Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

.openpublishing.publish.config.json

@@ -524,6 +524,10 @@
     "master": [
       "Publish",
       "Pdf"
+    ],
+    "atp-api-danm": [
+      "Publish",
+      "Pdf"
     ]
   },
   "need_generate_pdf_url_template": true,

mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md

@@ -22,7 +22,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
 
 1.  Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 
 
-2.  Run the downloaded file to extract the template folders.
+2.  Expand the downloaded .cab file by running `expand <download_folder>\MDOP_ADMX_Templates.cab -F:* <destination_folder>`
 
     **Warning**  
     Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.

windows/application-management/apps-in-windows-10.md

@@ -18,124 +18,25 @@ The following types of apps run on Windows 10:
 - "Win32" apps - traditional Windows applications.
 
 Digging into the Windows apps, there are two categories:
-- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
-- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
+- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps:
    - Provisioned: Installed in user account the first time you sign in with a new user account.
    - Installed: Installed as part of the OS.
+- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS.
 
 The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI.
 
 Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
 
-> [!TIP]
-> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
-> ```powershell
-> Get-AppxPackage | select Name,PackageFamilyName
-> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName
-> ```
-
-## System apps
-
-System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
-
-| Name             | Full name                                 |1703  | 1709 | 1803 |Uninstall through UI?                                  |
-|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------|
-| Cortana UI       | CortanaListenUIApp                        | x    |      |      |No                                                     |
-|                  | Desktop Learning                          | x    |      |      |No                                                     |
-|                  | DesktopView                               | x    |      |      |No                                                     |
-|                  | EnvironmentsApp                           | x    |      |      |No                                                     |
-| Mixed Reality +  | HoloCamera                                | x    |      |      |No                                                     |
-| Mixed Reality +  | HoloItemPlayerApp                         | x    |      |      |No                                                     |
-| Mixed Reality +  | HoloShell                                 | x    |      |      |No                                                     |
-|                  | InputApp                                  |      |  x   | x    |No                                                     |
-|                  | Microsoft.AAD.Broker.Plugin               | x    |  x   | x    |No                                                     |
-|                  | Microsoft.AccountsControl                 | x    |  x   | x    |No                                                     |
-| Hello setup UI   | Microsoft.BioEnrollment                   | x    |  x   | x    |No                                                     |
-|                  | Microsoft.CredDialogHost                  | x    |  x   | x    |No                                                     |
-|                  | Microsoft.ECApp                           |      |  x   | x    |No                                                     |
-|                  | Microsoft.LockApp                         | x    |  x   | x    |No                                                     |
-| Microsoft Edge   | Microsoft.Microsoft.Edge                  | x    |  x   | x    |No                                                     |
-|                  | Microsoft.PPIProjection                   | x    |  x   | x    |No                                                     |
-|                  | Microsoft.Windows. Apprep.ChxApp           | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. AssignedAccessLockApp   | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. CloudExperienceHost     | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. ContentDeliveryManager  | x    |  x  | x    |No                                                     |
-| Cortana          | Microsoft.Windows.Cortana                  | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. Holographic.FirstRun    | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. ModalSharePickerHost    | x    |     |      |No                                                     |
-|                  | Microsoft.Windows. OOBENetworkCaptivePort  | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. OOBENetworkConnectionFlow  | x |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. ParentalControls        | x    |  x  | x    |No                                                     |
-| People Hub       | Microsoft.Windows. PeopleExperienceHost    |      |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. PinningConfirmationDialog  |   |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. SecHealthUI             | x    |  x  | x    |No                                                     |
-|                  | Microsoft.Windows. SecondaryTileExperience | x    |  x  |      |No                                                     |
-|                  | Microsoft.Windows. SecureAssessmentBrowser | x    |  x  | x    |No                                                     |
-| Start            | Microsoft.Windows. ShellExperienceHost     | x    |  x  | x    |No                                                     |
-| Windows Feedback | Microsoft.WindowsFeedback                  | *    |  *  |      |No                                                     |
-|                  | Microsoft.XboxGameCallableUI               | x    |  x  |  x   |No                                                     |
-| Contact Support* | Windows.ContactSupport                     | x    |  *  |      |Via Optional Features app                      |
-| Settings         | Windows.ImmersiveControlPanel              | x    |  x  |      |No                                                     |
-| Connect          | Windows.MiracastView                       | x    |     |      |No                                                     |
-| Print 3D         | Windows.Print3D                            |      |  x  |      |Yes                                                    |
-| Print UI         | Windows.PrintDialog                        | x    |  x  |  x   |No                                                     |
-| Purchase UI      | Windows.PurchaseDialog                     |      |     | x    |No                                                     |
-|                  | Microsoft.AsyncTextService                 |      |     | x    |No                                                     |
-|                  | Microsoft.MicrosoftEdgeDevToolsClient      |      |     | x    |No                                                     |
-|                  | Microsoft.Win32WebViewHost                 |      |     | x    |No                                                     |
-|                  | Microsoft.Windows.CapturePicker            |      |     | x    |No                                                     |
-|                  | Windows.CBSPreview                         |      |     | x    |No                                                     |
-|File Picker       | 1527c705-839a-4832-9118-54d4Bd6a0c89       |      |     | x    |No                                                     |
-|File Explorer     | c5e2524a-ea46-4f67-841f-6a9465d9d515       |      |     | x    |No                                                     |
-|App Resolver      | E2A4F912-2574-4A75-9BB0-0D023378592B       |      |     | x    |No                                                     |
-|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE||     | x    |No                                                     |
-
-> [!NOTE]
-> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
-
-## Installed Windows apps
-
-Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
-
-| Name               | Full name                                | 1703 | 1709 | 1803 |Uninstall through UI? |
-|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:|
-| Remote Desktop     | Microsoft.RemoteDesktop                  | x    | x    |      | Yes                  |
-| PowerBI            | Microsoft.Microsoft PowerBIforWindows    | x    |      |      | Yes                  |
-| Code Writer        | ActiproSoftwareLLC.562882FEEB491         | x    | x    | x    | Yes                  |
-| Eclipse Manager    | 46928bounde.EclipseManager               | x    | x    | x    | Yes                  |
-| Pandora            | PandoraMediaInc.29680B314EFC2            | x    | x    | x    | Yes                  |
-| Photoshop Express  | AdobeSystemIncorporated. AdobePhotoshop  | x    | x    | x    | Yes                  |
-| Duolingo           | D5EA27B7.Duolingo- LearnLanguagesforFree | x    | x    | x    | Yes                  |
-| Network Speed Test | Microsoft.NetworkSpeedTest               | x    | x    | x    | Yes                  |
-| News               | Microsoft.BingNews                       | x    | x    | x    | Yes                  |
-| Flipboard          |                                          |      |      |      | Yes                  |
-|                    | Microsoft.Advertising.Xaml               | x    | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Framework.1.2       | x    | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Framework.1.3       | x    | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Framework.1.6       |      | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Framework.1.7       |      |      | x    | Yes                  |
-|                    | Microsoft.NET.Native.Framework.2.0       |      | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.1.1         |      | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.1.3         | x    | x    |      | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.1.4         | x    | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.1.6         |      | x    | x    | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.1.7         |      |      | x    | Yes                  |
-|                    | Microsoft.NET.Native.Runtime.2.0         |      | x    | x    | Yes                  |
-|                    | Microsoft.Services.Store.Engagement      |      | x    | x    | Yes                  |
-|                    | Microsoft.VCLibs.120.00                  | x    | x    | x    | Yes                  |
-|                    | Microsoft.VCLibs.140.00                  | x    | x    | x    | Yes                  |
-|                    | Microsoft.VCLibs.120.00.Universal        |      | x    |      | Yes                  |
-|                    | Microsoft.VCLibs.140.00.UWPDesktop       |      |      | x    | Yes                  |
-|                    | Microsoft.WinJS.2.0                      | x    |      |      | Yes                  |
----
 
 ## Provisioned Windows apps
 
 Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
 
-```
-> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName
-```
+> [!TIP]
+> You can list all provisioned Windows apps with this PowerShell command:
+> ```
+> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+> ```
 
 | Package name                           | App name                                                                                                           | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
 |----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
@@ -186,3 +87,105 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
 >[!NOTE]
 >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
 ---
+
+## System apps
+
+System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
+
+> [!TIP]
+> You can list all system apps with this PowerShell command:
+> ```
+> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+> ```
+
+| Name                             | Package Name                                | 1703  | 1709 | 1803 | Uninstall through UI? |
+|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
+| File Picker                      | 1527c705-839a-4832-9118-54d4Bd6a0c89        |       |      | x    | No                    |
+| File Explorer                    | c5e2524a-ea46-4f67-841f-6a9465d9d515        |       |      | x    | No                    |
+| App Resolver UX                  | E2A4F912-2574-4A75-9BB0-0D023378592B        |       |      | x    | No                    |
+| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE        |       |      | x    | No                    |
+|                                  | InputApp                                    |       | x    | x    | No                    |
+| Cortana UI                       | CortanaListenUIApp                          | x     |      |      | No                    |
+|                                  | Desktop Learning                            | x     |      |      | No                    |
+|                                  | DesktopView                                 | x     |      |      | No                    |
+|                                  | EnvironmentsApp                             | x     |      |      | No                    |
+| Mixed Reality +                  | HoloCamera                                  | x     |      |      | No                    |
+| Mixed Reality +                  | HoloItemPlayerApp                           | x     |      |      | No                    |
+| Mixed Reality +                  | HoloShell                                   | x     |      |      | No                    |
+|                                  | Microsoft.AAD.Broker.Plugin                 | x     | x    | x    | No                    |
+|                                  | Microsoft.AccountsControl                   | x     | x    | x    | No                    |
+|                                  | Microsoft.AsyncTextService                  |       |      | x    | No                    |
+| Hello setup UI                   | Microsoft.BioEnrollment                     | x     | x    | x    | No                    |
+|                                  | Microsoft.CredDialogHost                    | x     | x    | x    | No                    |
+|                                  | Microsoft.ECApp                             |       | x    | x    | No                    |
+|                                  | Microsoft.LockApp                           | x     | x    | x    | No                    |
+| Microsoft Edge                   | Microsoft.MicrosoftEdge                     | x     | x    | x    | No                    |
+|                                  | Microsoft.MicrosoftEdgeDevToolsClient       |       |      | x    | No                    |
+|                                  | Microsoft.PPIProjection                     | x     | x    |      | No                    |
+|                                  | Microsoft.Win32WebViewHost                  |       |      | x    | No                    |
+|                                  | Microsoft.Windows.Apprep.ChxApp             | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.AssignedAccessLockApp     | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.CapturePicker             |       |      | x    | No                    |
+|                                  | Microsoft.Windows.CloudExperienceHost       | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.ContentDeliveryManager    | x     | x    | x    | No                    |
+| Cortana                          | Microsoft.Windows.Cortana                   | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.Holographic.FirstRun      | x     | x    |      | No                    |
+|                                  | Microsoft.Windows.ModalSharePickerHost      | x     |      |      | No                    |
+|                                  | Microsoft.Windows.OOBENetworkCaptivePort    | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.OOBENetworkConnectionFlow | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.ParentalControls          | x     | x    | x    | No                    |
+| People Hub                       | Microsoft.Windows.PeopleExperienceHost      |       | x    | x    | No                    |
+|                                  | Microsoft.Windows.PinningConfirmationDialog |       | x    | x    | No                    |
+|                                  | Microsoft.Windows.SecHealthUI               | x     | x    | x    | No                    |
+|                                  | Microsoft.Windows.SecondaryTileExperience   | x     | x    |      | No                    |
+|                                  | Microsoft.Windows.SecureAssessmentBrowser   | x     | x    | x    | No                    |
+| Start                            | Microsoft.Windows.ShellExperienceHost       | x     | x    | x    | No                    |
+| Windows Feedback                 | Microsoft.WindowsFeedback                   | *     | *    |      | No                    |
+|                                  | Microsoft.XboxGameCallableUI                | x     | x    | x    | No                    |
+|                                  | Windows.CBSPreview                          |       |      | x    | No                    |
+| Contact Support*                 | Windows.ContactSupport                      | x     | *    |      | Via Settings App      |
+| Settings                         | Windows.immersivecontrolpanel               | x     | x    | x    | No                    |
+| Connect                          | Windows.MiracastView                        | x     |      |      | No                    |
+| Print 3D                         | Windows.Print3D                             |       | x    |      | Yes                   |
+| Print UI                         | Windows.PrintDialog                         | x     | x    | x    | No                    |
+| Purchase UI                      | Windows.PurchaseDialog                      |       |      |      | No                    |
+
+
+> [!NOTE]
+> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
+
+## Installed Windows apps
+
+Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
+
+| Name               | Full name                                | 1703 | 1709 | 1803 |Uninstall through UI? |
+|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:|
+| Remote Desktop     | Microsoft.RemoteDesktop                  | x    | x    |      | Yes                  |
+| PowerBI            | Microsoft.Microsoft PowerBIforWindows    | x    |      |      | Yes                  |
+| Code Writer        | ActiproSoftwareLLC.562882FEEB491         | x    | x    | x    | Yes                  |
+| Eclipse Manager    | 46928bounde.EclipseManager               | x    | x    | x    | Yes                  |
+| Pandora            | PandoraMediaInc.29680B314EFC2            | x    | x    | x    | Yes                  |
+| Photoshop Express  | AdobeSystemIncorporated. AdobePhotoshop  | x    | x    | x    | Yes                  |
+| Duolingo           | D5EA27B7.Duolingo- LearnLanguagesforFree | x    | x    | x    | Yes                  |
+| Network Speed Test | Microsoft.NetworkSpeedTest               | x    | x    | x    | Yes                  |
+| News               | Microsoft.BingNews                       | x    | x    | x    | Yes                  |
+| Flipboard          |                                          |      |      |      | Yes                  |
+|                    | Microsoft.Advertising.Xaml               | x    | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Framework.1.2       | x    | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Framework.1.3       | x    | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Framework.1.6       |      | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Framework.1.7       |      |      | x    | Yes                  |
+|                    | Microsoft.NET.Native.Framework.2.0       |      | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.1.1         |      | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.1.3         | x    | x    |      | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.1.4         | x    | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.1.6         |      | x    | x    | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.1.7         |      |      | x    | Yes                  |
+|                    | Microsoft.NET.Native.Runtime.2.0         |      | x    | x    | Yes                  |
+|                    | Microsoft.Services.Store.Engagement      |      | x    | x    | Yes                  |
+|                    | Microsoft.VCLibs.120.00                  | x    | x    | x    | Yes                  |
+|                    | Microsoft.VCLibs.140.00                  | x    | x    | x    | Yes                  |
+|                    | Microsoft.VCLibs.120.00.Universal        |      | x    |      | Yes                  |
+|                    | Microsoft.VCLibs.140.00.UWPDesktop       |      |      | x    | Yes                  |
+|                    | Microsoft.WinJS.2.0                      | x    |      |      | Yes                  |
+---

windows/client-management/manage-settings-app-with-group-policy.md

@@ -38,7 +38,7 @@ Policy paths:
 The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). 
 
 >[!NOTE]  
-> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
 
 Here are some examples:
 

windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md

@@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re
 12. Enter the values for your package and specify the package output location.
 
     ![enter package information](images/bulk-enrollment3.png)
-    ![enter additonal information for package information](images/bulk-enrollment4.png)
+    ![enter additional information for package information](images/bulk-enrollment4.png)
     ![specify file location](images/bulk-enrollment6.png)
 13. Click **Build**.
 

windows/client-management/mdm/passportforwork-ddf.md

@@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
 
 The XML below is for Windows 10, version 1809.
 
-``` syntax
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
   "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
@@ -1262,7 +1262,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
                     <Replace />
                 </AccessType>
                 <DefaultValue>False</DefaultValue>
-                <Description>Enables/Disables Dyanamic Lock</Description>
+                <Description>Enables/Disables Dynamic Lock</Description>
                 <DFFormat>
                     <bool />
                 </DFFormat>

windows/deployment/TOC.md

@@ -215,6 +215,7 @@
 ### [Quick guide to Windows as a service](update/waas-quick-start.md)
 #### [Servicing stack updates](update/servicing-stack-updates.md)
 ### [Overview of Windows as a service](update/waas-overview.md)
+### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md)
 ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
 ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
 ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
@@ -260,6 +261,7 @@
 ##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
 ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
 ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md)
 ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
 ##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md)
 ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)

windows/deployment/update/waas-servicing-differences.md

@@ -0,0 +1,106 @@
+---
+title: Servicing differences between Windows 10 and older operating systems
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: KarenSimWindows
+ms.localizationpriority: medium
+ms.author: karensim
+ms.date: 11/09/2018
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems 
+
+>Applies to: Windows 10 
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
+ 
+The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).    
+
+>[!NOTE]
+> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.  
+
+As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. 
+
+This resulted in a fragmented ecosystem  that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues.  Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. 
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+![Servicing cadence](images/servicing-cadence.png)
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel: 
+   - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+   - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434).
+   - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in aa fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.  
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates.
+
+The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. 
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type – Monthly Rollup or Security-only – is recommended.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. 
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates.
+
+### Examples
+Windows 10 version 1709:
+
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. 
+
+![Servicing preview releases](images/servicing-previews.png)
+
+### Previews vs. on-demand releases
+In 2018, we experienced incidents that required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+#### Points to consider:
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however. 
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure. 
+
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530) 
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772) 
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)  
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)   
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)  
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/) 
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376) 
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)

windows/deployment/upgrade/upgrade-readiness-deploy-windows.md

@@ -1,8 +1,8 @@
 ---
-title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10)
+title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10)
 description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness.
 ms.prod: w10
-author: greg-lindsay
+author: jaimeo
 ms.date: 04/19/2017
 ---
 

windows/deployment/upgrade/upgrade-readiness-deployment-script.md

@@ -93,7 +93,7 @@ The deployment script displays the following exit codes to let you know if it wa
         <td>N/A</td>
     </tr>
     <tr>
-        <td>1 - Unexpected error occurred while executiEng the script.</td>
+        <td>1 - Unexpected error occurred while executing the script.</td>
         <td> The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.</td>
     </tr>
     <tr>

windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md

@@ -0,0 +1,48 @@
+---
+title: Monitor deployment with Upgrade Readiness
+description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades.
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, 
+ms.localizationpriority: medium
+ms.prod: w10
+author: jaimeo
+ms.author: jaimeo
+ms.date: 11/07/2018
+---
+
+# Upgrade Readiness - Step 4: Monitor
+
+Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
+
+![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png)
+ 
+ 
+## Update progress
+
+The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc.
+ 
+ 
+Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out.
+
+!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png)
+
+
+## Driver issues
+
+The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver.
+ 
+ 
+For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. 
+
+!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png)
+ 
+## User feedback
+
+The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar.
+ 
+ 
+We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications.
+ 
+When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.)  If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well.
+
+![Example user feedback item](../images/UR-example-feedback.png)
+ 

windows/deployment/windows-autopilot/TOC.md

@@ -6,6 +6,8 @@
 ## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
 ### [Support for existing devices](existing-devices.md)
 ### [User-driven mode](user-driven.md)
+#### [Azure Active Directory joined](user-driven-aad.md)
+#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
 ### [Self-deploying mode](self-deploying.md)
 ### [Enrollment status page](enrollment-status.md)
 ### [Windows Autopilot Reset](windows-autopilot-reset.md)

windows/deployment/windows-autopilot/user-driven-aad.md

@@ -9,11 +9,27 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
 ---
 
-# Windows Autopilot user-driven mode for Azure Active Directory
+# Windows Autopilot user-driven mode for Azure Active Directory join
 
 **Applies to: Windows 10**
 
-PLACEHOLDER.  This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md.
+## Procedures
+
+In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+-   Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory.  See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
+-   Create an Autopilot profile for user-driven mode with the desired settings.  In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
+-   If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each device that will be deployed using user-driven deployment, these additional steps are needed:
+
+-   Ensure that the device has been added to Windows Autopilot.  This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later.  See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+-   Ensure an Autopilot profile has been assigned to the device:
+    -   If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+    -   If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+    -   If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. 

windows/deployment/windows-autopilot/user-driven-hybrid.md

@@ -9,12 +9,31 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
 ---
 
 
-# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
+# Windows Autopilot user-driven mode for hybrid Azure Active Directory join
 
 **Applies to: Windows 10**
 
-PLACEHOLDER.  This topic is a placeholder for the AD-specific (hybrid) instuctions.
+Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).  
+
+## Requirements
+
+To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
+
+- Users must be able to join devices to Azure Active Directory.
+- A Windows Autopilot profile for user-driven mode must be created and 
+    - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
+- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
+- The device must be running Windows 10, version 1809 or later.
+- The device must be connected to the Internet and have access to an Active Directory domain controller.
+- The Intune Connector for Active Directory must be installed.
+    - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. 
+
+## Step by step instructions
+
+See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. 

windows/deployment/windows-autopilot/user-driven.md

@@ -8,11 +8,13 @@ ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
 ---
 
+# Windows Autopilot user-driven mode
+
 Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device.  The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
 
 -   Unbox the device, plug it in, and turn it on.
@@ -24,21 +26,12 @@ After completing those simple steps, the remainder of the process is completely
 
 Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory.  Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release.  See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
 
-## Step by step
+## Available user-driven modes
 
-In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+The following options are available for user-driven deployment:
 
--   Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory.  See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
--   Create an Autopilot profile for user-driven mode with the desired settings.  In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
--   If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
-
-For each machine that will be deployed using user-driven deployment, these additional steps are needed:
-
--   Ensure that the device has been added to Windows Autopilot.  This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later.  See [Adding devices to Windows Autopilot](add-devices.md) for more information.
--   Ensure an Autopilot profile has been assigned to the device:
-    -   If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
-    -   If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
-    -   If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain.
+- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
 
 ## Validation
 

windows/privacy/TOC.md

@@ -1,6 +1,6 @@
 # [Privacy](index.yml)
 ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
-## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md)
+## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
 ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
 ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)

windows/privacy/gdpr-it-guidance.md

@@ -1,5 +1,5 @@
 ---
-title: Windows 10 and the GDPR for IT Decision Makers
+title: Windows and the GDPR-Information for IT Administrators and Decision Makers
 description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
 keywords: privacy, GDPR, windows, IT
 ms.prod: w10
@@ -11,12 +11,17 @@ author: danihalfin
 ms.author: daniha
 ms.date: 05/11/2018
 ---
-# Windows 10 and the GDPR for IT Decision Makers
+# Windows and the GDPR: Information for IT Administrators and Decision Makers
 
 Applies to:
+- Windows 10, version 1809
 - Windows 10, version 1803
 - Windows 10, version 1709
 - Windows 10, version 1703
+- Windows 10 Team Edition, version 1703 for Surface Hub
+- Windows Server 2019
+- Windows Server 2016
+- Windows Analytics
 
 This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
 
@@ -35,7 +40,7 @@ Here are some GDPR fundamentals:
 * The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
 * A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
 
-Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
+Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
 
 ### What is personal data under the GDPR?
 
@@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv
 A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
 
 Some other examples of Windows functional data:
-* The Weather app which uses the device’s location to retrieve local weather or community news.
+* The Weather app which can use the device’s location to retrieve local weather or community news.
 * Wallpaper and desktop settings that are synchronized across multiple devices.
 
 For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
@@ -100,10 +105,10 @@ Some examples of diagnostic data include:
 * The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
 * For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
 
-To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
 
 >[!IMPORTANT]
->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers.
+>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
 
 ### Windows services where Microsoft is the processor under the GDPR
 
@@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
 >The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
 
 >[!IMPORTANT]
->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
+>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
 
 #### Windows Defender ATP
 
@@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind
 
 | Service | Microsoft GDPR mode of operation |
 | --- | --- |
-| Windows Functional data | Controller |
+| Windows Functional data | Controller or Processor* |
 | Windows Diagnostic data | Controller |
 | Windows Analytics | Processor |
 | Windows Defender Advanced Threat Detection (ATP) | Processor |
 
 *Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
 
-## Recommended diagnostic data level settings
+*/*Depending on which application/feature this is referring to.*
 
-Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+##  Windows diagnostic data and Windows 10
 
-* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+### Recommended Windows 10 settings
+
+Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+
+* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
 
 >[!NOTE]
 >For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
 
 * For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
 
-* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10.
+>[!NOTE]
+>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
 
-## Controlling the data collection and notification about it
+### Additional information for Windows Analytics
+
+Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
+
+Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+>[!NOTE]
+>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
+).
+
+## Controlling Windows 10 data collection and notification about it
 
 Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
 
@@ -200,10 +221,38 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers
 
 To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
 
-## At-a-glance: the relationship between an IT organization and the GDPR
+### At-a-glance: the relationship between an IT organization and the GDPR
 
 Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
 
+## Windows Server
+
+Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data.
+
+More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
+
+### Windows diagnostic data and Windows Server
+
+The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
+
+IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
+
+### Backups and Windows Server
+
+Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
+
+- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
+- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
+
+## Windows 10 Team Edition, Version 1703 for Surface Hub
+
+Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
+
+>[!NOTE]
+>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
+
+An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
+
 ## Further reading
 
 ### Optional settings / features that further improve the protection of personal data
@@ -215,11 +264,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p
 
 ### Windows Security Baselines
 
-Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
+Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
 
 ### Windows Restricted Traffic Limited Functionality Baseline
 
-To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
+To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
 
 >[!IMPORTANT]
 >Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.

windows/privacy/gdpr-win10-whitepaper.md

@@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a
 #### Capabilities to classify, assign permissions and share data
 Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company. 
 
-To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
+To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
 
 Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
 

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -18,6 +18,7 @@ ms.date: 06/05/2018
 
 -   Windows 10 Enterprise, version 1607 and newer
 -   Windows Server 2016
+-   Windows Server 2019
 
 If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
 
@@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W
 
 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
 
+## What's new in Windows 10, version 1809 Enterprise edition
+
+Here's a list of changes that were made to this article for Windows 10, version 1809:
+
+- Added a policy to disable Windows Defender SmartScreen
+
 ## What's new in Windows 10, version 1803 Enterprise edition
 
 Here's a list of changes that were made to this article for Windows 10, version 1803:
@@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi
 
 | Setting | UI | Group Policy | MDM policy | Registry | Command line |
 | - | :-: | :-: | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
-| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
-| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | |
-| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  |
 | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  |
-| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
@@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi
 | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
 | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
@@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser
 | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) |
 | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | |
 
+### Settings for Windows Server 2019
+
+See the following table for a summary of the management settings for Windows Server 2019.
+
+| Setting | UI | Group Policy | MDM policy | Registry | Command line |
+| - | :-: | :-: | :-: | :-: | :-: |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  |
+| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
+|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | |
+|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
+|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) |  |  | |
+| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
+| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
+|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |  | |
+| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
+
 ## How to configure each setting
 
 Use the following sections for more information about how to configure each setting.
@@ -336,9 +401,17 @@ After that, configure the following:
 
 ### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
 
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
+To prevent Windows from retrieving device metadata from the Internet:
 
-You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
+
+    -or -
+
+- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+
+    -or -
+
+- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork).
 
 ### <a href="" id="find-my-device"></a>5. Find My Device
 
@@ -608,7 +681,7 @@ You can turn off NCSI by doing one of the following:
 
 -   Enable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
 
-- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
+- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
 
 > [!NOTE]
 > After you apply this policy, you must restart the device for the policy setting to take effect.
@@ -879,31 +952,13 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
 
     -or-
 
--   In Windows Server 2016, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge** &gt; **Configure SmartScreen Filter**.
-    In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge** &gt; **Configure Windows Defender SmartScreen Filter**.
-
-    In Windows Server 2016, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **File Explorer** &gt; **Configure Windows SmartScreen**.
-    In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **File Explorer** &gt; **Configure Windows Defender SmartScreen**.
-
-    -or-
-
--   Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
-    -or-
-
 -   Create a provisioning package, using:
-
-    -   For Internet Explorer: **Runtime settings** &gt; **Policies** &gt; **Browser** &gt; **AllowSmartScreen**
-
-    -   For Microsoft Edge: **Runtime settings** &gt; **Policies** &gt; **MicrosoftEdge** &gt; **AllowSmartScreen**
+    - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
+    - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
 
     -or-
 
--   Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero).
-
-    -or-
-
--   Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
 
 To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
 
@@ -1793,6 +1848,36 @@ For Windows 10 only, you can stop Enhanced Notifications:
 
 You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
 
+### <a href="" id="bkmk-defender-smartscreen"></a>23.1 Windows Defender SmartScreen
+
+To disable Windows Defender Smartscreen:
+
+- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+  -or-
+
+- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+       -and-
+
+- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
+
+  -or-
+
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
+
+       -and-
+
+- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
+ 
+       -and-
+
+- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
+
+  -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
 ### <a href="" id="bkmk-wmp"></a>24. Windows Media Player
 
 To remove Windows Media Player on Windows 10:

windows/privacy/manage-windows-endpoints.md

@@ -147,11 +147,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
 
 The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
 
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost        | HTTP     | ctldl.windowsupdate.com | 1709 |
-
-The following endpoints are used to download certificates that are publicly known to be fraudulent.
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
 These settings are critical for both Windows security and the overall security of the Internet. 
 We do not recommend blocking this endpoint.
 If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent
 4. Type **NDES Servers** in **Enter the object names to select**.  Click **OK**.  Click **OK** on the **Active Directory Domain Services** success dialog.
 
 > [!NOTE]
-> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests.  You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests.  You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
 
 ### Create the NDES Service Account
 The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA).  While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration.  The deployment uses a normal services account.

windows/security/information-protection/tpm/manage-tpm-lockout.md

@@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m
 
 **TPM 2.0**
 
-TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
+TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
 
 If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607.
 

windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.author: justinha
-ms.date: 06/18/2018
+ms.date: 11/08/2018
 ms.localizationpriority: medium
 ---
 
@@ -24,6 +24,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an
 
 Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
 
+## Video: Protect enterprise data from being accidentally copied to the wrong place
+
+> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh]
+
 ## Prerequisites
 You’ll need this software to run WIP in your enterprise:
 

windows/security/threat-protection/TOC.md

@@ -23,6 +23,7 @@
 ###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
 
 
+
 ##### Alerts queue
 ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -81,76 +82,10 @@
 ###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
 
  
+
 #### [Management and APIs](windows-defender-atp/management-apis.md)
 ##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######Machines Security States
-####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-######Machine Groups
-####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-######Windows updates (KB) info
-####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-######Common Vulnerabilities and Exposures (CVE) to KB map
-####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
- 
+##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
 ##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
 
 #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
@@ -186,7 +121,7 @@
 ### [Configure and manage capabilities](windows-defender-atp/onboard.md)
 #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
 ##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
+###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
 ##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 ##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 ###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
@@ -290,6 +225,157 @@
 ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
    
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
+###### Create your app
+####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
+
+####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
+######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+####### Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+####### IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+####### Machines Security States
+######## [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
+####### Machine Groups
+######## [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
+
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+
+###### How to use APIs - Samples
+####### Advanced Hunting API
+######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
+######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md)
+######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md)
+######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+####### Multiple APIs
+######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md)
+####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md)
+
+##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor (deprecated)
+######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts (deprecated)
+######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain (deprecated)
+########  [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#######File(deprecated)
+######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+#######IP (deprecated)
+######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines (deprecated)
+######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+#######User (deprecated)
+######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+#####Windows updates (KB) info
+###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
+ 
+
+
+
+
+
+
+
+
 ##### API for custom alerts
 ###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
 ###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/index.md

@@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT
 
 <a name="edr"></a>
 
-**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. 
+**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. 
 
 - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -1,14 +1,14 @@
 ---
 title: Top scoring in industry antivirus tests
 description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: security, malware, av-comparatives, av-test, av, antivirus
+keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 09/05/2018
+ms.date: 11/07/2018
 ---
 
 # Top scoring in industry antivirus tests
@@ -18,20 +18,18 @@ ms.date: 09/05/2018
 We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections.
 
 In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is  part of the  [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
-
-> [!TIP]
-> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports).
-
 <br></br><br></br>
 ![AV-TEST logo](./images/av-test-logo.png)
 
 ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
+> [!NOTE]
+> [Download our latest analysis: Examining the AV-TEST July-August results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
 
-### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) <sup>**Latest**</sup>
+### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
 
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 9 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware").
+ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware").
 
 ### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) 
 
@@ -47,7 +45,7 @@ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with
 
 |||
 |---|---|
-|![Graph describing Real-World detection rate](./images/RealWorld1.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware1.png)|
+|![Graph describing Real-World detection rate](./images/RealWorld.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware.png)|
 <br></br>
 
 ![AV-Comparatives Logo](./images/av-comparatives-logo-3.png)

windows/security/threat-protection/intelligence/worms-malware.md

@@ -25,7 +25,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have
 
 * **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
 
-* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
+* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
 
 Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
 

windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md

@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
 | Default Domain Policy | Not defined 
-| Default Domain Controler Policy | Not defined 
+| Default Domain Controller Policy | Not defined 
 | Stand-Alone Server Default Settings | Disabled 
 | DC Effective Default Settings | Disabled 
 | Member Server Effective Default Settings | Disabled 

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -16,6 +16,10 @@
 #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 
 
+#### [Incidents queue](incidents-queue.md)
+##### [View and organize the Incidents queue](view-incidents-queue.md)
+##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
+##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
 
 #### [Incidents queue](incidents-queue.md)
 ##### [View and organize the Incidents queue](view-incidents-queue.md)
@@ -84,74 +88,7 @@
 
 ### [Management and APIs](management-apis.md)
 #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-
-#####Domain
-###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
-
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-#####Machines Security States
-###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-#####Machine Groups
-###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-#####Windows updates (KB) info
-###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
- 
+#### [Windows Defender ATP APIs](apis-intro.md)
 #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
 
 
@@ -288,6 +225,165 @@
 ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+  
+
+#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
+##### Create your app
+###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
+###### [Get access without a user](exposed-apis-create-app-webapp.md)
+##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+###### [Advanced Hunting](run-advanced-query-api.md)
+
+###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+###### Machines Security States
+####### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
+###### Machine Groups
+####### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
+
+
+###### [User](user-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+##### How to use APIs - Samples
+###### Advanced Hunting API
+####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+###### Multiple APIs
+####### [PowerShell](exposed-apis-full-sample-powershell.md)
+###### [Using OData Queries](exposed-apis-odata-samples.md)
+
+#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor (deprecated)
+####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts (deprecated)
+####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain (deprecated)
+#######  [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File(deprecated)
+####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP (deprecated)
+####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines (deprecated)
+####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User (deprecated)
+####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 #### API for custom alerts
 ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,110 @@
+---
+title: Add or Remove Machine Tags API
+description: Use this API to Add or Remove machine tags.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Add or Remove Machine Tags API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Adds or remove tag to a specific machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/tags
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Value |	String |	The tag name. **Required**.
+Action	| Enum |	Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+
+
+## Response
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+Content-type: application/json
+{
+  "Value" : "Test Tag",
+  "Action": "Add"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
+    "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+    "computerDnsName": "mymachine55.contoso.com",
+    "firstSeen": "2018-07-31T14:20:55.8223496Z",
+    "lastSeen": "2018-09-27T08:44:05.6228836Z",
+    "osPlatform": "Windows10",
+    "osVersion": null,
+    "lastIpAddress": "10.248.240.38",
+    "lastExternalIpAddress": "167.220.2.166",
+    "agentVersion": "10.3720.16299.98",
+    "osBuild": 16299,
+    "healthStatus": "Active",
+    "isAadJoined": true,
+    "machineTags": [
+        "Test Tag"
+    ],
+    "rbacGroupId": 75,
+    "riskScore": "Medium",
+    "aadDeviceId": null
+}
+
+```
+
+To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md

@@ -113,4 +113,4 @@ To effectively build queries that span multiple tables, you need to understand t
 
 ## Related topic
 - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
-- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,81 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection |  List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property |	Type	|	Description
+:---|:---|:---
+id | String | Alert ID
+severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+title | string | Alert title
+threatFamilyName | string | Threat family
+detectionSource | string | Detection source 
+assignedTo | String | Owner of the alert
+classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "id": "636688558380765161_2136280442",
+    "severity": "Informational",
+    "status": "InProgress",
+    "description": "Some alert description 1",
+    "recommendedAction": "Some recommended action 1",
+    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+    "category": "General",
+    "title": "Some alert title 1",
+    "threatFamilyName": null,
+    "detectionSource": "WindowsDefenderAtp",
+    "classification": "TruePositive",
+    "determination": null,
+    "assignedTo": "best secop ever",
+    "resolvedTime": null,
+    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+    "actorName": null,
+    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+```

windows/security/threat-protection/windows-defender-atp/apis-intro.md

@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection API overview  
+description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Windows Defender ATP API overview
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+
+As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+
+## Delegated permissions, application permissions, and effective permissions
+
+Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+
+- **Delegated permissions** <br> 
+    Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
+- **Application permissions** <br>
+    Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+
+Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+
+- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
+
+	For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+
+- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/13/2018
+ms.date: 11/09/2018
 ---
 
 # Use basic permissions to access the portal
@@ -79,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te
 
 6.	Select **Manage** > **Directory role**.
 
-7.	Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
+7.	Select **Add role** and choose the role you'd like to assign, then click **Select**.
 
-    ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
+
+    ![Image of Microsoft Azure portal](images/atp-azure-assign-role.png)
 
 ## Related topic
 - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Block file API
+# Block file API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Prevent a file from being executed in the organization using Windows Defender Antivirus.

windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Collect investigation package from a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.CollectForensics |	'Collect forensics'
+Delegated (work or school account) |	Machine.CollectForensics |	'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Comment |	String |	Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+  "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+    "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+    "type": "CollectInvestigationPackage",
+    "requestor": "Analyst@contoso.com",
+    "requestorComment": " Collect forensics due to alert 1234",
+    "status": "InProgress",
+    "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+    "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+    "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+	"relatedFileInfo": null
+}
+
+```

windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Collect investigation package API
+# Collect investigation package API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Collect investigation package from a machine.
 

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,93 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API 
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alerts.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+Content-Length: application/json
+
+{
+  "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+  "severity": "Low",
+  "title": "test alert",
+  "description": "redalert",
+  "recommendedAction": "white alert",
+  "eventTime": "2018-08-03T16:45:21.7115183Z",
+  "reportId": "20776",
+  "category": "None"
+} 
+```

windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md

@@ -187,7 +187,6 @@ The API currently supports the following IOC types:
 - Sha1
 - Sha256
 - Md5
-- FileName
 - IpAddress
 - DomainName 
 

windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete TI Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```

windows/security/threat-protection/windows-defender-atp/deprecate.md

@@ -0,0 +1,7 @@
+---
+ms.date: 10/17/2018
+---
+>[!WARNING]
+
+
+> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md).

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -0,0 +1,175 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs  
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+
+If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+
+If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+>[!NOTE]
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). 
+
+>[!TIP]
+> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. 
+
+## Create an app
+
+1.	Log on to [Azure](https://portal.azure.com).
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the Create window, enter the following information then click **Create**.
+
+    ![Image of Create application window](images/nativeapp-create.png)
+
+    - **Name:** -Your app name-
+    - **Application type:** Native
+    - **Redirect URI:** `https://127.0.0.1`
+
+
+4.	Click **Settings** > **Required permissions** > **Add**.
+
+    ![Image of new app in Azure](images/nativeapp-add-permission.png)
+
+5.	Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+	
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+    ![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+	
+	>[!IMPORTANT]
+    >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
+
+    ![Image of select permissions](images/nativeapp-select-permissions.png)
+
+	For instance,
+
+    - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+    - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+       To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+
+
+7. Click **Done**
+
+    ![Image of add permissions completion](images/nativeapp-add-permissions-end.png)
+
+8. Click **Grant permissions**
+
+	In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+	If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+9. Write down your application ID.
+    
+	![Image of app ID](images/nativeapp-get-appid.png)
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+The  code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+	```
+	using Microsoft.IdentityModel.Clients.ActiveDirectory;
+	```
+
+- Copy/Paste the below code in your application (pay attention to the comments in the code)
+
+	```
+	const string authority = "https://login.windows.net";
+	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+
+	string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
+	string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! 
+
+	UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+
+	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
+	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
+	string token = authenticationResult.AccessToken;
+	```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'scp' claim with the desired app permissions
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
+
+![Image of token validation](images/nativeapp-decoded-token.png)
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#** 
+	```
+	var httpClient = new HttpClient();
+
+	var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+	// Do something useful with the response
+	```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md

@@ -0,0 +1,220 @@
+---
+title: Create an app to access Windows Defender ATP without a user
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Create an app to access Windows Defender ATP without a user
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
+This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+
+If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
+If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1.	Log on to [Azure](https://portal.azure.com).
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the Create window, enter the following information then click **Create**.
+
+    ![Image of Create application window](images/webapp-create.png)
+
+    - **Name:** WdatpEcosystemPartner
+    - **Application type:** Web app / API
+    - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4.	Click **Settings** > **Required permissions** > **Add**.
+
+    ![Image of new app in Azure](images/webapp-add-permission.png)
+
+5.	Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+	
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+    ![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+	
+	**Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+    ![Image of select permissions](images/webapp-select-permission.png)
+
+	For instance,
+
+	- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+	- To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+	To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+
+7. Click **Done**
+
+    ![Image of add permissions completion](images/webapp-add-permission-end.png)
+
+8. Click **Grant permissions**
+
+	In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+	If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+9. Click **Keys** and type a key name and click **Save**.
+
+	**Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+    ![Image of create app key](images/webapp-create-key.png)
+
+10. Write down your application ID.
+    
+	![Image of app ID](images/webapp-get-appid.png)
+
+11. Set your application to be multi-tenanted
+	
+	This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
+
+	This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)​
+
+	Click **Properties** > **Yes** > **Save**.
+
+	![Image of multi tenant](images/webapp-edit-multitenant.png)
+
+
+## Application consent
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form: 
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
+```
+
+where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+	```
+	using Microsoft.IdentityModel.Clients.ActiveDirectory;
+	```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+	```
+	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+	string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! 
+
+	const string authority = "https://login.windows.net";
+	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+	ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+	string token = authenticationResult.AccessToken;
+	```
+
+### Using PowerShell 
+
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- ​Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+
+![Image of token validation](images/webapp-decoded-token.png)
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#** 
+	```
+	var httpClient = new HttpClient();
+
+	var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+	// Do something useful with the response
+	```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md

@@ -0,0 +1,118 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Windows Defender ATP APIs using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Full scenario using multiple APIs from Windows Defender ATP.
+
+In this section we share PowerShell samples to 
+ - Retrieve a token 
+ - Use token to retrieve the latest alerts in Windows Defender ATP
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Preparation Instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the below
+
+> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appSecret: Secret of your AAD app
+> - $suspiciousUrl: The URL
+
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
+
+$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+	resource = "$resourceAppIdUri"
+	client_id = "$appId"
+	client_secret = "$appSecret"
+	grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$aadToken = $authResponse.access_token
+
+
+#Get latest alert
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$headers = @{ 
+	'Content-Type' = 'application/json'
+	Accept = 'application/json'
+	Authorization = "Bearer $aadToken" 
+}
+$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
+$alerts =  ($alertResponse | ConvertFrom-Json).value
+
+$machinesToInvestigate = New-Object System.Collections.ArrayList
+
+Foreach($alert in $alerts)
+{
+	#echo $alert.id	$alert.machineId	$alert.severity	$alert.status
+
+	$isSevereAlert = $alert.severity -in 'Medium', 'High'
+	$isOpenAlert = $alert.status -in 'InProgress', 'New'
+	if($isOpenAlert -and $isSevereAlert)
+	{
+		if (-not $machinesToInvestigate.Contains($alert.machineId))
+		{
+			$machinesToInvestigate.Add($alert.machineId) > $null
+		}
+	}
+}
+
+$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
+
+$query = "NetworkCommunicationEvents
+| where MachineId in ($commaSeparatedMachines)
+| where RemoteUrl  == `"$suspiciousUrl`"
+| summarize ConnectionsCount = count() by MachineId"
+
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+
+$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
+$response =  ($queryResponse | ConvertFrom-Json).Results
+$response
+
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md

@@ -0,0 +1,58 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs  
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. 
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs 
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) 
+
+## End Point URI and Versioning
+
+### End Point URI:
+
+> The service base URI is: https://api.securitycenter.windows.com
+
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts
+
+### Versioning:
+
+> The API supports versioning.
+
+> The current version is **V1.0**.
+
+> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
+
+> If you don't specify any version ( without /v1.0/ ) you will get to the latest version.
+
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -0,0 +1,188 @@
+---
+title: OData queries with Windows Defender ATP
+description: OData queries with Windows Defender ATP
+keywords: apis, supported apis, odata, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# OData queries with Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+> If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/)
+
+> ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.**
+> ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.**
+
+### Example 1
+
+**Get all the machines with 'High' 'RiskScore'**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+            "computerDnsName": "examples.dev.corp.microsoft.com",
+            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "lastSeen": "2018-11-12T10:27:08.708723Z",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.0.0",
+            "lastIpAddress": "123.123.10.33",
+            "lastExternalIpAddress": "124.124.160.172",
+            "agentVersion": "10.6300.18279.1001",
+            "osBuild": 18279,
+            "healthStatus": "ImpairedCommunication",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 5,
+            "rbacGroupName": "North",
+            "riskScore": "High",
+            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 2
+
+**Get top 100 machines with 'HealthStatus' not equals to 'Active'**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1113333ddb83d581238792387b1239b01286b2f",
+            "computerDnsName": "examples.dev.corp.microsoft.com",
+            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "lastSeen": "2018-11-12T10:27:08.708723Z",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.0.0",
+            "lastIpAddress": "123.123.10.33",
+            "lastExternalIpAddress": "124.124.160.172",
+            "agentVersion": "10.6300.18279.1001",
+            "osBuild": 18279,
+            "healthStatus": "ImpairedCommunication",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 5,
+            "rbacGroupName": "North",
+            "riskScore": "Medium",
+            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 3
+
+**Get all the machines that last seen after 2018-10-20**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "83113465ffceca4a731234e5dcde3357e026e873",
+            "computerDnsName": "examples-vm10",
+            "firstSeen": "2018-11-12T16:07:50.1706168Z",
+            "lastSeen": "2018-11-12T16:07:50.1706168Z",
+            "osPlatform": "WindowsServer2019",
+            "osVersion": null,
+            "lastIpAddress": "10.123.72.35",
+            "lastExternalIpAddress": "123.220.2.3",
+            "agentVersion": "10.6300.18281.1000",
+            "osBuild": 18281,
+            "healthStatus": "Active",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 4,
+            "rbacGroupName": "East",
+            "riskScore": "None",
+            "aadDeviceId": null
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 4
+
+**Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+    "value": [
+        {
+            "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+            "type": "RunAntiVirusScan",
+            "requestor": "Analyst@examples.onmicrosoft.com",
+            "requestorComment": "1533",
+            "status": "Succeeded",
+            "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
+            "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
+            "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
+            "relatedFileInfo": null
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md

@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 ms.date: 10/23/2017
 ---
 
-# Use the Windows Defender ATP exposed APIs 
+# Use the Windows Defender ATP exposed APIs (deprecated)
 
 **Applies to:**
 

windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,49 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# File resource type
+
+[!include[Prerelease information](prerelease.md)]
+
+Represent a file entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file 
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
+[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
+
+
+# Properties
+Property |	Type	|	Description
+:---|:---|:---
+sha1 | String | Sha1 hash of the file content
+sha256 | String | Sha256 hash of the file content
+md5 | String | md5 hash of the file content
+globalPrevalence | Integer | File prevalence accross organization
+globalFirstObserved | DateTimeOffset | First time the file was observed.
+globalLastObserved | DateTimeOffset | Last time the file was observed.
+size | Integer | Size of the file.
+fileType | String | Type of the file. 
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
+filePublisher | String | File publisher.
+fileProductName | String | Product name.
+signer | String | File signer.
+issuer | String | File issuer.
+signerHash | String | Hash of the signing certificate.
+isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+

windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,88 @@
+---
+title: Find machine information by internal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/25/2018
+---
+
+# Find machine information by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Find a machine by internal IP.
+
+>[!NOTE]
+>The timestamp must be within the last 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/find(timestamp={time},key={IP})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. 
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+    "value": [
+        {
+            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+            "computerDnsName": "",
+            "firstSeen": "2017-07-06T01:25:04.9480498Z",
+            "osPlatform": "Windows10",
+…
+}
+```

windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 07/25/2018
 ---
 
-# Find machine information by internal IP API
+# Find machine information by internal IP API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 Find a machine entity around a specific timestamp by internal IP.
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Find machines by internal IP API
+description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found  - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+            "computerDnsName": "mymachine33.contoso.com",
+            "firstSeen": "2018-07-31T14:20:55.8223496Z",
+            "lastSeen": null,
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "lastIpAddress": "10.248.240.38",
+            "lastExternalIpAddress": "167.220.2.166",
+            "agentVersion": "10.3720.16299.98",
+            "osBuild": 16299,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "Medium",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md

@@ -15,12 +15,13 @@ ms.date: 12/08/2017
 ---
 
 
-# Get actor information API
+# Get actor information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves an actor information report. 

windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get actor related alerts API
+# Get actor related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all alerts related to a given actor.

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert information by ID API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves an alert by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "id": "636688558380765161_2136280442",
+    "severity": "Informational",
+    "status": "InProgress",
+    "description": "Some alert description 1",
+    "recommendedAction": "Some recommended action 1",
+    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+    "category": "General",
+    "title": "Some alert title 1",
+    "threatFamilyName": null,
+    "detectionSource": "WindowsDefenderAtp",
+    "classification": "TruePositive",
+    "determination": null,
+    "assignedTo": "best secop ever",
+    "resolvedTime": null,
+    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+    "actorName": null,
+    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert information by ID API
+# Get alert information by ID API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves an alert by its ID.

windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related actor information API
+# Get alert related actor information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves the actor information related to the specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,87 @@
+---
+title: Get alert related domains information 
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related domain information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves all domains related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	URL.Read.All |	'Read URLs'
+Delegated (work or school account) | URL.Read.All |	'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/domains
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK.
+If alert not found or domain not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
+    "value": [
+        {
+            "host": "www.example.com"
+        }
+    ]
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,16 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related domain information API
+# Get alert related domain information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 
+[!include[Deprecated information](deprecate.md)]
+
+
 
 Retrieves all domains related to a specific alert.
 

windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,100 @@
+---
+title: Get alert related files information 
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related files information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves all files related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read file profiles'
+Delegated (work or school account) | File.Read.All |	'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/files
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK.
+If alert not found or files not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
+    "value": [
+        {
+            "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
+            "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
+            "md5": "82849dc81d94056224445ea73dc6153a",
+            "globalPrevalence": 33,
+            "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
+            "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
+            "windowsDefenderAVThreatName": null,
+            "size": 801112,
+            "fileType": "PortableExecutable",
+            "isPeFile": true,
+            "filePublisher": null,
+            "fileProductName": null,
+            "signer": "Microsoft Windows",
+            "issuer": "Microsoft Development PCA 2014",
+            "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
+            "isValidCertificate": true
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related files information API
+# Get alert related files information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all files related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,89 @@
+---
+title: Get alert related IPs information 
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related IP information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ip.Read.All |	'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All |	'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/ips
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",    
+	"value": [
+				{
+					"id": "104.80.104.128"
+				},
+				{
+					"id": "23.203.232.228	
+				}
+	]
+}
+ 
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related IP information API
+# Get alert related IP information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all IPs related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,99 @@
+---
+title: Get alert related machine information 
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related machine information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves machine that is related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine information'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/machine
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK.
+If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+    "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+    "computerDnsName": "amazingmachine.contoso.com",
+    "firstSeen": "2017-12-10T07:47:34.4269783Z",
+	"lastSeen": "2017-12-10T07:47:34.4269783Z",
+    "osPlatform": "Windows10",
+    "osVersion": "10.0.0.0",
+    "systemProductName": null,
+    "lastIpAddress": "172.17.0.0",
+    "lastExternalIpAddress": "167.220.0.0",
+    "agentVersion": "10.5830.17732.1001",
+    "osBuild": 17732,
+    "healthStatus": "Active",
+    "isAadJoined": true,
+    "machineTags": [],
+    "rbacGroupId": 75,
+    "riskScore": "Low",
+    "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related machine information API
+# Get alert related machine information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all machines related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,91 @@
+---
+title: Get alert related user information 
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	User.Read.All |	'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+    "id": "contoso\\user1",
+    "firstSeen": "2018-08-02T00:00:00Z",
+    "lastSeen": "2018-08-04T00:00:00Z",
+    "mostPrevalentMachineId": null,
+    "leastPrevalentMachineId": null,
+    "logonTypes": "Network",
+    "logOnMachinesCount": 3,
+    "isDomainAdmin": false,
+    "isOnlyNetworkUser": null
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related user information API
+# Get alert related user information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves the user associated to a specific alert.
 

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,130 @@
+---
+title: List alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves top recent alerts.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 1",
+            "recommendedAction": "Some recommended action 1",
+            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 1",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+        },
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 2",
+            "recommendedAction": "Some recommended action 2",
+            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 2",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+        }
+	]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alerts API
+# Get alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves top recent alerts.

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,129 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value 
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 1",
+            "recommendedAction": "Some recommended action 1",
+            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 1",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+        },
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 2",
+            "recommendedAction": "Some recommended action 2",
+            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 2",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+        }
+	]
+}
+```
+

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,15 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain related alerts API
+# Get domain related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 
+[!include[Deprecated information](deprecate.md)]
+
 
 Retrieves a collection of alerts related to a given domain address.
 

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,122 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+            "computerDnsName": "testMachine1",
+            "firstSeen": "2018-07-30T20:12:00.3708661Z",
+			"lastSeen": "2018-07-30T20:12:00.3708661Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "10.209.67.177",
+            "lastExternalIpAddress": "167.220.1.210",
+            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18208,
+            "healthStatus": "Inactive",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+            "computerDnsName": "testMachine2",
+            "firstSeen": "2018-07-30T19:50:47.3618349Z",
+			"lastSeen": "2018-07-30T19:50:47.3618349Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "10.209.70.231",
+            "lastExternalIpAddress": "167.220.0.28",
+            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18208,
+            "healthStatus": "Inactive",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "None",
+            "aadDeviceId": null
+        }    
+	]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain related machines API
+# Get domain related machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a collection of machines related to a given domain address.

windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,84 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	URL.Read.All |	'Read URLs'
+Delegated (work or school account) | URL.Read.All |	'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value 
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the response body.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+	"host": "example.com",
+    "orgPrevalence": "4070",
+    "orgFirstSeen": "2017-07-30T13:23:48Z",
+    "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```

windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain statistics API
+# Get domain statistics API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves the prevalence for the given domain.

windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read all file profiles'
+Delegated (work or school account) | File.Read.All |	'Read all file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+    "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+    "md5": "7f05a371d2beffb3784fd2199f81d730",
+    "globalPrevalence": 7329,
+    "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+    "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+    "windowsDefenderAVThreatName": null,
+    "size": 391680,
+    "fileType": "PortableExecutable",
+    "isPeFile": true,
+    "filePublisher": null,
+    "fileProductName": null,
+    "signer": null,
+    "issuer": null,
+    "signerHash": null,
+    "isValidCertificate": null
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file information API
+# Get file information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a file by identifier Sha1, Sha256, or MD5.

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,107 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636692391408655573_2010598859",
+            "severity": "Low",
+            "status": "New",
+            "description": "test alert",
+            "recommendedAction": "do this and that",
+            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+            "category": "None",
+            "title": "test alert",
+            "threatFamilyName": null,
+            "detectionSource": "CustomerTI",
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+            "actorName": null,
+            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file related alerts API
+# Get file related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of alerts related to a given file hash.
 

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,123 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+            "computerDnsName": "mymachine1.contoso.com",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
+            "lastExternalIpAddress": "167.220.196.71",
+            "agentVersion": "10.5830.18209.1001",
+            "osBuild": 18209,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+            "computerDnsName": "mymachine2.contoso.com",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
+			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
+            "lastExternalIpAddress": "79.183.65.82",
+            "agentVersion": "10.5820.17724.1000",
+            "osBuild": 17724,
+            "healthStatus": "Inactive",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file related machines API
+# Get file related machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of machines related to a given file hash.
 

windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,93 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+    "orgPrevalence": "3",
+    "orgFirstSeen": "2018-07-15T06:13:59Z",
+    "orgLastSeen": "2018-08-03T16:45:21Z",
+    "topFileNames": [
+        "chrome_1.exe",
+		"chrome_2.exe"
+    ]
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file statistics API
+# Get file statistics API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves the prevalence for the given file.
 

windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileActions collection API
+# Get FileActions collection API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
 

windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileMachineAction object API
+# Get FileMachineAction object API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Gets file and machine actions.
 

windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileMachineActions collection API
+# Get FileMachineActions collection API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
 

windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,106 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636692391408655573_2010598859",
+            "severity": "Low",
+            "status": "New",
+            "description": "test alert",
+            "recommendedAction": "do this and that",
+            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+            "category": "None",
+            "title": "test alert",
+            "threatFamilyName": null,
+            "detectionSource": "CustomerTI",
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+            "actorName": null,
+            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+        }
+    ]
+}
+```