Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

.openpublishing.publish.config.json

@@ -551,7 +551,11 @@
     ]
   },
   "need_generate_pdf_url_template": true,
-  "targets": {},
+  "targets": {
+    "Pdf": {
+      "template_folder": "_themes.pdf"
+    }
+  },
   "need_generate_pdf": false,
   "need_generate_intellisense": false
 }

.openpublishing.redirection.json

@@ -13934,5 +13934,10 @@
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
 "redirect_document_id": false
 },
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics",
+"redirect_document_id": true
+},
 ]
 }

devices/hololens/hololens-install-localized.md

@@ -28,6 +28,7 @@ In order to switch to the Chinese or Japanese version of HoloLens, you’ll need
 8. Select **Install software** and follow the instructions to finish installing. 
 9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. 
  
+When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds.  The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. 
 
 ## Note for language support
 

mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md

@@ -32,55 +32,55 @@ This section contains release notes for User Experience Virtualization.
 
 When a computer has an application that is installed through both Application Virtualization (App-V) and a locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies.
 
-WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both.
+**WORKAROUND:** To resolve this problem, run the application by selecting one of the two technologies, but not both.
 
 ### <a href="" id="settings-do-not-synchronization-when-network-share-is-outside-user-s-domain"></a>Settings do not synchronization when network share is outside user’s domain
 
 When Windows® 8 attempts operating system settings synchronization, the synchronization fails with the following error message: **boost::filesystem::exists::Incorrect user name or password**. This error can indicate that the network share is outside the user’s domain or a domain with a trust relationship to that domain. To check for operational log events, open the **Event Viewer** and navigate to **Applications and Services Logs** / **Microsoft** / **User Experience Virtualization** / **Logging** / **Operational**. Network shares that are used for UE-V settings storage locations should reside in the same Active Directory domain as the user or a trusted domain of the user’s domain.
 
-WORKAROUND: Use network shares from the same Active Directory domain as the user.
+**WORKAROUND:** Use network shares from the same Active Directory domain as the user.
 
 ### Unpredictable results with both Office 2010 and Office 2013 installed
 
 When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used.
 
-WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V.
+**WORKAROUND:** Install only one version of Office or limit which settings are synchronized by UE-V.
 
 ### Uninstall and re-install of Windows 8 app reverts settings to initial state
 
 While using UE-V settings synchronization for a Windows 8 app, if the user uninstalls the app and then reinstalls the app, the app’s settings revert to their default values.  This happens because the uninstall removes the local (cached) copy of the app’s settings but does not remove the local UE-V settings package.  When the app is reinstalled and launched, UE-V gather the app settings that were reset to the app defaults and then uploads the default settings to the central storage location.  Other computers running the app then download the default settings.  This behavior is identical to the behavior of desktop applications.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### Email signature roaming for Outlook 2010
 
 UE-V will roam the Outlook 2010 signature files between devices. However, the default signature options for new messages and replies or forwards are not synchronized. These two settings are stored in the Outlook profile, which UE-V does not roam.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
 
-We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click here. ([http://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx](https://go.microsoft.com/fwlink/?LinkID=247623)). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
+We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions).
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### <a href="" id="msi-s-are-not-localized"></a>MSI’s are not localized
 
 UE-V 2.0 includes a localized setup program for both the UE-V Agent and UE-V generator. These MSI files are still available but the user interface is minimized and the MSI’s only display in English. Despite the file being in English, the setup program installs all supported languages during the installation.
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### Favicons that are associated with Internet Explorer 9 favorites do not roam
 
 The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer.
 
-WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
+**WORKAROUND:** Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
 
 ### File settings paths are stored in registry
 
 Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers.
 
-WORKAROUND: Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
+**WORKAROUND:** Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
 
 ### Long Settings Storage Paths could cause an error
 
@@ -90,25 +90,25 @@ Keep settings storage paths as short as possible. Long paths could prevent resol
 
 To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational.
 
-WORKAROUND: None.
+**WORKAROUND:** None.
 
 ### Some operating system settings only roam between like operating system versions
 
 Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8.
 
-WORKAROUND: None
+**WORKAROUND:** None
 
 ### Windows 8 apps do not sync settings when the app restarts after closing unexpectedly
 
 If a Windows 8 app closes unexpectedly soon after startup, settings for the application may not be synchronized when the application is restarted.
 
-WORKAROUND: Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app.
+**WORKAROUND:** Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app.
 
 ### <a href="" id="ue-v-1-agent-generates-errors-when-running-ue-v-2-templates-"></a>UE-V 1 agent generates errors when running UE-V 2 templates
 
 If a UE-V 2 settings location template is distributed to a computer installed with a UE-V 1 agent, some settings fail to synchronize between computers and the agent reports errors in the event log.
 
-WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates.
+**WORKAROUND:** When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates.
 
 ## Hotfixes and Knowledge Base articles for UE-V 2.0
 

windows/client-management/mdm/oma-dm-protocol-support.md

@@ -314,13 +314,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen
 
 ## User targeted vs. Device targeted configuration
 
-For CSPs and policies that supports per user configuration, MDM server could send user targeted setting values to the device the user that enrolled MDM is actively logged in. The device notifies the server the login status via a device alert (1224) with Alert type = in DM pkg\#1.
+For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1.
 
 The data part of this alert could be one of following strings:
 
--   user – the user that enrolled the device is actively login. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
+-   user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
 -   others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
--   none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login
+-   none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
 
 Below is an alert example:
 

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -422,7 +422,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
             <CmdID>$CmdID$</CmdID>
             <Item>
                 <Target>
-                    <LocURI>./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI>
+                    <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI>
                 </Target>
                 <Meta>
                     <Format xmlns="syncml:metinf">string</Format>

windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md

@@ -25,14 +25,14 @@ ms.topic: article
 
 You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
 
-After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
+After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. 
 
 ## Command-Line Options for Deploying Customized Database Files
 
 
 The command-line options use the following conventions.
 
-Sdbinst.exe \[-q\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] \[-?\]
+Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
 
 The following table describes the available command-line options.
 
@@ -78,8 +78,14 @@ The following table describes the available command-line options.
 <p>For example,</p>
 <p><code>sdbinst.exe -?</code></p></td>
 </tr>
+<tr class="even">
+<td align="left"><p>-p</p></td>
+<td align="left"><p>Allows SDBs installation with Patches</p>
+<p>For example,</p>
+<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
+</tr>
 </tbody>
 </table>
 
 ## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)

windows/deployment/planning/windows-10-1803-removed-features.md

@@ -51,4 +51,4 @@ If you have feedback about the proposed replacement of any of these features, yo
 |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
 |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
 |[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.|
-|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|
+|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|

windows/hub/release-information.md

@@ -11,15 +11,23 @@ author: lizap
 ms.author: elizapo
 ms.localizationpriority: high
 ---
-# Windows 10 release information
+# Windows 10 - Release information
 
-Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
+>[!IMPORTANT]
+> The URL for the release information page has changed - update your bookmark!
 
-Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
+Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). 
 
->[!NOTE]
->If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
+If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. 
+
+If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC.  
+
+**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher).   
+
+November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809.
  
+For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).   
+
 <br>
 
 <div class="m-rich-content-block" data-grid="col-12">

windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md

@@ -95,6 +95,7 @@ This policy setting controls whether the elevation request prompt is displayed o
 
 -   **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
 -   **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
 ## User Account Control: Virtualize file and registry write failures to per-user locations
 
 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -10,7 +10,7 @@ ms.author: pashort
 manager: elizapo
 ms.reviewer: 
 ms.localizationpriority: medium
-ms.date: 01/26/2019
+ms.date: 03/21/2019
 ---
 
 # VPN and conditional access
@@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo
 
 - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
 
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. 
-
-    Additional details regarding the Azure AD issued short-lived certificate: 
-    - The default lifetime is 60 minutes and is configurable
-    - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
 
 - [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
 

windows/security/threat-protection/TOC.md

@@ -73,8 +73,8 @@
 
 
 #### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Threat analytics](windows-defender-atp/threat-analytics.md)
-###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [Threat analytics](windows-defender-atp/threat-analytics.md)
+
 #### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
 ##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
 ###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md

@@ -15,12 +15,12 @@ ms.topic: conceptual
 ms.date: 04/19/2017
 ---
 
-# Network security: Configure encryption types allowed for Kerberos Win7 only
+# Network security: Configure encryption types allowed for Kerberos
 
 **Applies to**
 -   Windows 10
 
-Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting.
+Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
 
 ## Reference
 
@@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
 | Default domain policy| Not defined|
 | Default domain controller policy| Not defined|
 | Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.|
-| Member server effective default settings | None of these encryption types that are available in this policy are allowed.|
-| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|
+| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.|
+| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.|
+| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|
  
 ## Security considerations
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -0,0 +1,489 @@
+---
+title: Microsoft Defender ATP for Mac
+description: Describes how to install and use Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Mac
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. 
+Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. 
+
+## Prerequisites
+You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
+
+You should also have access to Windows Defender Security Center.
+
+### System Requirements
+Microsoft Defender ATP for Mac system requirements:
+- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
+- Disk space during preview: 1GB 
+- The following URLs must be accessible from the Mac device:
+  - ```https://fresno.blob.core.windows.net/preview/macos/wdav.pkg ```<br>
+  - ```https://cdn.x.cp.wd.microsoft.com/ ```<br>
+  - ```https://eu-cdn.x.cp.wd.microsoft.com/ ```<br>
+  - ```https://wu-cdn.x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://asia.x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://australia.x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://europe.x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://unitedkingdom.x.cp.wd.microsoft.com/ ``` <br>
+  - ```https://unitedstates.x.cp.wd.microsoft.com/ ``` <br>
+
+## Installation and configuration overview
+There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. 
+In general you'll need to take the following steps:
+- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
+- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
+  - [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
+  - [JAMF based deployment](#jamf-based-deployment)
+  - [Manual deployment](#manual-deployment)
+
+## Register macOS devices
+To onboard your devices for Microsoft Defender ATP for Mac, you must register the devices with Windows Defender ATP and provide consent to submit telemetry.
+
+Use the following URL to give consent to submit telemetry: ```https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=f9eb614c-7a8e-422a-947d-2059e657d855&response_type=code&sso_reload=true```
+
+> [!NOTE]
+> You may get an error that a page on ```https://ppe.fresno.wd.microsoft.com``` cannot be opened. Disregard the error as it does not affect the onboarding process.
+
+
+![App registration permission screenshot](images/MDATP_1_RegisterApp.png)
+
+## Deploy Microsoft Defender ATP for Mac
+Use any of the supported methods to deploy Microsoft Defender ATP for Mac
+
+## Microsoft Intune based deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.	In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.	In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+5.	Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+6. From a command prompt, verify that you have the three files. 
+    Extract the contents of the .zip files:
+    
+    ```
+    mavel-macmini:Downloads test$ ls -l
+    total 721688
+    -rw-r--r--  1 test  staff     269280 Mar 15 11:25 IntuneAppUtil
+    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+      inflating: intune/kext.xml
+      inflating: intune/WindowsDefenderATPOnboarding.xml
+      inflating: jamf/WindowsDefenderATPOnboarding.plist
+    mavel-macmini:Downloads test$
+    ```
+7.	Make IntuneAppUtil an executable:
+
+    ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
+
+8. Create the wdav.pkg.intunemac package from wdav.pkg:
+
+    ```
+    mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+    Microsoft Intune Application Utility for Mac OS X
+    Version: 1.0.0.0
+    Copyright 2018 Microsoft Corporation
+
+    Creating intunemac file for /Users/test/Downloads/wdav.pkg
+    Composing the intunemac file output
+    Output written to ./wdav.pkg.intunemac.
+
+    IntuneAppUtil successfully processed "wdav.pkg",
+    to deploy refer to the product documentation.
+    ```
+
+### Client Machine Setup
+You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
+
+1. You'll be asked to confirm device management.
+
+![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
+
+2. Click the **Continue** button, and your Management Profile is displayed as verified:
+
+![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
+
+You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
+
+3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
+
+![Add Devices screenshot](images/MDATP_5_allDevices.png)
+
+### Create System Configuration profiles
+1.	In Intune open the **Manage > Device configuration** blade. Click **Manage > Profiles > Create Profile**.
+2.	Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Click **Configure**.
+3.	Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+4.	Click **OK**.
+
+    ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
+
+5. **Click Manage > Assignments**. In the **Include** tab, click **Assign to All Users & All devices**.
+7.	Repeat these steps with the second profile.  
+8.	Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. 
+9.	Click **Manage > Assignments**.  In the Include tab, click **Assign to All Users & All devices**.
+
+After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
+
+![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
+
+### Publish application
+
+1.	In Intune, open the **Manage > Client apps** blade. Click **Apps > Add**.
+2.	Select **App type=Other/Line-of-business app**.
+3.	Select **file=wdav.pkg.intunemac**. Click **OK** to upload.
+4.	Click **Configure** and add the required information.
+5.	Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
+
+    ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
+
+6. Click **OK** and **Add**.
+ 
+    ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
+
+7. It will take a while to upload the package. After it's done, click the name and then go to **Assignments** and **Add group**.
+
+    ![Client apps screenshot](images/MDATP_10_ClientApps.png)
+
+8. Change **Assignment type=Required**.
+9.	Click **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+
+    ![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
+
+10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade:
+
+    ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
+
+### Verify client machine state
+1.	After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences  > Profiles**.
+
+    ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
+    ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
+
+2. Verify the three profiles listed there:
+    ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
+
+3.	The **Management Profile** should be the Intune system profile.
+4.	wdav-config and wdav-kext are system configuration profiles that we added in Intune.
+5.	You should also see the Microsoft Defender icon in the top-right corner:
+
+    ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+## JAMF based deployment
+### Prerequsites
+You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. 
+
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.	In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.	In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+5. From a command prompt, verify that you have the two files. 
+    Extract the contents of the .zip files:
+    
+    ```
+    mavel-macmini:Downloads test$ ls -l
+    total 721160
+    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+    inflating: intune/kext.xml
+     inflating: intune/WindowsDefenderATPOnboarding.xml
+     inflating: jamf/WindowsDefenderATPOnboarding.plist
+    mavel-macmini:Downloads test$
+    ``` 
+
+### Create JAMF Policies
+You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines.
+
+#### Configuration Profile
+The configuration profile contains one custom settings payload that includes:
+
+- Microsoft Defender ATP for Mac onboarding information 
+- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run
+
+
+1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File.
+
+    >[!NOTE]
+    > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain.
+
+    ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
+
+#### Approved Kernel Extension
+
+To approve the kernel extension:
+1.	In **Computers > Configuration Profiles** click **Options > Approved Kernel Extensions**.
+2.	Use **UBF8T346G9** for Team Id.
+
+![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
+
+#### Configuration Profile's Scope 
+Configure the appropriate scope to specify the machines that will receive this configuration profile.
+
+In the Configuration Profiles, click **Scope > Targets**. Select the appropriate Target computers. 
+
+![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png)
+
+Save the **Configuration Profile**.
+
+Use the **Logs** tab to monitor deployment status for each enrolled machine.
+
+#### Package
+1. Create a package in **Settings > Computer Management > Packages**.
+
+    ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png)
+
+2. Upload wdav.pkg to the Distribution Point. 
+3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
+
+#### Policy
+Your policy should contain a single package for Microsoft Defender.
+
+![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png)
+
+Configure the appropriate scope to specify the computers that will receive this policy.
+
+After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine.
+
+### Client machine setup
+You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment.
+
+> [!NOTE]
+>  After a computer is enrolled, it will show up in the Computers inventory (All Computers). 
+
+1.	Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and click **Approve** on the MDM Profile.
+
+![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png)
+![MDM screenshot](images/MDATP_22_MDMProfileApproved.png)
+
+After some time, the machine's User Approved MDM status will change to Yes. 
+
+![MDM status screenshot](images/MDATP_23_MDMStatus.png)
+
+You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
+
+
+### Deployment
+Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
+
+#### Status on server
+You can monitor the deployment status in the Logs tab:
+ - **Pending** means that the deployment is scheduled but has not yet happened 
+ - **Completed** means that the deployment succeeded and is no longer scheduled
+
+![Status on server screenshot](images/MDATP_24_StatusOnServer.png)
+
+
+#### Status on client machine
+After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile.
+
+![Status on client screenshot](images/MDATP_25_StatusOnClient.png)
+
+After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+You can monitor policy installation on a machine by following the JAMF's log file:
+
+```
+mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
+Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
+Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
+Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
+Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
+```
+
+You can also check the onboarding status:
+```
+mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+uuid            : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+orgid           : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid managed   : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+```
+
+- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
+
+- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
+
+### Uninstalling Microsoft Defender ATP for Mac
+#### Uninstalling with a script
+
+Create a script in **Settings > Computer Management > Scripts**.
+
+![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png)
+
+For example, this script removes Microsoft Defender ATP from the /Applications directory:
+
+```
+echo "Is WDAV installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Uninstalling WDAV..."
+rm -rf '/Applications/Microsoft Defender.app'
+
+echo "Is WDAV still installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Done!"
+```
+
+#### Uninstalling with a policy
+Your policy should contain a single script:
+
+![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png)
+
+Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
+
+### Check onboarding status
+
+You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
+
+```
+/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
+```
+
+This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
+
+## Manual deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.	In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.	In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+5. From a command prompt, verify that you have the two files. 
+    Extract the contents of the .zip files:
+    
+    ```
+   mavel-macmini:Downloads test$ ls -l
+    total 721152
+    -rw-r--r--  1 test  staff       6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    inflating: WindowsDefenderATPOnboarding.py
+    ``` 
+
+### Application installation
+To complete this process, you must have admin privileges on the machine.
+
+1. Download the wdav.pkg from: https://fresno.blob.core.windows.net/preview/macos/wdav.pkg.
+
+2. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+    ![App install screenshot](images/MDATP_28_AppInstall.png)
+
+3. Click **Continue**, agree with the License terms, and enter the password when prompted.
+
+    ![App install screenshot](images/MDATP_29_AppInstallLogin.png)
+
+   > [!IMPORTANT]
+   > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
+
+   ![App install screenshot](images/MDATP_30_SystemExtension.png)
+
+4. Click **Open Security Preferences**  or **Open System Preferences > Security & Privacy**. Click **Allow**:
+
+    ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
+
+
+The installation will proceed.
+
+> [!NOTE]
+> If you don't click **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+
+### Client configuration
+1.	Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+
+    The client machine is not associated with orgId.  Note that the orgid is blank.
+
+    ```
+    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+    orgid :
+    ```
+2.	Install the configuration file on a client machine:
+
+    ```
+    mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
+    Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
+    ```
+
+3.	Verify that the machine is now associated with orgId:
+
+    ```
+    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+    orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
+    ```
+After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+   ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+## Uninstallation
+### Removing Microsoft Defender ATP from Mac devices
+To remove Microsoft Defender ATP from your macOS devices:
+
+- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
+
+Or, from a command line:
+
+- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
+
+## Known issues
+- Microsoft Defender ATP is not yet optimized for performance or disk space.
+- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround) an uninstall action has to be completed on each client device).
+- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
+- Full Windows Defender ATP integration is not yet available
+- Not localized yet
+- There might be accessibility issues 
+
+### Installation issues
+If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues. 
+
+ 
+For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_.
+
+
+

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -70,8 +70,8 @@
 
 
 ### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
-#### [Threat analytics](threat-analytics.md)
-#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+### [Threat analytics](threat-analytics.md)
+
 
 
 ### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -40,7 +40,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 
 >[!NOTE]
 > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.  
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it.
+>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
 
 
 ## Block file
@@ -91,6 +91,14 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 
 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
 
+## Microsoft Threat Experts
+This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
+
+>[!NOTE]
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
+
+
+
 ## Microsoft Cloud App Security
 Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. 
 

windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md

@@ -81,27 +81,49 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
     
     c.  Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages. <br>
 
-    **Step 2: Open a support ticket**
-    
- >[!NOTE]
- >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account.  However, you will not be charged for the Experts-on-demand service during the preview.
-
+    **Step 2: Open a support ticket**    
+    >[!NOTE]
+    >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account.  However, you will not be charged for the Experts-on-demand service during the preview.
+ 
     a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**: <br>
 
-     - **Select the product family**: **Security**
-     - **Select a product**: **Microsoft Threat Experts**
-     - **Select a category that best describes the issue**: **Windows Defender ATP**
-     - **Select a problem that best describes the issue**: Choose according to your inquiry category  
+    **Select the product family**: **Security**<br>
+    **Select a product**: **Microsoft Threat Experts**<br>
+    **Select a category that best describes the issue**: **Windows Defender ATP**<br>
+    **Select a problem that best describes the issue**: Choose according to your inquiry category<br>  
        
-    b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
+    b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.  <br>
     
-    c. In the **Select a support plan** page, select **Professional No Charge**.
+    c. In the **Select a support plan** page, select **Professional No Charge**. <br>
 
-    d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
+    d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. <br>
     
-    e. Verify your contact details and add another if necessary. Then, click **Next**.
+    e. Verify your contact details and add another if necessary. Then, click **Next**. <br>
 
-    f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
+    f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br>
+
+## Sample questions to ask Microsoft Threat Experts
+**Alert information**
+- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
+- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
+- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. 
+
+**Possible machine compromise**
+- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
+- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
+
+**Threat intelligence details**
+- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
+- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor? 
+
+**Microsoft Threat Experts’ alert communications** 
+- Can your incident response team help us address the targeted attack notification that we got?
+- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
+- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
+
+ >[!NOTE]
+ >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s  Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. 
 
 ## Scenario
 

windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Supported Windows Defender ATP query APIs 

windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md

@@ -67,7 +67,15 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
 
 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
 
-2.  Select **Create a supression rule**.
+2.  Select **Create a suppression rule**.
+
+    You can create a suppression rule based on the following attributes:
+    
+    * File hash 
+    * File name - wild card supported
+    * File path - wild card supported
+    * IP
+    * URL - wild card supported
 
 3. Select the **Trigerring IOC**.
     

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Create custom reports using Power BI (app authentication)

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Create custom reports using Power BI (user authentication)

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Advanced Hunting using Python

windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md

@@ -1,57 +0,0 @@
----
-title: Threat analytics for Spectre and Meltdown
-description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
-keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status 
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 09/03/2018
----
-
-# Threat analytics for Spectre and Meltdown
-**Applies to:**
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization.
-
-[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs.
-
-Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors.
-
-## Prerequisites
-Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network:
-
-- Only active machines running Windows 10 are checked for OS mitigations.
-- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only.
-- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to Security intelligence version 1.259.1545.0 or above.
-- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information.
-
-## Assess organizational risk with Threat analytics
-
-Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations:
-
-- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates
-- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them
-- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits 
-
-
-To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**.
-
-Click a section of each chart to get a list of the machines in the corresponding mitigation status.
-
-## Related topics
-- [Threat analytics](threat-analytics.md)
-- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md)
-- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-
-

windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md

@@ -37,7 +37,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
 
 ## Requirements
 
-Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection.
+Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
 
 Windows 10 version | Windows Defender Antivirus
 - | -

windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md

@@ -36,7 +36,7 @@ There are four steps to troubleshooting these problems:
 Attack surface reduction rules will only work on devices with the following conditions:
 
 >[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
+> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md

@@ -60,7 +60,7 @@ This section covers requirements for each feature in Windows Defender EG.
 | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
 | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
 | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |