windows Security app.
 
 See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
 
-There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details.
+For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md).
 
 > [!NOTE]
-> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
 
-## Use Intune to enable cloud-delivered protection
+## Use Intune to turn on cloud-delivered protection
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **All services > Intune**.
-3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. On the **Home** pane, select **Device configuration > Profiles**.
+3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**.
 5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
-7. In the **Submit samples consent** dropdown, select one of the following:
-
-    - **Send safe samples automatically**
-    - **Send all samples automatically**
-
-        >[!NOTE]
-        > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
-        > [!WARNING]
-        > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
-
-8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**.
 
 For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
 
-## Use Configuration Manager to enable cloud-delivered protection
+## Use Microsoft Endpoint Configuration  Manager to turn on cloud-delivered protection
 
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
+    1. **High**: Applies a strong level of detection.
+    2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
+    3. **Zero tolerance**: Blocks all unknown executables.
+6. Select **Review + save**, then choose **Save**.
 
-## Use Group Policy to enable cloud-delivered protection
+For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service).
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+## Use Group Policy to turn on cloud-delivered protection
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
+
+2. In the **Group Policy Management Editor**, go to **Computer configuration**.
 
 3. Select **Administrative templates**.
 
 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
 
-5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
+5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
 
-6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
+6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either:
 
     1. **Send safe samples** (1)
     2. **Send all samples** (3)
@@ -88,18 +93,18 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
         > [!WARNING]
         > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
 
-7. Click **OK**.
+7. Select **OK**.
 
-## Use PowerShell cmdlets to enable cloud-delivered protection
+## Use PowerShell cmdlets to turn on cloud-delivered protection
 
-Use the following cmdlets to enable cloud-delivered protection:
+The following cmdlets can turn on cloud-delivered protection:
 
 ```PowerShell
 Set-MpPreference -MAPSReporting Advanced
 Set-MpPreference -SubmitSamplesConsent SendAllSamples
 ```
 
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
 
 >[!NOTE]
 > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
@@ -107,7 +112,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
 >[!WARNING]
 > Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
 
-## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
+## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
 
@@ -116,33 +121,31 @@ MAPSReporting
 SubmitSamplesConsent
 ```
 
-See the following for more information and allowed parameters:
+For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-## Enable cloud-delivered protection on individual clients with the Windows Security app
+## Turn on cloud-delivered protection on individual clients with the Windows Security app
 
 > [!NOTE]
 > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
 
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**.
 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
 
     ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
 
 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
 
->[!NOTE]
->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
+> [!NOTE]
+> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
 
-## Related topics
+## Related articles
 
 - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
 - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
 - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
 - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
 - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md

@@ -1,6 +1,6 @@
 ---
 title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
+description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection.
 keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -10,29 +10,30 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 02/25/2020
+ms.date: 11/12/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
 ---
 
-# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+# Next-generation protection in Windows
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
+- Windows 10
+- Windows Server 2016
+- Windows Server 2019
 
 ## Microsoft Defender Antivirus: Your next-generation protection
 
-Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities:
 
-- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
-- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
-- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date.
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware.
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date.
 
 ## Try a demo!
 
@@ -43,7 +44,7 @@ Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microso
 
 ## Minimum system requirements
 
-Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources:
 
 - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
 - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)

windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md

@@ -14,7 +14,7 @@ audience: ITPro
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 10/14/2020
+ms.date: 11/12/2020
 ---
 
 # Protect security settings with tamper protection
@@ -29,7 +29,7 @@ ms.date: 10/14/2020
 
 ## Overview
 
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring.
 
 With tamper protection, malicious apps are prevented from taking actions such as:
 
@@ -92,7 +92,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
 
 1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
 
-    - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
+    - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
     - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
     - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
     - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
@@ -132,7 +132,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
 > [!IMPORTANT]
 > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
 
-If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
+If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
 
 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
 
@@ -183,9 +183,9 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
 
 Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
 
-If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
+If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
 
-### Will tamper protection have any impact on third party antivirus registration?
+### Will tamper protection have any impact on third-party antivirus registration?
 
 No. Third-party antivirus offerings will continue to register with the Windows Security application.
 
@@ -210,7 +210,7 @@ Your regular group policy doesn’t apply to tamper protection, and changes to M
 > [!NOTE]
 > A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection.
 
-To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior using GPO and allow tamper protection to protect your Microsoft Defender Antivirus settings.
 
 Some sample Microsoft Defender Antivirus settings:
 
@@ -246,7 +246,7 @@ If a device is off-boarded from Microsoft Defender for Endpoint, tamper protecti
 
 Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
 
-In addition, your security operations team can use hunting queries, such as the following:
+In addition, your security operations team can use hunting queries, such as the following example:
 
 `DeviceAlertEvents | where Title == "Tamper Protection bypass"`
 

windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -20,49 +20,55 @@ manager: dansimp
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
 
-
 ## Quick scan versus full scan
 
-Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
 
-> [!IMPORTANT] 
-> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. 
+> [!IMPORTANT]
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
 
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
 
-In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
 
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is  ideal if your organization is running on-demand scans.
 
->[!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
+> [!NOTE]
+> By default, quick scans run on mounted removable devices, such as USB drives.
 
-## Use Configuration Manager to run a scan
+## Use Microsoft Endpoint Configuration Manager to run a scan
 
-See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
+4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
+
+[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox)
+
+> [!TIP]
+> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers).
 
 ## Use the mpcmdrun.exe command-line utility to run a scan
 
 Use the following `-scan` parameter:
 
-```DOS
+```console
 mpcmdrun.exe -scan -scantype 1
 ```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md).
 
 ## Use Microsoft Intune to run a scan
 
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-
-2. Select **...More** and then select **Quick Scan** or **Full Scan**.
-
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
+3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
 
 ## Use the Windows Security app to run a scan
 
@@ -75,15 +81,14 @@ Use the following cmdlet:
 ```PowerShell
 Start-MpScan
 ```
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
 
 ## Use Windows Management Instruction (WMI) to run a scan
 
-Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class.
 
+For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 ## Related articles
 

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md

@@ -27,7 +27,7 @@ ms.custom: asr
 
 ## Is attack surface reduction (ASR) part of Windows?
 
-ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
+ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
 
 ## Do I need to have an enterprise license to run ASR rules?
 
@@ -77,7 +77,7 @@ Keep the rule in audit mode for about 30 days to get a good baseline for how the
 
 ## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR?
 
-In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. 
+In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. 
 
 The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities.
 
@@ -127,7 +127,7 @@ Because many legitimate processes throughout a typical day will be calling on ls
 
 Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
 
-## Related topics
+## See also
 
 * [Attack surface reduction overview](attack-surface-reduction.md)
 * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md

@@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ
 |------|---------|--------|--------|   
 |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |  
 |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |  
-|*.blob.core.windows.net |Port 443 |Outbound|Yes |  
+|*.blob.core.windows.net |Port 443 |Outbound|Yes |
+|*.azure-automation.net |Port 443 |Outbound|Yes |  
 
 
 > [!NOTE]

windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md

@@ -128,6 +128,11 @@ Once completed, you should see onboarded Windows servers in the portal within an
 
 After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
 
+> [!NOTE]
+> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
+> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. 
+> - This is also required if the server is configured to use an OMS Gateway server as proxy.
+
 ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
 You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
  in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
@@ -249,12 +254,14 @@ To offboard the Windows server, you can use either of the following methods:
 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
 
     ```powershell
+    $ErrorActionPreference = "SilentlyContinue"
     # Load agent scripting object
     $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
     # Remove OMS Workspace
-    $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
+    $AgentCfg.RemoveCloudWorkspace("WorkspaceID")
     # Reload the configuration and apply changes
     $AgentCfg.ReloadConfiguration()
+
     ```
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)

windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md

@@ -10,7 +10,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.reviewer: 
+ms.reviewer: ksarens
 manager: dansimp
 ---
 
@@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
     - If the app you want to configure is already listed, click it and then click **Edit**.
     - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+     - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+     - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
 
@@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 
-Enabled in **Program settings** | Enabled in **System settings** | Behavior
--|-|-
-[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
-[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
-[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
-[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
+|Enabled in **Program settings** | Enabled in **System settings** | Behavior |
+|:---|:---|:---|
+|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
+|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
+|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
+|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
 
 ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
 
@@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
 3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
     - If the app you want to configure is already listed, click it and then click **Edit**.
     - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+     - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+     - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
@@ -209,41 +209,41 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
 
 This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
 
-Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
-- | - | - | -
-Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available
-Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available
-Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available
-Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
-Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
-Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
-Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
-Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
-Block remote images | App-level only |   BlockRemoteImages  | Audit not available
-Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
-Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
-Disable extension points | App-level only |   ExtensionPoint  | Audit not available
-Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
-Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
-Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available
-Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available
-Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available
-Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available
-Validate handle usage | App-level only |   StrictHandle  | Audit not available
-Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
-Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
+|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
+|:---|:---|:---|:---|
+|Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available |
+|Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available |
+|Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available |
+|Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
+|Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
+|Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
+|Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
+|Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
+|Block remote images | App-level only |   BlockRemoteImages  | Audit not available
+|Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
+|Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
+|Disable extension points | App-level only |   ExtensionPoint  | Audit not available
+|Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
+|Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
+|Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+||Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+|Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+|Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+|Validate handle usage | App-level only |   StrictHandle  | Audit not available |
+|Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available |
+|Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
 
 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
 
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
-
+<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
 ## Customize the notification
 
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
-## Related topics
+## See also
 
 * [Evaluate exploit protection](evaluate-exploit-protection.md)
 * [Configure and audit exploit protection mitigations](customize-exploit-protection.md)

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -1,165 +0,0 @@
----
-title: Enable Microsoft Defender for Endpoint Insider Device
-description: Install and use Microsoft Defender for Endpoint (Mac).
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: 
-- m365-security-compliance 
-- m365initiative-defender-endpoint 
-ms.topic: conceptual
----
-
-# Enable Microsoft Defender for Endpoint Insider Device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
-
-> [!IMPORTANT]
-> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
-
-## Enable the Insider program with Jamf
-
-1. Create configuration profile `com.microsoft.wdav.plist` with the following content:
-
-   ```XML
-       <?xml version="1.0" encoding="UTF-8"?>
-       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-       <plist version="1.0">
-       <dict>
-           <key>edr</key>
-           <dict>
-               <key>earlyPreview</key>
-               <true/>
-           </dict>
-       </dict>
-       </plist>
-   ```
-
-1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
-
-1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier.
-
-   > [!WARNING]
-   > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
-
-## Enable the Insider program with Intune
-
-1. Create configuration profile `com.microsoft.wdav.plist` with the following content:
-
-    ```XML
-       <?xml version="1.0" encoding="utf-8"?>
-       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-       <plist version="1">
-           <dict>
-               <key>PayloadUUID</key>
-               <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-               <key>PayloadType</key>
-               <string>Configuration</string>
-               <key>PayloadOrganization</key>
-               <string>Microsoft</string>
-               <key>PayloadIdentifier</key>
-               <string>com.microsoft.wdav</string>
-               <key>PayloadDisplayName</key>
-               <string>Microsoft Defender ATP settings</string>
-               <key>PayloadDescription</key>
-               <string>Microsoft Defender ATP configuration settings</string>
-               <key>PayloadVersion</key>
-               <integer>1</integer>
-               <key>PayloadEnabled</key>
-               <true/>
-               <key>PayloadRemovalDisallowed</key>
-               <true/>
-               <key>PayloadScope</key>
-               <string>System</string>
-               <key>PayloadContent</key>
-               <array>
-                   <dict>
-                       <key>PayloadUUID</key>
-                       <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                       <key>PayloadType</key>
-                       <string>com.microsoft.wdav</string>
-                       <key>PayloadOrganization</key>
-                       <string>Microsoft</string>
-                       <key>PayloadIdentifier</key>
-                       <string>com.microsoft.wdav</string>
-                       <key>PayloadDisplayName</key>
-                       <string>Microsoft Defender ATP configuration settings</string>
-                       <key>PayloadDescription</key>
-                       <string/>
-                       <key>PayloadVersion</key>
-                       <integer>1</integer>
-                       <key>PayloadEnabled</key>
-                       <true/>
-                       <key>edr</key>
-                       <dict>
-                           <key>earlyPreview</key>
-                           <true/>
-                       </dict>
-                   </dict>
-               </array>
-           </dict>
-       </plist>
-   ```
-
-1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
-
-1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
-
-1. Save the `.plist` created earlier as com.microsoft.wdav.xml.
-
-1. Enter `com.microsoft.wdav` as the custom configuration profile name.
-
-1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1.
-
-1. Select  **OK**.
-
-1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
-
-   > [!WARNING]
-   > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
-
-## Enable the Insider program manually on a single device
-
-In terminal, run:
-
-```bash
-    mdatp --edr --early-preview true
-```
-
-For versions earlier than 100.78.0, run:
-
-```bash
-    mdatp --edr --earlyPreview true
-```
-
-## Troubleshooting
-
-### Verify you are running the correct version
-
-To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
-
-To verify you are running the correct version, run `mdatp --health` on the device.
-
-* The required version is 100.72.15 or later.
-* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal.
-* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
-* If you are not using Office for Mac, download and run the AutoUpdate tool.
-
-### A device still does not appear on Microsoft Defender Security Center
-
-After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`.
-
-* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
-
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -50,18 +50,30 @@ This page explains how to create an AAD application, get an access token to Micr
 
 ## Create an app
 
-1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role.
 
 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. 
 
    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
 
-3. In the registration from, enter the following information then select **Register**.
+3. When the **Register an application** page appears, enter your application's registration information:
 
-   ![Image of Create application window](images/nativeapp-create2.png)
+   - **Name** - Enter a meaningful application name that will be displayed to users of the app.
+   - **Supported account types** - Select which accounts you would like your application to support.
 
-   - **Name:** -Your application name-
-   - **Application type:** Public client
+       | Supported account types | Description |
+       |-------------------------|-------------|
+       | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.<br><br>This option maps to Azure AD only single-tenant.<br><br>This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. |
+       | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.<br><br>This option maps to an Azure AD only multi-tenant.<br><br>If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. |
+       | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.<br><br>This option maps to Azure AD multi-tenant and personal Microsoft accounts.<br><br>If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. |
+
+   - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application.
+       - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.
+       - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`.
+
+     To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts).
+
+     When finished, select **Register**.
 
 4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission:
 

windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md

@@ -97,8 +97,6 @@ Content-type: application/json
             "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
             "firstSeen": "2019-12-18T08:02:54Z",
             "lastSeen": "2020-01-06T08:01:48Z",
-            "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
-            "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
             "logonTypes": "Interactive",
             "logOnMachinesCount": 8,
             "isDomainAdmin": true,

windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md

@@ -24,26 +24,17 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+> [!NOTE]
+> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
 
+## Configure custom indicators
 
-## Configure custom indicators 
-Defender for Endpoint for iOS enables admins to configure custom indicators on
-iOS devices as well. Refer to [Manage
-indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-on how to configure custom indicators
+Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators.
+
+> [!NOTE]
+> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
 
 ## Web Protection
-By default, Defender for Endpoint for iOS includes and enables the web
-protection feature. [Web
-protection](web-protection-overview.md) helps
-to secure devices against web threats and protect users from phishing attacks.
 
->[!NOTE]
->Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. 
+By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
 

windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md

@@ -97,7 +97,9 @@ Then rerun step 2.
 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
 Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
 
-5. Ensure that the daemon has executable permission.
+5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. 
+
+6. Ensure that the daemon has executable permission.
     ```bash
     ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
     ```
@@ -110,7 +112,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
     ```
     and retry running step 2.
 
-6. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
+7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
 
 ## If mdatp service is running, but EICAR text file detection doesn't work
 

windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md

@@ -58,6 +58,9 @@ Wildcard | Description | Example | Matches | Does not match
 \* |	Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
 ? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
 
+>[!NOTE]
+>The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
+
 ## How to configure the list of exclusions
 
 ### From the management console

windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md

@@ -24,7 +24,10 @@ ms.topic: conceptual
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 > [!IMPORTANT]
-> Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app.
+> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+
+> [!IMPORTANT]
+> With the agent version 101.13.75+, we released a change that removed conditions when Microsoft Defender for Endpoint was triggering the macOS Big Sur bug that manifests into a kernel panic. With that change Defender code path should no longer directly facilitate the kernel panic.
 
 ## 101.13.75
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md

@@ -24,38 +24,33 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
-The public preview of Defender for Endpoint for iOS will offer protection
-against phishing and unsafe network connections from websites, emails, and apps.
-All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center. The portal gives security teams a centralized view of threats on
+**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
 iOS devices along with other platforms.
 
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
+
 ## Pre-requisites
 
-
 **For End Users**
 
--   Defender for Endpoint license assigned to the end user(s) of the app. Refer
-    [Assign licenses to
-    users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
-    for instructions on how to assign licenses.
+- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
+
+- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
+    - Intune Company Portal app can be downloaded from [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
+
+- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
+
 
 **For Administrators**
 
 -   Access to the Microsoft Defender Security Center portal
+ 
+    > [!NOTE]
+    > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune. 
 
 -   Access to [Microsoft Endpoint Manager admin
-    center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
-    to enrolled user groups in your organization
+    center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization
 
 **System Requirements**
 
@@ -64,6 +59,14 @@ iOS devices along with other platforms.
 -   Device is enrolled with Intune Company Portal
     [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
 
+> [!NOTE]
+> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
+
+## Installation instructions
+
+Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
+For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
+
 ## Resources
 
 -   Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md

@@ -92,6 +92,10 @@ If you experience any installation failures, refer to [Troubleshooting installat
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
+- Audit framework (`auditd`) must be enabled.
+  >[!NOTE]
+  > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key.
+
 ### Network connections
 
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md

@@ -39,7 +39,7 @@ This topic describes how to install, configure, update, and use Defender for End
 > [!TIP]
 > If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**.
 
-To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. See [Enable Microsoft Defender for Endpoint Insider Device](endpoint-detection-response-mac-preview.md). 
+To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device.
 
 ## How to install Microsoft Defender for Endpoint for Mac
 
@@ -66,7 +66,10 @@ There are several methods and deployment tools that you can use to install and c
 The three most recent major releases of macOS are supported.
 
 > [!IMPORTANT]
-> Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app.
+> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+
+> [!IMPORTANT]
+> With the agent version 101.13.75+, we released a change that removed conditions when Microsoft Defender for Endpoint was triggering the macOS Big Sur bug that manifests into a kernel panic. With that change Defender code path should no longer directly facilitate the kernel panic.
 
 - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
 - Disk space: 1GB

windows/security/threat-protection/microsoft-defender-atp/non-windows.md

@@ -36,7 +36,7 @@ have committed to building security solutions not just *for* Microsoft, but also
 heterogenous environments. We're listening to customer feedback and partnering
 closely with our customers to build solutions that meet their needs.
 
-With Defender for Endpoint, customers benefit from a unified view of all
+With Microsoft Defender for Endpoint, customers benefit from a unified view of all
 threats and alerts in the Microsoft Defender Security Center, across Windows and
 non-Windows platforms, enabling them to get a full picture of what's happening
 in their environment, which empowers them to more quickly assess and respond to
@@ -44,7 +44,7 @@ threats.
 
 ## Microsoft Defender for Endpoint for Mac 
 
-Microsoft Defender for Endpoint for Mac offers AV and EDR capabilities for the three
+Microsoft Defender for Endpoint for Mac offers antivirus and endpoint detection and response (EDR) capabilities for the three
 latest released versions of macOS. Customers can deploy and manage the solution
 through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
 applications on macOS, Microsoft Auto Update is used to manage Microsoft
@@ -96,15 +96,15 @@ devices. Microsoft Defender for Endpoint is also available for purchase from a C
 Solution Provider (CSP).
 
 Customers can obtain Microsoft Defender for Endpoint for Mac through a standalone
-MDefender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
+Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
 Security.
 
-Recently announced capabilities of Microsoft Defender for Endpoint for Android and soon
-iOS are included in the above mentioned offers as part of the five qualified
+Recently announced capabilities of Microsoft Defender for Endpoint for Android and iOS 
+are included in the above mentioned offers as part of the five qualified
 devices for eligible licensed users.
 
- Defender for Endpoint for Linux is available through the Defender for Endpoint
-for Server SKU that is available for both commercial and education customers.
+Defender for Endpoint on Linux is available through the Defender for Endpoint
+Server SKU that is available for both commercial and education customers.
 
 Please contact your account team or CSP for pricing and additional eligibility
 requirements.

windows/security/threat-protection/microsoft-defender-atp/partner-applications.md

@@ -27,12 +27,13 @@ ms.topic: conceptual
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
-Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
 
 
 The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint; enabling security teams to effectively respond better to modern threats.
 
 Microsoft Defender for Endpoint seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
+
 - SIEM
 - Ticketing and IT service management solutions
 - Managed security service providers (MSSP)
@@ -48,10 +49,12 @@ Microsoft Defender for Endpoint seamlessly integrates with existing security sol
 Logo |Partner name   | Description 
 :---|:---|:---
 ![Image of AttackIQ logo](images/attackiq-logo.png)| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
-![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel 
+
+![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel 
 ![Image of Cymulate logo](images/cymulate-logo.png) | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
 ![Image of Elastic security logo](images/elastic-security-logo.png) | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
-![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint.
+![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint 
+
 ![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Defender for Endpoint detections
 ![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Defender for Endpoint Alerts to RSA NetWitness leveraging Microsoft Graph Security API
 ![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations

windows/security/threat-protection/microsoft-defender-atp/partner-integration.md

@@ -18,42 +18,42 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual 
 ---
 
-# Microsoft Defender ATP partner opportunities and scenarios
+# Microsoft Defender for Endpoint partner opportunities and scenarios
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:** 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
-Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP. 
+Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Defender for Endpoint. 
 
-The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. 
+The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Defender for Endpoint. 
 
 
 ## Scenario 1: External alert correlation and Automated investigation and remediation
-Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. 
+Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale. 
 
 Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
 
-Microsoft Defender ATP adds support for this scenario in the following forms:
+Defender for Endpoint adds support for this scenario in the following forms:
 
-- External alerts can be pushed into Microsoft Defender ATP and presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
+- External alerts can be pushed into Defender for Endpoint and presented side by side with additional device-based alerts from Defender for Endpoint. This view provides the full context of the alert - with the real process and the full story of attack.
 
-- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
+- Once an alert is generated, the signal is shared across all Defender for Endpoint protected endpoints in the enterprise. Defender for Endpoint takes immediate automated or operator-assisted response to address the alert.
 
 ## Scenario 2: Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
 
 ## Scenario 3: Indicators matching 
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Defender for Endpoint and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
 
 The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios.
 
-Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
+Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-started-partner-integration.md) to integrate your solution in Defender for Endpoint.
 
 ## Related topic
 - [Overview of management and APIs](management-apis.md)

windows/security/threat-protection/microsoft-defender-atp/portal-overview.md

@@ -23,9 +23,9 @@ ms.topic: conceptual
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
 
 Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
 
@@ -33,7 +33,7 @@ You can use [Microsoft Defender Security Center](https://securitycenter.windows.
 
 - View, sort, and triage alerts from your endpoints
 - Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information
+- Change Microsoft Defender for Endpoint settings, including time zone and review licensing information
 
 ## Microsoft Defender Security Center
 
@@ -42,7 +42,7 @@ When you open the portal, you'll see:
 - (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
 - (2) Search, Community center, Localization, Help and support, Feedback
 
- ![Microsoft Defender Advanced Threat Protection portal](images/mdatp-portal-overview.png)
+ ![Microsoft Defender for Endpoint portal](images/mdatp-portal-overview.png)
 
 > [!NOTE]
 > Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
@@ -54,29 +54,29 @@ Area | Description
 **(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
 **Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
 **Incidents** | View alerts that have been aggregated as incidents.
-**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
+**Devices list** | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels.
 **Alerts queue** | View alerts generated from devices in your organizations.
 **Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
 **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
 **Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
 **Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
 **Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
-**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment.
+**Service health** | Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues.
 **Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
 **Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
-**(2) Search, Community center, Localization,  Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. </br></br> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. </br></br>  **Localization** - Set time zones. </br></br>  **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.</br></br> **Feedback** - Provide comments about what you like or what we can do better.
+**(2) Search, Community center, Localization,  Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. </br></br> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. </br></br>  **Localization** - Set time zones. </br></br>  **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert.</br></br> **Feedback** - Provide comments about what you like or what we can do better.
 
 > [!NOTE]
 > For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
 
-## Microsoft Defender ATP icons
+## Microsoft Defender for Endpoint icons
 
 The following table provides information on the icons used all throughout the portal:
 
 Icon | Description
 :---|:---
-![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender ATP logo
+![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender for Endpoint logo
 ![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks.
 ![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection.
 ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection.

windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint]https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
 ## API description

windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md

@@ -23,9 +23,9 @@ ms.topic: article
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
 
 Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
 

windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md

@@ -20,30 +20,30 @@ ms.collection:
 ms.topic: article 
 ---
 
-# Prepare Microsoft Defender ATP deployment
+# Prepare Microsoft Defender for Endpoint deployment
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
 
 
-Deploying Microsoft Defender ATP is a three-phase process:
+Deploying Defender for Endpoint is a three-phase process:
 
 <br>
 <table border="0" width="100%" align="center">
   <tr style="text-align:center;">
     <td align="center" style="width:25%; border:0;" bgcolor="#d5f5e3">
       <a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment"> 
-        <img src="images/prepare.png" alt="Plan to deploy Microsoft Defender ATP" title="Plan" />
+        <img src="images/prepare.png" alt="Plan to deploy Microsoft Defender for Endpoint" title="Plan" />
       <br/>Phase 1: Prepare </a><br>
     </td>
      <td align="center"  >
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
-        <img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup the Microsoft Defender ATP service" />
+        <img src="images/setup.png" alt="Onboard to the Defender for Endpoint service" title="Setup the Defender for Endpoint service" />
       <br/>Phase 2: Set up </a><br>
         </td>
     <td align="center">
@@ -68,7 +68,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
 You are currently in the preparation phase.
 
 
-Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
+Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Defender for Endpoint.
 
 
 ## Stakeholders and approval
@@ -111,8 +111,7 @@ required in technologies or processes.
 
 ## Role-based access control
 
-Microsoft recommends using the concept of least privileges. Microsoft Defender
-ATP leverages built-in roles within Azure Active Directory. Microsoft recommends
+Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Azure Active Directory. Microsoft recommends
 [review the different roles that are
 available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
 and choose the right one to solve your needs for each persona for this
@@ -132,7 +131,7 @@ Management](https://docs.microsoft.com/azure/active-directory/active-directory-p
 to manage your roles to provide additional auditing, control, and access review
 for users with directory permissions.
 
-Microsoft Defender ATP supports two ways to manage permissions:
+Defender for Endpoint supports two ways to manage permissions:
 
 -   **Basic permissions management**: Set permissions to either full access or
     read-only. In the case of basic permissions management users with Global
@@ -144,7 +143,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
     groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
 
 Microsoft recommends leveraging RBAC to ensure that only users that have a
-business justification can access Microsoft Defender ATP.
+business justification can access Defender for Endpoint.
 
 You can find details on permission guidelines
 [here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
@@ -167,16 +166,16 @@ place. The bare minimum every organization should have been an antivirus solutio
 
 Historically, replacing any security solution used to be time intensive and difficult
 to achieve due to the tight hooks into the application layer and infrastructure
-dependencies. However, because Microsoft Defender ATP is built into the
+dependencies. However, because Defender for Endpoint is built into the
 operating system, replacing third-party solutions is now easy to achieve.
 
-Choose the component of Microsoft Defender ATP to be used and remove the ones
+Choose the component of Defender for Endpoint to be used and remove the ones
 that do not apply. The table below indicates the order Microsoft recommends for
 how the endpoint security suite should be enabled.
 
 | Component                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Adoption Order Rank |
 |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR)     | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
+| Endpoint Detection & Response (EDR)     | Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
 |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: <br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities <br> - Invaluable device vulnerability context during incident investigations <br> -  Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager <br> [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
 | Next-generation protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: <br> -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.   <br> -  Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). <br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. <br> [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).                                                                                                                                                                                                                                                                                                                                                                       |3                   |
 | Attack Surface Reduction (ASR)          | Attack surface reduction capabilities in Microsoft Defender ATP help protect the devices and applications in the organization from new and emerging threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction)                                                                                                                                                                                                                                                                                                                                                                                       | 4                   |

windows/security/threat-protection/microsoft-defender-atp/preview-settings.md

@@ -16,15 +16,15 @@ audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
-# Turn on the preview experience in Microsoft Defender ATP
+# Turn on the preview experience in Microsoft Defender for Endpoint
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
 
 Turn on the preview experience setting to be among the first to try upcoming features.
 
@@ -36,8 +36,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 2. Toggle the setting between **On** and **Off** and select **Save preferences**.
 
 ## Related topics
-- [Update general settings in Microsoft Defender ATP](data-retention-settings.md)
-- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md)
-- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md)
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
+- [Update general settings in Microsoft Defender for Endpoint](data-retention-settings.md)
+- [Turn on advanced features in Microsoft Defender for Endpoint](advanced-features.md)
+- [Configure email notifications in Microsoft Defender for Endpoint](configure-email-notifications.md)
+- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
 

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -19,7 +19,7 @@ ms.collection:
 ms.topic: conceptual
 ---
 
-# Microsoft Defender ATP preview features
+# Microsoft Defender for Endpoint preview features
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
@@ -27,19 +27,19 @@ ms.topic: conceptual
 >The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
+The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.
 
 > [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
 
-Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
 
 >[!TIP]
 >Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
 
-For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
+For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md).
 
 ## Turn on preview features
 
@@ -54,22 +54,22 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 
 The following features are included in the preview release:
-- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
+- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
 
-- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
+- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
 
-- [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
+- [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
 
 - [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
 
 - [Information protection](information-protection-in-windows-overview.md)<BR>
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
+Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
 
     >[!NOTE]
     >Partially available from Windows 10, version 1809.
 
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
+- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
 
 
 > [!TIP] 
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)  
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)  

windows/security/threat-protection/microsoft-defender-atp/production-deployment.md

@@ -20,28 +20,28 @@ ms.collection:
 ms.topic: article 
 ---
 
-# Set up Microsoft Defender ATP deployment
+# Set up Microsoft Defender for Endpoint deployment
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
-Deploying Microsoft Defender ATP is a three-phase process:
+Deploying Defender for Endpoint is a three-phase process:
 
 <br>
 <table border="0" width="100%" align="center">
   <tr style="text-align:center;">
     <td align="center" style="width:25%; border:0;" >
       <a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment"> 
-        <img src="images/prepare.png" alt="Prepare to deploy Microsoft Defender ATP" title="Prepare" />
+        <img src="images/prepare.png" alt="Prepare to deploy Microsoft Defender for Endpoint" title="Prepare" />
       <br/>Phase 1: Prepare </a><br>
     </td>
      <td align="center"bgcolor="#d5f5e3">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
-        <img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup" />
+        <img src="images/setup.png" alt="Onboard to the Microsoft Defender for Endpoint service" title="Setup" />
       <br/>Phase 2: Set up </a><br>
     </td>
     <td align="center">
@@ -63,7 +63,7 @@ In this deployment scenario, you'll be guided through the steps on:
 
 
 >[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md).
 
 ## Check license state
 
@@ -94,11 +94,11 @@ To gain access into which licenses are provisioned to your company, and to check
 
 ## Tenant Configuration
 
-When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device.
+When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Defender for Endpoint created. The easiest method is to perform these steps from a Windows 10 client device.
 
 1. From a web browser, navigate to <https://securitycenter.windows.com>.
 
-    ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
+    ![Image of Set up your permissions for Microsoft Defender for Endpoint](images/atp-setup-permissions-wdatp-portal.png)
 
 2. If going through a TRIAL license, go to the link (<https://signup.microsoft.com/Signup?OfferId=6033e4b5-c320-4008-a936-909c2825d83c&dl=WIN_DEF_ATP&pc=xxxxxxx-xxxxxx-xxx-x>)
 
@@ -128,11 +128,11 @@ When accessing Microsoft Defender Security Center for the first time, a wizard t
 If the organization does not require the endpoints to use a Proxy to access the
 Internet, skip this section.
 
-The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to
-report sensor data and communicate with the Microsoft Defender ATP service. The
-embedded Microsoft Defender ATP sensor runs in the system context using the
+The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to
+report sensor data and communicate with the Microsoft Defender for Endpoint service. The
+embedded Microsoft Defender for Endpoint sensor runs in the system context using the
 LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP)
-to enable communication with the Microsoft Defender ATP cloud service. The
+to enable communication with the Microsoft Defender for Endpoint cloud service. The
 WinHTTP configuration setting is independent of the Windows Internet (WinINet)
 internet browsing proxy settings and can only discover a proxy server by using
 the following discovery methods:
@@ -145,7 +145,7 @@ the following discovery methods:
 
 If a Transparent proxy or WPAD has been implemented in the network topology,
 there is no need for special configuration settings. For more information on
-Microsoft Defender ATP URL exclusions in the proxy, see the
+Microsoft Defender for Endpoint URL exclusions in the proxy, see the
 Appendix section in this document for the URLs allow list or on
 [Microsoft
 Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
@@ -163,8 +163,8 @@ Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defe
 
 ### Configure the proxy server manually using a registry-based static proxy
 
-Configure a registry-based static proxy to allow only Microsoft Defender ATP
-sensor to report diagnostic data and communicate with Microsoft Defender ATP
+Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint
+sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint
 services if a computer is not permitted to connect to the Internet. The static
 proxy is configurable through Group Policy (GP). The group policy can be found
 under:
@@ -236,20 +236,20 @@ URLs that include v20 in them are only needed if you have Windows 10, version
 needed if the device is on Windows 10, version 1803 or later.
  
 
-If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
+If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
 
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
 
 |**Spreadsheet of domains list**|**Description**|
 |:-----|:-----|
-|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/>  | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) 
+|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/>  | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) 
 
 
-###  Microsoft Defender ATP service backend IP range
+###  Microsoft Defender for Endpoint service backend IP range
 
 If you network devices don't support the URLs listed in the prior section, you can use the following information.
 
-Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
+Defender for Endpoint is built on Azure cloud, deployed in the following regions:
 
 - \+\<Region Name="uswestcentral">
 - \+\<Region Name="useast2">
@@ -267,4 +267,4 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
 ## Next step
 |||
 |:-------|:-----|
-|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them.
+|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.

windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md

@@ -17,24 +17,24 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Pull Microsoft Defender ATP detections using SIEM REST API
+# Pull Microsoft Defender for Endpoint detections using SIEM REST API
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
+>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
+>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
+>-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
+Microsoft Defender for Endpoint supports the OAuth 2.0 protocol to pull detections from the API.
 
 In general, the OAuth 2.0 protocol supports four types of flows:
 - Authorization grant flow
@@ -44,19 +44,19 @@ In general, the OAuth 2.0 protocol supports four types of flows:
 
 For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
 
-Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
+Microsoft Defender for Endpoint supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
 
 The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
 
-The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
+The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender for Endpoint endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
 
-Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
+Use the following method in the Microsoft Defender for Endpoint API to pull detections in JSON format.
 
 >[!NOTE]
 >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. 
 
 ## Before you begin
-- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
+- Before calling the Microsoft Defender for Endpoint endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md).
 
 - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
   - Application ID (unique to your application)
@@ -67,7 +67,7 @@ Use the following method in the Microsoft Defender ATP API to pull detections in
 ## Get an access token
 Before creating calls to the endpoint, you'll need to get an access token.
 
-You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP.
+You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint.
 
 To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
 
@@ -92,10 +92,10 @@ The response will include an access token and expiry information.
   "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
 }
 ```
-You can now use the value in the *access_token* field in a request to the Microsoft Defender ATP API.
+You can now use the value in the *access_token* field in a request to the Defender for Endpoint API.
 
 ## Request
-With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append the access token to the Authorization header of each request.
+With an access token, your app can make authenticated requests to the Microsoft Defender for Endpoint API. Your app must append the access token to the Authorization header of each request.
 
 ### Request syntax
 Method | Request URI
@@ -200,7 +200,7 @@ Here is an example return value:
 
 ## Code examples
 ### Get access token
-The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API.
+The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender for Endpoint SIEM API.
 
 ```csharp
 AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId));
@@ -250,7 +250,7 @@ echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM
 ```
 
 ### Use token to connect to the detections endpoint
-The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts.
+The following code examples demonstrate how to use an access token for calling the Defender for Endpoint SIEM API to get alerts.
 
 ```csharp
 HttpClient httpClient = new HttpClient();
@@ -318,7 +318,7 @@ echo $apiResponse
 ```
 
 ## Error codes
-The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
+The Microsoft Defender for Endpoint REST API returns the following error codes caused by an invalid request.
 
 HTTP error code | Description
 :---|:---
@@ -327,8 +327,8 @@ HTTP error code | Description
 500 | Error in the service.
 
 ## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
+- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
+- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)
+- [Configure Splunk to pull Microsoft Defender for Endpoint detections](configure-splunk.md)
+- [Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md

@@ -17,16 +17,16 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
+# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
+Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
 
 ## Before you begin:
 
@@ -65,7 +65,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 
 - Each event hub message in Azure Event Hubs contains list of records.
 - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
-- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
 - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
@@ -88,6 +88,6 @@ To get the data types for event properties do the following:
 
 ## Related topics
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)
-- [Microsoft Defender ATP streaming API](raw-data-export.md)
-- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
+- [Microsoft Defender for Endpoint streaming API](raw-data-export.md)
+- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
 - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md

@@ -17,16 +17,16 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
+# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
+Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
 
 ## Before you begin:
 
@@ -36,7 +36,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 
 ## Enable raw data streaming:
 
-1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user.
+1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user.
 2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
 3. Click on **Add data export settings**.
 4. Choose a name for your new settings.
@@ -65,8 +65,8 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 ```
 
 - Each blob contains multiple rows.
-- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
-- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
 - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
@@ -89,6 +89,6 @@ In order to get the data types for our events properties do the following:
 
 ## Related topics
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)
-- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
-- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
+- [Microsoft Defender for Endpoint Streaming API](raw-data-export.md)
+- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
 - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)

windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md

@@ -24,13 +24,13 @@ ms.topic: article
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
 
 ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
 
-Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
+Defender for Endpoint supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
 
@@ -39,8 +39,8 @@ Microsoft Defender ATP supports streaming all the events available through [Adva
 
 Topic | Description
 :---|:---
-[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
-[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
+[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
+[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
 
 
 ## Related topics

windows/security/threat-protection/microsoft-defender-atp/rbac.md

@@ -24,9 +24,9 @@ ms.topic: article
 **Applies to:**
 - Azure Active Directory
 - Office 365
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink)
 
 
 Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the  portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do. 
@@ -41,10 +41,10 @@ Tier 1 | **Local security operations team / IT team** <br> This team usually tri
 Tier 2 | **Regional security operations team** <br> This team can see all the devices for their region and perform remediation actions.
 Tier 3 | **Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal.
 
-Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
+Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
 
 - **Control who can take specific action**
-  - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity.
+  - Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
  
 - **Control who can see information on specific device group or groups**
   - [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific  Azure Active Directory (Azure AD) user group.
@@ -61,18 +61,18 @@ Before using RBAC, it's important that you understand the roles that can grant p
 
 When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. 
 
-Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments
+Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments
 
 > [!WARNING]
 > Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
 >
 > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** 
 >
->Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Microsoft Defender ATP global administrator role. 
+>Users with admin permissions are automatically assigned the default built-in Defender for Endpoint global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Defender for Endpoint global administrator role. 
 >
 > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. 
 
 
 
 ## Related topic
-- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
+- [Create and manage device groups in Microsoft Defender for Endpoint](machine-groups.md)

windows/security/threat-protection/microsoft-defender-atp/recommendation.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 

windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md

@@ -24,11 +24,11 @@ ms.topic: article
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
  
 [!include[Prerelease information](../../includes/prerelease.md)]
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
 
 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
 
@@ -131,7 +131,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
 > [!NOTE]
 > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
 > 
-> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days.
+> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
 
 ## Add indicator to block or allow a file
 
@@ -177,7 +177,7 @@ When you select this action, a fly-out will appear. From the fly-out, you can re
 
 ![Image of download file fly-out](images/atp-download-file-reason.png)
 
-If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
+If a file is not already stored by Defender for Endpoint, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
 
 ## Consult a threat expert
 
@@ -216,7 +216,7 @@ Use the deep analysis feature to investigate the details of any file, usually du
 
 >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] 
 
-**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
+**Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
 
 > [!NOTE]
 > Only files from Windows 10 can be automatically collected.
@@ -224,9 +224,9 @@ Use the deep analysis feature to investigate the details of any file, usually du
 You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
 
 > [!NOTE]
-> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
+> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
 
-When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
+When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
 
 **Submit files for deep analysis:**
 
@@ -249,7 +249,7 @@ A progress bar is displayed and provides information on the different stages of
 
 **View deep analysis reports**
 
-View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
 
 You can view the comprehensive report that provides details on the following sections:
 

windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md

@@ -23,9 +23,9 @@ ms.topic: article
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) 
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) 
 
 Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.
 
@@ -128,7 +128,7 @@ One you have selected **Run antivirus scan**, select the scan type that you'd li
 The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan.
 
 >[!NOTE]
->When triggering a scan using Microsoft Defender ATP response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.<br> 
+>When triggering a scan using Defender for Endpoint response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.<br> 
 >If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.<br>
 >For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus).
 
@@ -163,7 +163,7 @@ Depending on the severity of the attack and the sensitivity of the device, you m
 >- Full isolation is available for devices on Windows 10, version 1703.
 >- Selective isolation is available for devices on Windows 10, version 1709 or later.
 
-This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device.
+This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.
 
 On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
 
@@ -175,7 +175,7 @@ Once you have selected **Isolate device** on the device page, type a comment and
 ![Image of isolate device](images/isolate-device.png)
 
 >[!NOTE]
->The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
+>The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
 
 **Notification on device user**:</br>
 When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:

windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
 ## API description
@@ -37,7 +37,7 @@ Restrict execution of all applications on the device except a predefined set.
 [!include[Device actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---

windows/security/threat-protection/microsoft-defender-atp/review-alerts.md

@@ -18,18 +18,18 @@ ms.topic: conceptual
 ms.date: 5/1/2020
 ---
 
-# Review alerts in Microsoft Defender Advanced Threat Protection
+# Review alerts in Microsoft Defender for Endpoint
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
 
-The alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
+The alert page in Microsoft Defender for Endpoint provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
 
 Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
 
@@ -37,7 +37,7 @@ Quickly triage, investigate, and take effective action on alerts that affect you
 
 ## Getting started with an alert
 
-Clicking on an alert's name in Microsoft Defender ATP will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
+Clicking on an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
 
 1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
 2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
@@ -46,7 +46,7 @@ Clicking on an alert's name in Microsoft Defender ATP will land you on its alert
 
 ![An alert page when you first land on it](images/alert-landing-view.png)
 
-Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Microsoft Defender ATP.
+Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Defender for Endpoint.
 Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
 
 ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)

windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md

@@ -22,9 +22,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 ## Limitations
 1. You can only run a query on data from the last 30 days.
@@ -36,7 +36,7 @@ ms.topic: article
 5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. 
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
@@ -137,6 +137,6 @@ Here is an example of the response.
 ```
 
 ## Related topic
-- [Microsoft Defender ATP APIs introduction](apis-intro.md)
+- [Microsoft Defender for Endpoint APIs introduction](apis-intro.md)
 - [Advanced Hunting from Portal](advanced-hunting-query-language.md)
 - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)

windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md

@@ -22,7 +22,7 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
 Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
@@ -65,7 +65,7 @@ $aadToken = $response.access_token
 
 where
 - $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
-- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
+- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Defender for Endpoint)
 - $appSecret: Secret of your Azure AD app
 
 ## Run query
@@ -117,6 +117,6 @@ $results | ConvertTo-Json | Set-Content file1.json
 
 
 ## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
+- [Microsoft Defender for Endpoint APIs](apis-intro.md)
 - [Advanced Hunting API](run-advanced-query-api.md)
 - [Advanced Hunting using Python](run-advanced-query-sample-python.md)

windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md

@@ -24,7 +24,7 @@ ms.topic: article
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
 
@@ -68,7 +68,7 @@ aadToken = jsonResponse["access_token"]
 
 where
 - tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
-- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
+- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint)
 - appSecret: Secret of your Azure AD app
 
 ## Run query
@@ -147,6 +147,6 @@ outputFile.close()
 
 
 ## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
+- [Microsoft Defender for Endpoint APIs](apis-intro.md)
 - [Advanced Hunting API](run-advanced-query-api.md)
 - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)

windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
 ## API description
@@ -37,7 +37,7 @@ Initiate Microsoft Defender Antivirus scan on a device.
 [!include[Device actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---

windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md

@@ -19,7 +19,7 @@ ms.collection:
 ms.topic: article
 ---
 
-# Run a detection test on a newly onboarded Microsoft Defender ATP device 
+# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device 
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
@@ -30,10 +30,10 @@ ms.topic: article
 - Windows Server 2016
 - Windows Server, version 1803
 - Windows Server, 2019
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
-Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service.
+Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
 
 1. Create a folder:  'C:\test-MDATP-test'.
 2. Open an elevated command-line prompt on the device and run the script:
@@ -55,4 +55,4 @@ The Command Prompt window will close automatically. If successful, the detection
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Onboard servers](configure-server-endpoints.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
+- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)

windows/security/threat-protection/microsoft-defender-atp/score.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 

windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md

@@ -23,9 +23,9 @@ ms.topic: conceptual
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) 
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) 
 
 The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. 
 
@@ -59,7 +59,7 @@ Each group is further sub-categorized into their corresponding alert severity le
 
 For more information see, [Alerts overview](alerts-queue.md).
 
-Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see,  [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md).
+Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see,  [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md).
 
 
 ## Devices at risk
@@ -69,16 +69,16 @@ This tile shows you a list of devices with the highest number of active alerts.
 
 Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
 
-You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
+You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md).
 
 ## Devices with sensor issues
-The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices.
+The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices.
 
 ![Devices with sensor issues tile](images/atp-tile-sensor-health.png)
 
 There are two status indicators that provide information on the number of devices that are not reporting properly to the service:
-- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
-- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
+- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender for Endpoint service and might have configuration errors that need to be corrected.
+- **Inactive** - Devices that have stopped reporting to the Microsoft Defender for Endpoint service for more than seven days in the past month.
 
 When you click any of the groups, you’ll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md).
 
@@ -87,7 +87,7 @@ The **Service health** tile informs you if the service is active or if there are
 
 ![The Service health tile shows an overall indicator of the service](images/status-tile.png)
 
-For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md).
+For more information on the service health, see [Check the Microsoft Defender for Endpoint service health](service-status.md).
 
 
 ## Daily devices reporting
@@ -116,10 +116,10 @@ The tile shows you a list of user accounts with the most active alerts and the n
 
 Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
 
 ## Related topics
-- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
+- [Understand the Microsoft Defender for Endpoint portal](use.md)
 - [Portal overview](portal-overview.md)
 - [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)

windows/security/threat-protection/microsoft-defender-atp/service-status.md

@@ -17,19 +17,19 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Check the Microsoft Defender Advanced Threat Protection service health
+# Check the Microsoft Defender for Endpoint service health
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
 
-**Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
+**Service health** provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
 
 You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
 
@@ -41,7 +41,7 @@ The **Service health** details page has the following tabs:
 - **Status history**
 
 ## Current status
-The **Current status** tab shows the current state of the Microsoft Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
+The **Current status** tab shows the current state of the Defender for Endpoint service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
 
 - Date and time for when the issue was detected
 - A short description of the issue

windows/security/threat-protection/microsoft-defender-atp/set-device-value.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 ## API description
 
@@ -39,7 +39,7 @@ See [assign device values](tvm-assign-device-value.md) for more information.
 
 ## Permissions
 
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 
 Permission type |    Permission    |    Permission display name
 :---|:---|:---

windows/security/threat-protection/microsoft-defender-atp/software.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 

windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md

@@ -21,9 +21,9 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
 ## API description
@@ -37,7 +37,7 @@ Stop execution of a file on a device and delete it.
 [!include[Device actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---

windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md

@@ -23,10 +23,10 @@ ms.topic: conceptual
 
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 > [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) 
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) 
 
 Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls.