\
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge Legacy as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge Legacy running in assigned access
- **1** - InPrivate public browsing with other apps
 | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,  | Configure how the Home Button behaves. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton **Data type:** Integer **Allowed values:**  | If you set ConfigureHomeButton to 2, configure the home button URL. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.bing.com |
+ | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**  | Set a custom URL for the New Tab page. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.msn.com |
**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 576a1de28f..a796135a6b 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -39,7 +39,16 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Internet Explorer"
+ "titleSuffix": "Internet Explorer",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"externalReference": [],
"template": "op.html",
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 5228341de6..6d55b1a859 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -45,7 +45,16 @@
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/gdpr/docfx.json b/gdpr/docfx.json
index 2fd5e0e9f9..9b8ee64f65 100644
--- a/gdpr/docfx.json
+++ b/gdpr/docfx.json
@@ -34,7 +34,16 @@
"ms.author": "lizross",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app"
+ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index bdfb8ea979..797c283b19 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -3,7 +3,6 @@
## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md)
### [Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md)
### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md)
-### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md)
### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md)
### [Settings reference: Microsoft Store for Business and Education](settings-reference-microsoft-store-for-business.md)
## [Find and acquire apps](find-and-acquire-apps-overview.md)
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 3989e6d860..3cec119295 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -5,16 +5,20 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
-ms.date: 10/23/2018
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.reviewer:
-manager: dansimp
ms.topic: conceptual
ms.localizationpriority: medium
+ms.date: 03/10/2021
---
# Acquire apps in Microsoft Store for Business and Education
+
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping.
## App licensing model
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index c57643bd16..fca2e9d796 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -3,16 +3,16 @@ title: Add unsigned app to code integrity policy (Windows 10)
description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device.
ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 03/10/2021
---
# Add unsigned app to code integrity policy
@@ -99,7 +99,7 @@ After you're done, the files are saved to your desktop. You still need to sign t
## Catalog signing with Device Guard signing portal
-To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. For more information, see [Sign up for the Microsoft Store for Business](sign-up-microsoft-store-for-business.md).
+To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business.
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 82518ed170..dbee2e62f1 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -2,17 +2,9 @@
-## Week of January 25, 2021
+## Week of March 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
-| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
-
-
-## Week of January 11, 2021
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified |
+| 3/17/2021 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified |
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 9ec42cc879..ff6016354d 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -2,21 +2,20 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: high
-ms.date: 05/14/2020
+ms.date: 03/10/2021
---
# Microsoft Store for Business and Education
-
**Applies to**
- Windows 10
@@ -24,6 +23,11 @@ ms.date: 05/14/2020
Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
+> [!IMPORTANT]
+> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you’ve already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won’t be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of “free” will still be available. This change doesn’t impact apps in the Microsoft Store on Windows 10.
+>
+> Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education.
+
## In this section
| Topic | Description |
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 59be6fdc1c..69f8d80a62 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -3,16 +3,16 @@ title: Microsoft Store for Business and Microsoft Store for Education overview (
description: With Microsoft Store for Business and Microsoft Store for Education, organizations and schools can make volume purchases of Windows apps.
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date:
+ms.date: 03/10/2021
---
# Microsoft Store for Business and Microsoft Store for Education overview
@@ -22,6 +22,9 @@ ms.date:
- Windows 10
- Windows 10 Mobile
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
> [!IMPORTANT]
@@ -80,8 +83,6 @@ While not required, you can use a management tool to distribute and manage apps.
The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
-For more information, see [Sign up for Store for Business and Education](sign-up-microsoft-store-for-business.md).
-
## Set up
After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 0dc7ab9ece..46b104c6f6 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -3,16 +3,16 @@ title: Prerequisites for Microsoft Store for Business and Education (Windows 10)
description: There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education.
ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date:
+ms.date: 03/10/2021
---
# Prerequisites for Microsoft Store for Business and Education
@@ -22,6 +22,9 @@ ms.date:
- Windows 10
- Windows 10 Mobile
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
> [!IMPORTANT]
> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 2163e6379a..5bab3cb32a 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -4,19 +4,28 @@ description: The first person to sign in to Microsoft Store for Business or Micr
keywords: roles, permissions
ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 03/16/2021
---
# Roles and permissions in Microsoft Store for Business and Education
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
@@ -27,62 +36,65 @@ This table lists the global user accounts and the permissions they have in Micro
| | Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
-| Sign up for Microsoft Store for Business and Education | X |
-| Modify company profile settings | X | |
-| Purchase apps | X | X |
+| Sign up for Microsoft Store for Business and Education | X | X |
+| Modify company profile settings | X | X |
+| Purchase apps | X | X |
| Distribute apps | X | X |
| Purchase subscription-based software | X | X |
-
-**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
+- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
-**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role.
+## Microsoft Store roles and permissions
-## Billing account roles and permissions
-There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business.
+Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
This table lists the roles and their permissions.
-| Role | Buy from https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata The root node for the CleanPC configuration service provider. {7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA} Ethernet 10Mbps Ethernet 10 Mbps {97D3D1B3-854A-4C32-BD1C-C13069078370} Ethernet 100Mbps Ethernet 100 Mbps {A8F4FE66-8D04-43F5-9DD2-2A85BD21029B} Yes nocharacteristic uncharacteristic Yes characteristic-query Yes Recursive query: Yes Top level query: Yes Top-level query: Yes The root node for the DeveloperSetup configuration service provider.
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 3bf0368ffd..99d2930eff 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
-description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device.
+description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@@ -15,14 +15,21 @@ ms.date: 11/01/2017
# DeviceManageability CSP
-The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
+The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
-For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
-
-The following diagram shows the DeviceManageability configuration service provider in a tree format.
-
-
+For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
+The following shows the DeviceManageability configuration service provider in a tree format.
+```
+./Device/Vendor/MSFT
+DeviceManageability
+----Capabilities
+--------CSPVersions
+----Provider (Added in Windows 10, version 1709)
+--------ProviderID (Added in Windows 10, version 1709)
+------------ConfigInfo (Added in Windows 10, version 1709)
+------------EnrollmentInfo (Added in Windows 10, version 1709)
+```
**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 6ab35ba018..826af867cb 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -17,10 +17,52 @@ ms.date: 04/30/2019
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
-The following image shows the DeviceStatus configuration service provider in tree format.
-
-
-
+The following shows the DeviceStatus configuration service provider in tree format.
+```
+./Vendor/MSFT
+DeviceStatus
+----SecureBootState
+----CellularIdentities
+--------IMEI
+------------IMSI
+------------ICCID
+------------PhoneNumber
+------------CommercializationOperator
+------------RoamingStatus
+------------RoamingCompliance
+----NetworkIdentifiers
+--------MacAddress
+------------IPAddressV4
+------------IPAddressV6
+------------IsConnected
+------------Type
+----Compliance
+--------EncryptionCompliance
+----TPM
+--------SpecificationVersion
+----OS
+--------Edition
+--------Mode
+----Antivirus
+--------SignatureStatus
+--------Status
+----Antispyware
+--------SignatureStatus
+--------Status
+----Firewall
+--------Status
+----UAC
+--------Status
+----Battery
+--------Status
+--------EstimatedChargeRemaining
+--------EstimatedRuntime
+----DomainName
+----DeviceGuard
+--------VirtualizationBasedSecurityHwReq
+--------VirtualizationBasedSecurityStatus
+--------LsaCfgCredGuardStatus
+```
**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index ba02947ada..e9c0979c67 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -17,16 +17,23 @@ ms.date: 06/26/2017
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
-
-
-
+The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
+```
+.
+DevInfo
+----DevId
+----Man
+----Mod
+----DmV
+----Lang
+```
**DevId**
Required. Returns an application-specific global unique device identifier by default.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index db52ac149a..28c2b08822 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
1. At the bottom of the **Settings** page, click **Create report**.
- 
+ 
1. A window opens that shows the path to the log files. Click **Export**.
- 
+ 
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@@ -112,8 +112,8 @@ Example: Export the Debug logs
```
-## Collect logs from Windows 10 Mobile devices
-
+
+
-## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices
+## Collect logs remotely from Windows 10 Holographic
-For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
+For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
@@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
- 
+ 
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
- 
+ 
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
- 
+ 
7. Now you are ready to start reviewing the logs.
- 
+ 
## Collect device state data
@@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia
```
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index fb9c1a57d8..99f4ef73c5 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
-The following diagram shows the DiagnosticLog CSP in tree format.
-
-
+The following shows the DiagnosticLog CSP in tree format.
+```
+./Vendor/MSFT
+DiagnosticLog
+----EtwLog
+--------Collectors
+------------CollectorName
+----------------TraceStatus
+----------------TraceLogFileMode
+----------------TraceControl
+----------------LogFileSizeLimitMB
+----------------Providers
+--------------------ProviderGuid
+------------------------Keywords
+------------------------TraceLevel
+------------------------State
+--------Channels
+------------ChannelName
+----------------Export
+----------------State
+----------------Filter
+----DeviceStateData
+--------MdmConfiguration
+----FileDownload
+--------DMChannel
+------------FileContext
+----------------BlockSizeKB
+----------------BlockCount
+----------------BlockIndexToRead
+----------------BlockData
+----------------DataBlocks
+--------------------BlockNumber
+```
**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog CSP.
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 4a45bf4eb2..e7e340552c 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -23,10 +23,46 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve
For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
-
+The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+```
+./SyncML
+DMAcc
+----*
+--------AppID
+--------ServerID
+--------Name
+--------PrefConRef
+--------AppAddr
+------------*
+----------------Addr
+----------------AddrType
+----------------Port
+--------------------*
+------------------------PortNbr
+--------AAuthPref
+--------AppAuth
+------------*
+----------------AAuthLevel
+----------------AAuthType
+----------------AAuthName
+----------------AAuthSecret
+----------------AAuthData
+--------Ext
+------------Microsoft
+----------------Role
+----------------ProtoVer
+----------------DefaultEncoding
+----------------UseHwDevID
+----------------ConnRetryFreq
+----------------InitialBackOffTime
+----------------MaxBackOffTime
+----------------BackCompatRetryDisabled
+----------------UseNonceResync
+----------------CRLCheck
+----------------DisableOnRoaming
+----------------SSLCLIENTCERTSEARCHCRITERIA
+```
**DMAcc**
Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 6ed30e55f1..1f764db2bb 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -17,11 +17,50 @@ ms.date: 11/01/2017
The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
-The following diagram shows the DMClient CSP in tree format.
-
-
-
-
+The following shows the DMClient CSP in tree format.
+```
+./Vendor/MSFT
+DMClient
+----Provider
+--------
+------------EntDeviceName
+------------ExchangeID
+------------EntDMID
+------------SignedEntDMID
+------------CertRenewTimeStamp
+------------PublisherDeviceID
+------------ManagementServiceAddress
+------------UPN
+------------HelpPhoneNumber
+------------HelpWebsite
+------------HelpEmailAddress
+------------RequireMessageSigning
+------------SyncApplicationVersion
+------------MaxSyncApplicationVersion
+------------Unenroll
+------------AADResourceID
+------------AADDeviceID
+------------EnrollmentType
+------------EnableOmaDmKeepAliveMessage
+------------HWDevID
+------------ManagementServerAddressList
+------------CommercialID
+------------Push
+----------------PFN
+----------------ChannelURI
+----------------Status
+------------Poll
+----------------IntervalForFirstSetOfRetries
+----------------NumberOfFirstRetries
+----------------IntervalForSecondSetOfRetries
+----------------NumberOfSecondRetries
+----------------IntervalForRemainingScheduledRetries
+----------------NumberOfRemainingScheduledRetries
+----------------PollOnLogin
+----------------AllUsersPollOnFirstLogin
+----Unenroll
+----UpdateManagementServiceAddress
+```
**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index 65aeb1a961..8c5772b29c 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -1,6 +1,6 @@
---
title: DMSessionActions CSP
-description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
+description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -16,20 +16,57 @@ manager: dansimp
The DMSessionActions configuration service provider (CSP) is used to manage:
-- the number of sessions the client skips if the device is in a low power state
+- the number of sessions the client skips if the device is in a low-power state
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
-The following diagram shows the DMSessionActions configuration service provider in tree format.
+The following shows the DMSessionActions configuration service provider in tree format.
+```
+./User/Vendor/MSFT
+DMSessionActions
+----ProviderID
+--------CheckinAlertConfiguration
+------------Nodes
+----------------NodeID
+--------------------NodeURI
+--------AlertData
+--------PowerSettings
+------------MaxSkippedSessionsInLowPowerState
+------------MaxTimeSessionsSkippedInLowPowerState
-
+./Device/Vendor/MSFT
+DMSessionActions
+----ProviderID
+--------CheckinAlertConfiguration
+------------Nodes
+----------------NodeID
+--------------------NodeURI
+--------AlertData
+--------PowerSettings
+------------MaxSkippedSessionsInLowPowerState
+------------MaxTimeSessionsSkippedInLowPowerState
+
+
+./User/Vendor/MSFT
+./Device/Vendor/MSFT
+DMSessionActions
+----ProviderID
+--------CheckinAlertConfiguration
+------------Nodes
+----------------NodeID
+--------------------NodeURI
+--------AlertData
+--------PowerSettings
+------------MaxSkippedSessionsInLowPowerState
+------------MaxTimeSessionsSkippedInLowPowerState
+```
**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
Defines the root node for the DMSessionActions configuration service provider. Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache. Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. Scope is dynamic. Supported operations are Get, Add, and Delete. Value type is string. Supported operation is Get. Node for power related configrations Node for power-related configrations Maximum number of continuous skipped sync sessions when the device is in low power state. Maximum number of continuous skipped sync sessions when the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state. Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. The root node for the DynamicManagement configuration service provider. Supported operation is Get. Node created by the server to define a context. Maximum amount of characters allowed is 38. Node created by the server to define a context. Maximum number of characters allowed is 38. Supported operations are Add, Get, and Delete. Value type is string. Supported operations are Add, Get, Delete, and Replace. Response from applying a Settings Pack that contains information on each individual action.. Response from applying a Settings Pack that contains information on each individual action. Value type is string. Supported operation is Get. Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.. Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed. Value type is integer. Supported operation is Get. A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.. A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities. Value type is integer. Supported operations are Add, Get, Delete, and Replace. The root node for the EnterpriseAPN configuration service provider. Root node for the EnterpriseAppVManagement configuration service provider. Root node for the Firewall configuration service provider. The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. The following list of transactions are performed in one DHA-Session: The following list of transactions is performed in one DHA-Session: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. The following list of operations are performed by DHA-Enabled-MDM: The following list of operations is performed by DHA-Enabled-MDM The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. The following list of operations are performed by DHA-CSP: The following list of operations is performed by DHA-CSP: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. The following list of operations are performed by DHA-Service: The following list of operations is performed by DHA-Service: Accessible to all enterprise managed devices via following: Accessible to all enterprise-managed devices via following: (DHA-EMC) DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure. (DHA-EMC) DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. Accessible to all enterprise managed devices via following: Accessible to all enterprise-managed devices via following: The root node for the device HealthAttestation configuration service provider. The root node for the Surface Hub configuration service provider.
-**DeviceAccount**
+**DeviceAccount**
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
To use a device account from Azure Active Directory
-1. Set the UserPrincipalName (for Azure AD).
-2. Set a valid Password.
-3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD.
-4. Get the ErrorContext in case something goes wrong during validation.
+1. Set the UserPrincipalName (for Azure AD).
+2. Set a valid Password.
+3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD.
+4. Get the ErrorContext in case something goes wrong during validation.
> [!NOTE]
> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress.
-
+
Here's a SyncML example.
```xml
@@ -89,67 +89,72 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
To use a device account from Active Directory
-1. Set the DomainName.
-2. Set the UserName.
-3. Set a valid Password.
-4. Execute the ValidateAndCommit node.
+1. Set the DomainName.
+2. Set the UserName.
+3. Set a valid Password.
+4. Execute the ValidateAndCommit node.
-**DeviceAccount/DomainName**
+**DeviceAccount/DomainName**
Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/UserName**
+**DeviceAccount/UserName**
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/UserPrincipalName**
+**DeviceAccount/UserPrincipalName**
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/SipAddress**
+**DeviceAccount/SipAddress**
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/Password**
+**DeviceAccount/Password**
Password for the device account.
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
-**DeviceAccount/ValidateAndCommit**
+**DeviceAccount/ValidateAndCommit**
This method validates the data provided and then commits the changes.
The data type is string. Supported operation is Execute.
-**DeviceAccount/Email**
+**DeviceAccount/Email**
Email address of the device account.
The data type is string.
-**DeviceAccount/PasswordRotationEnabled**
+**DeviceAccount/PasswordRotationEnabled**
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
Valid values:
-- 0 - password rotation enabled
-- 1 - disabled
+- 0 - password rotation enabled
+- 1 - disabled
The data type is integer. Supported operation is Get and Replace.
-**DeviceAccount/ExchangeServer**
+**DeviceAccount/ExchangeServer**
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/CalendarSyncEnabled**
+**DeviceAccount/ExchangeModernAuthEnabled**
+ Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
+
+ The data type is boolean. Supported operation is Get and Replace.
+
+**DeviceAccount/CalendarSyncEnabled**
Specifies whether calendar sync and other Exchange server services is enabled.
The data type is boolean. Supported operation is Get and Replace.
-**DeviceAccount/ErrorContext**
+**DeviceAccount/ErrorContext**
If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values:
The data type is integer. Supported operation is Get.
-**MaintenanceHoursSimple/Hours**
+**MaintenanceHoursSimple/Hours**
Node for maintenance schedule.
-**MaintenanceHoursSimple/Hours/StartTime**
+**MaintenanceHoursSimple/Hours/StartTime**
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
The data type is integer. Supported operation is Get and Replace.
-**MaintenanceHoursSimple/Hours/Duration**
+**MaintenanceHoursSimple/Hours/Duration**
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps**
+**InBoxApps**
Node for the in-box app settings.
-**InBoxApps/SkypeForBusiness**
+**InBoxApps/SkypeForBusiness**
Added in Windows 10, version 1703. Node for the Skype for Business settings.
-**InBoxApps/SkypeForBusiness/DomainName**
+**InBoxApps/SkypeForBusiness/DomainName**
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online.
The data type is string. Supported operation is Get and Replace.
-**InBoxApps/Welcome**
+**InBoxApps/Welcome**
Node for the welcome screen.
-**InBoxApps/Welcome/AutoWakeScreen**
+**InBoxApps/Welcome/AutoWakeScreen**
Automatically turn on the screen using motion sensors.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/Welcome/CurrentBackgroundPath**
+**InBoxApps/Welcome/CurrentBackgroundPath**
Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace.
-**InBoxApps/Welcome/MeetingInfoOption**
+**InBoxApps/Welcome/MeetingInfoOption**
Meeting information displayed on the welcome screen.
Valid values:
-- 0 - Organizer and time only
-- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
+- 0 - Organizer and time only
+- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection**
+**InBoxApps/WirelessProjection**
Node for the wireless projector app settings.
-**InBoxApps/WirelessProjection/PINRequired**
+**InBoxApps/WirelessProjection/PINRequired**
Users must enter a PIN to wirelessly project to the device.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection/Enabled**
+**InBoxApps/WirelessProjection/Enabled**
Enables wireless projection to the device.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection/Channel**
+**InBoxApps/WirelessProjection/Channel**
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps/Connect**
+**InBoxApps/Connect**
Added in Windows 10, version 1703. Node for the Connect app.
-**InBoxApps/Connect/AutoLaunch**
+**InBoxApps/Connect/AutoLaunch**
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
The data type is boolean. Supported operation is Get and Replace.
-**Properties**
+**Properties**
Node for the device properties.
-**Properties/FriendlyName**
+**Properties/FriendlyName**
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
The data type is string. Supported operation is Get and Replace.
-**Properties/DefaultVolume**
+**Properties/DefaultVolume**
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
The data type is integer. Supported operation is Get and Replace.
-**Properties/ScreenTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
+**Properties/ScreenTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
The following table shows the permitted values.
@@ -370,8 +375,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
-**Properties/SessionTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
+**Properties/SessionTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
The following table shows the permitted values.
@@ -422,8 +427,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
-**Properties/SleepTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
+**Properties/SleepTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
The following table shows the permitted values.
@@ -479,58 +484,49 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
Valid values:
-- 0 - Connected Standby (default)
-- 1 - Hibernate
+- 0 - Connected Standby (default)
+- 1 - Hibernate
The data type is integer. Supported operation is Get and Replace.
-**Properties/AllowSessionResume**
- Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
+**Properties/AllowSessionResume**
+ Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
- If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+ If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/AllowAutoProxyAuth**
+**Properties/AllowAutoProxyAuth**
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/DisableSigninSuggestions**
- Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
+**Properties/DisableSigninSuggestions**
+ Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/DoNotShowMyMeetingsAndFiles**
+**Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.
The data type is boolean. Supported operation is Get and Replace.
-**MOMAgent**
+**MOMAgent**
Node for the Microsoft Operations Management Suite.
-**MOMAgent/WorkspaceID**
+**MOMAgent/WorkspaceID**
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent.
The data type is string. Supported operation is Get and Replace.
-**MOMAgent/WorkspaceKey**
+**MOMAgent/WorkspaceKey**
Primary key for authenticating with the workspace.
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 5ce1c2c024..3c062277a0 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -1,6 +1,6 @@
---
title: TenantLockdown CSP
-description:
+description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -21,10 +21,12 @@ The TenantLockdown configuration service provider is used by the IT admin to loc
> [!NOTE]
> The forced network connection is only applicable to devices after reset (not new).
-The following diagram shows the TenantLockdown configuration service provider in tree format.
-
-
-
+The following shows the TenantLockdown configuration service provider in tree format.
+```
+./Vendor/MSFT
+TenantLockdown
+----RequireNetworkInOOBE
+```
**./Vendor/MSFT/TenantLockdown**
The root node.
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index f97ea96a00..863fa75311 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -14,25 +14,27 @@ manager: dansimp
# TPMPolicy CSP
-The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
-The following diagram shows the TPMPolicy configuration service provider in tree format.
-
-
-
+The following shows the TPMPolicy configuration service provider in tree format.
+```
+./Vendor/MSFT
+TPMPolicy
+----IsActiveZeroExhaust
+```
**./Device/Vendor/MSFT/TPMPolicy**
Defines the root node. Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured: Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured: The root node.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index dc6cd495a9..e4a2c9975f 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -33,10 +33,290 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
- `C:\\Windows\\schemas\\EAPHost`
- `C:\\Windows\\schemas\\EAPMethods`
-The following diagram shows the VPNv2 configuration service provider in tree format.
+The following shows the VPNv2 configuration service provider in tree format.
-
+```
+./Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+----------------Direction
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------LockDown
+--------DeviceTunnel
+--------RegisterDNS
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+
+./User/Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+
+
+./Vendor/MSFT
+./User/Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+----------------Direction
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------LockDown
+--------DeviceTunnel
+--------RegisterDNS
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+```
**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@@ -119,15 +399,15 @@ Supported operations include Get, Add, Replace, and Delete.
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
- FQDN - Fully qualified domain name
-- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a **.** to the DNS suffix.
+- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend **.** to the DNS suffix.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
Returns the namespace type. This value can be one of the following:
-- FQDN - If the DomainName was not prepended with a **.** and applies only to the fully qualified domain name (FQDN) of a specified host.
-- Suffix - If the DomainName was prepended with a **.** and applies to the specified namespace, all records in that namespace, and all subdomains.
+- FQDN - If the DomainName was not prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
+- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains.
Value type is chr. Supported operation is Get.
@@ -233,7 +513,7 @@ Specifies the routing policy if an App or Claims type is used in the traffic fil
- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-This is only applicable for App ID based Traffic Filter rules.
+This is only applicable for App ID-based Traffic Filter rules.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -248,7 +528,7 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
@@ -293,7 +573,7 @@ When the DeviceTunnel profile is turned on, it does the following things:
- First, it automatically becomes an "always on" profile.
- Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
-- Third, no other device tunnel profile maybe be present on the same machine.
+- Third, no other device tunnel profile maybe is present on the same machine.-
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
@@ -316,7 +596,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
**VPNv2/**ProfileName**/TrustedNetworkDetection**
-Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -387,7 +667,7 @@ Added in Windows 10, version 1607. Hashes for the VPN Client to look for the co
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
-Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -582,7 +862,7 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute**
-Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index f6b422ce6d..1e0af5deb5 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -17,10 +17,21 @@ ms.date: 06/26/2017
The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device.
-The following diagram shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-
-
-
+The following shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+```
+./Vendor/MSFT
+Win32AppInventory
+----Win32InstalledProgram
+--------InstalledProgram
+------------Name
+------------Publisher
+------------Version
+------------Language
+------------RegKey
+------------Source
+------------MsiProductCode
+------------MsiPackageCode
+```
**./Vendor/MSFT/Win32AppInventory**
The root node for the Win32AppInventory configuration service provider.
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index be248b783d..a3868db287 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -1,6 +1,6 @@
---
title: Win32CompatibilityAppraiser CSP
-description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health.
+description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -16,12 +16,35 @@ manager: dansimp
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, version 1809.
-
-The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format.
-
-
+The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. This CSP was added in Windows 10, version 1809.
+The following shows the Win32CompatibilityAppraiser configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+Win32CompatibilityAppraiser
+----CompatibilityAppraiser
+--------AppraiserConfigurationDiagnosis
+------------CommercialId
+------------CommercialIdSetAndValid
+------------AllTargetOsVersionsRequested
+------------OsSkuIsValidForAppraiser
+------------AppraiserCodeAndDataVersionsAboveMinimum
+------------RebootPending
+--------AppraiserRunResultReport
+----UniversalTelemetryClient
+--------UtcConfigurationDiagnosis
+------------TelemetryOptIn
+------------CommercialDataOptIn
+------------DiagTrackServiceRunning
+------------MsaServiceEnabled
+------------InternetExplorerTelemetryOptIn
+--------UtcConnectionReport
+----WindowsErrorReporting
+--------WerConfigurationDiagnosis
+------------WerTelemetryOptIn
+------------MostRestrictiveSetting
+--------WerConnectionReport
+```
**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 6699a32617..468313fb87 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -15,10 +15,27 @@ manager: dansimp
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
-The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
-
-
-
+The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+WindowsDefenderApplicationGuard
+----Settings
+--------AllowWindowsDefenderApplicationGuard
+--------ClipboardFileType
+--------ClipboardSettings
+--------PrintingSettings
+--------BlockNonEnterpriseContent
+--------AllowPersistence
+--------AllowVirtualGPU
+--------SaveFilesToHost
+--------CertificateThumbprints
+--------AllowCameraMicrophoneRedirection
+----Status
+----PlatformStatus
+----InstallWindowsDefenderApplicationGuard
+----Audit
+--------AuditApplicationGuard
+```
**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
Root node. Supported operation is Get.
@@ -179,14 +196,14 @@ ADMX Info:
**Settings/SaveFilesToHost**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
+- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
@@ -219,6 +236,9 @@ ADMX Info:
- GP ADMX file name: *AppHVSI.admx*
+> [!NOTE]
+> To enforce this policy, device restart or user logon/logoff is required.
+
**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index b46f76e935..9c3bf1705a 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -19,10 +19,27 @@ ms.date: 08/15/2018
The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices.
-The following diagram shows the WindowsLicensing configuration service provider in tree format.
-
-
-
+The following shows the WindowsLicensing configuration service provider in tree format.
+```
+./Vendor/MSFT
+WindowsLicensing
+----UpgradeEditionWithProductKey
+----ChangeProductKey
+----Edition
+----Status
+----UpgradeEditionWithLicense
+----LicenseKeyType
+----CheckApplicability
+----ChangeProductKey (Added in Windows 10, version 1703)
+----Subscriptions (Added in Windows 10, version 1607)
+--------SubscriptionId (Added in Windows 10, version 1607)
+------------Status (Added in Windows 10, version 1607)
+------------Name (Added in Windows 10, version 1607)
+----SMode (Added in Windows 10, version 1809)
+--------SwitchingPolicy (Added in Windows 10, version 1809)
+--------SwitchFromSMode (Added in Windows 10, version 1809)
+--------Status (Added in Windows 10, version 1809)
+```
**./Device/Vendor/MSFT/WindowsLicensing**
This is the root node for the WindowsLicensing configuration service provider.
diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md
index ffd68aa965..8dc07634aa 100644
--- a/windows/client-management/mdm/windowssecurityauditing-csp.md
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@@ -17,10 +17,13 @@ ms.date: 06/26/2017
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
-The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
-
-
-
+The following shows the WindowsSecurityAuditing configuration service provider in tree format.
+```
+./Vendor/MSFT
+WindowsSecurityAuditing
+----ConfigurationSettings
+--------EnableSecurityAuditing
+```
**WindowsSecurityAuditing**
Root node.
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index d4f5426134..ed5591ef9b 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -18,10 +18,26 @@ manager: dansimp
The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809.
-The following diagram shows the WiredNetwork configuration service provider in tree format.
+The following shows the WiredNetwork configuration service provider in tree format.
+```
+./User/Vendor/MSFT
+WiredNetwork
+----LanXML
+----EnableBlockPeriod
-
+./Device/Vendor/MSFT
+WiredNetwork
+----LanXML
+----EnableBlockPeriod
+
+
+./User/Vendor/MSFT
+./Device/Vendor/MSFT
+WiredNetwork
+----LanXML
+----EnableBlockPeriod
+```
**./Device/Vendor/MSFT/WiredNetwork**
Root node.
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index bdb67e2528..959de7db9d 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -35,7 +35,9 @@ Any one of the following factors might cause the stop error:
* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions
-* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
+* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
+
+* If there is a blank GPT entry before the entry of the **Boot** partition
## Troubleshoot this error
@@ -98,15 +100,17 @@ To verify the BCD entries:
If the computer is UEFI-based, here's example output:
- ```cmd
+ ```console
device partition=\Device\HarddiskVolume2
path \EFI\Microsoft\Boot\bootmgfw.efi
```
If the machine is BIOS-based, here's example output:
- ```cmd
+
+ ```console
Device partition=C:
```
+
>[!NOTE]
>This output might not contain a path.
@@ -121,7 +125,9 @@ If any of the information is wrong or missing, we recommend that you create a ba
After the backup completes, run the following command to make the changes:
- Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
+| Turn tamper protection on (or off) for all or part of your organization using Intune Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
+| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
+| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
+| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
+| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
+| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
-2. [View information about tampering attempts](#view-information-about-tampering-attempts).
+## Manage tamper protection for your organization using the Microsoft Defender Security Center
-3. [Review your security recommendations](#review-your-security-recommendations).
+Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
-4. [Browse the frequently asked questions](#view-information-about-tampering-attempts).
+- Currently, the option to manage tamper protection in the Microsoft Defender Security Center is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make this the default method in the near future. (To opt in, in the Microsoft Defender Security Center, choose **Settings** > **Advanced features** > **Tamper protection**.)
-## Turn tamper protection on (or off) for an individual machine
+- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
-> [!NOTE]
-> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
->
-> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
->
-> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
-If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.
+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center.
-1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**.
+### Requirements for managing tamper protection in the Microsoft Defender Security Center
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
-3. Set **Tamper Protection** to **On** or **Off**.
+- Your Windows devices must be running one of the following versions of Windows:
+ - Windows 10
+ - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+ - Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later
+ - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
+ - For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
- Here's what you see in the Windows Security app:
+- Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md).
- 
+- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-## Turn tamper protection on (or off) for your organization using Intune
+- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal.
+### Turn tamper protection on (or off) in the Microsoft Defender Security Center
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+
-1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection:
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
- - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
- - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+2. Choose **Settings**.
-2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
+3. Go to **General** > **Advanced features**, and then turn tamper protection on.
-3. Select **Devices** > **Configuration Profiles**.
+## Manage tamper protection for your organization using Intune
-4. Create a profile that includes the following settings:
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.
+### Requirements for managing tamper protection in Intune
+
+- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
+
+- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
+
+- Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
+
+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
+
+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+
+### Turn tamper protection on (or off) in Intune
+
+
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
+
+2. Select **Devices** > **Configuration Profiles**.
+
+3. Create a profile that includes the following settings:
- **Platform: Windows 10 and later**
-
- **Profile type: Endpoint protection**
-
- **Category: Microsoft Defender Security Center**
-
- **Tamper Protection: Enabled**
- 
-
-5. Assign the profile to one or more groups.
+4. Assign the profile to one or more groups.
### Are you using Windows OS 1709, 1803, or 1809?
-If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
+If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
#### Use PowerShell to determine whether tamper protection is turned on
@@ -132,47 +152,66 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
-## Manage tamper protection with Configuration Manager, version 2006
+## Manage tamper protection for your organization with Configuration Manager, version 2006
-> [!IMPORTANT]
+If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.
+
+
+
+> [!NOTE]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
-If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
-
-1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
-
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
-> If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
-
-
-
-**[Centralized configuration and administration, APIs](management-apis.md)**
\
|
+ | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**
Microsoft Store | Assign
roles | Edit
account | Sign
agreements | View
account |
-| ------------------------| ------ | -------- | ------ | -------| -------- |
-| Billing account owner | X | X | X | X | X |
-| Billing account contributor | | | X | X | X |
-| Billing account reader | | | | | X |
-| Signatory | | | | X | X |
+| | Admin | Purchaser | Device Guard signer |
+| ------------------------------ | ------ | -------- | ------------------- |
+| Assign roles | X | | |
+| Manage Microsoft Store for Business and Education settings | X | | |
+| Acquire apps | X | X | |
+| Distribute apps | X | X | |
+| Sign policies and catalogs | X | | |
+| Sign Device Guard changes | X | | X |
-
-## Purchasing roles and permissions
-There are also a set of roles for purchasing and managing items bought.
-This table lists the roles and their permissions.
-
-| Role | Buy from
Microsoft Store | Manage all items | Manage items
I buy |
-| ------------| ------ | -------- | ------ |
-| Purchaser | X | X | |
-| Basic purchaser | X | | X |
-
-## Assign roles
**To assign roles to people**
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
+1. Sign in to Microsoft Store for Business or Microsoft Store for Education.
>[!Note]
- >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.
-
-2. Select **Manage**, and then select **Permissions**.
-3. On **Roles**, or **Purchasing roles**, select **Assign roles**.
-4. Enter a name, choose the role you want to assign, and select **Save**.
- If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
+ >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page.
+
+ To assign roles, you need to be a Global Administrator or a Store Administrator.
+
+2. Click **Settings**, and then choose **Permissions**.
+
+ OR
+
+ Click **Manage**, and then click **Permissions** on the left-hand menu.
+
+
+
+3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**.
+
+
+
+4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
\ No newline at end of file
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 68548aeb8b..1ee40ab070 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -3,16 +3,16 @@ title: Sign up and get started (Windows 10)
description: IT admins can sign up for the Microsoft Store for Business or Microsoft Store for Education and get started working with apps.
ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/03/2019
+ms.date: 03/10/2021
---
# Sign up and get started
@@ -24,13 +24,15 @@ ms.date: 10/03/2019
IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
## In this section
| Topic | Description |
| ----- | ----------- |
| [Microsoft Store for Business and Education overview](windows-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
| [Prerequisites for Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) | There are a few prerequisites for using Microsoft Store for Business and Education.](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) |
-| [Sign up for Microsoft Store for Business or Microsoft Store for Education](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business) | Before you sign up for Store for Business and Education, at a minimum, you'll need an Azure Active Directory (AD) or Office 365 account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD or Office 365 account and directory as part of the sign up process. |
| [Roles and permissions in Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/roles-and-permissions-microsoft-store-for-business)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
| [Settings reference: Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/settings-reference-microsoft-store-for-business) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |
diff --git a/store-for-business/sign-up-microsoft-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md
deleted file mode 100644
index 42f4df57b1..0000000000
--- a/store-for-business/sign-up-microsoft-store-for-business.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Sign up for Microsoft Store for Business or Microsoft Store for Education (Windows 10)
-description: Before you sign up for Microsoft Store for Business or Microsoft Store for Education, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization.
-ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12
-ms.reviewer:
-manager: dansimp
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
-ms.topic: conceptual
-ms.localizationpriority: medium
-ms.date: 10/17/2017
----
-
-# Sign up for Microsoft Store for Business or Microsoft Store for Education
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-Before you sign up for Microsoft Store for Business or Microsoft Store for Education, you'll need an Azure Active Directory (AD) or Office 365 account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Microsoft Store for Business or Microsoft Store for Education. If not, we'll help you create an Azure AD or Office 365 account and directory as part of the sign up process.
-
-## Sign up for Microsoft Store
-
-
-Before signing up for Microsoft Store, make sure you're the global administrator for your organization.
-
-**To sign up for Microsoft Store**
-
-1. Go to [https://www.microsoft.com/business-store](https://www.microsoft.com/business-store), or [https://www.microsoft.com/education-store](https://www.microsoft.com/education-store) and click **Sign up**.
-
- - If you start Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome).
-
-
-
- - If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
-
- 
-
- **To sign up for Azure AD accounts through Office 365 for Business**
-
- - Signing up for Microsoft Store will create an Azure AD directory and global administrator account for you. There are just a few steps.
-
- Step 1: About you.
-
- Type the required info and click **Next.**
-
- 
-
- - Step 2: Create an ID.
-
- We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
-
- 
-
- - Step 3: You're in.
-
- Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
-
- 
-
- - Verification.
-
- Type your verification code and click **Create my account**.
-
- 
-
- - Save this info.
-
- Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
-
- 
-
- - At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
-
-2. Sign in with your Azure AD account.
-
- 
-
-3. Read through and accept Microsoft Store for Business and Education terms.
-
-4. Welcome to the Store for Business. Click **Next** to continue.
-
- 
-
-## Next steps
-
-After signing up for Microsoft Store for Business or Microsoft Store for Education, you can:
-
-- **Add users to your Azure AD directory**. If you created your Azure AD directory during sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store in Store app. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
-- **Assign roles to employees**. For more information, see [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md).
-
-
-
-
-
-
-
-
-
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 9df4554e37..3f6ef46e23 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -40,7 +40,16 @@
"depot_name": "MSDN.win-access-protection",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index abbb5fac56..460b8ecfdd 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -44,7 +44,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Application Management"
+ "titleSuffix": "Windows Application Management",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ce50bd2b54..ff1064cbbf 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -86,14 +86,14 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
The following is a high-level view of the main wifi components in Windows.
-
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index c81879ba3f..694a7e8b07 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -46,7 +46,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Client Management"
+ "titleSuffix": "Windows Client Management",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 211519bdec..68d135449d 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -16,7 +16,6 @@ ms.topic: article
# Create mandatory user profiles
**Applies to**
-
- Windows 10
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
@@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
- > 
+ > 
>
> Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@@ -86,20 +85,24 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
- 
+
+ 
1. In **Copy To**, under **Permitted to use**, click **Change**.
- 
+ 
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
+
+ 
+
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
1. Click **OK** to copy the default user profile.
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 3675333e76..149457d576 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -159,16 +159,16 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
-#### [Policy DDF file](policy-ddf-file.md)
-#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
-#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
-#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
-#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
-#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
+#### [Policy CSP DDF file](policy-ddf-file.md)
+#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
+#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
+#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
+#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
@@ -203,6 +203,7 @@
#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
#### [ADMX_EventLog](policy-csp-admx-eventlog.md)
#### [ADMX_Explorer](policy-csp-admx-explorer.md)
+#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
#### [ADMX_FileSys](policy-csp-admx-filesys.md)
#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
@@ -266,6 +267,7 @@
#### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md)
#### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md)
#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md)
+#### [ADMX_WindowsFileProtection](policy-csp-admx-windowsfileprotection.md)
#### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md)
#### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md)
#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 455f749b5b..498abd7018 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
-# Accounts CSP
+# Accounts Configuration Service Provider
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
-The following diagram shows the Accounts configuration service provider in tree format.
+The following shows the Accounts configuration service provider in tree format.
-
+```
+./Device/Vendor/MSFT
+Accounts
+----Domain
+--------ComputerName
+----Users
+--------UserName
+------------Password
+------------LocalUserGroup
+```
**./Device/Vendor/MSFT/Accounts**
Root node.
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 37f6157570..927e9b9e0a 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -19,8 +19,8 @@ The ActiveSync configuration service provider is used to set up and change setti
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
-> **Note**
-The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> [!NOTE]
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
@@ -28,15 +28,45 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th
-The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-
+```
+./Vendor/MSFT
+ActiveSync
+----Accounts
+--------Account GUID
+------------EmailAddress
+------------Domain
+------------AccountIcon
+------------AccountType
+------------AccountName
+------------Password
+------------ServerName
+------------UserName
+------------Options
+----------------CalendarAgeFilter
+----------------Logging
+----------------MailBodyType
+----------------MailHTMLTruncation
+----------------MailPlainTextTruncation
+----------------Schedule
+----------------UseSSL
+----------------MailAgeFilter
+----------------ContentTypes
+--------------------Content Type GUID
+------------------------Enabled
+------------------------Name
+------------Policies
+----------------MailBodyType
+----------------MaxMailAgeFilter
+
+```
**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
-> **Note**
-The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> [!NOTE]
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
@@ -231,10 +261,10 @@ Valid values are one of the following:
**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
-> **Note** In Windows 10, this node is currently not working.
+> [!NOTE]
+> In Windows 10, this node is currently not working.
-
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index e4d45bd4fd..3dfd62f711 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -17,8 +17,8 @@ ms.date: 06/26/2017
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
-> **Note**
-The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
+> [!NOTE]
+> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
@@ -26,9 +26,37 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
-The following diagram shows the AllJoynManagement configuration service provider in tree format
+The following shows the AllJoynManagement configuration service provider in tree format
-
+```
+./Vendor/MSFT
+AllJoynManagement
+----Configurations
+--------ServiceID
+------------Port
+----------------PortNum
+--------------------ConfigurableObjects
+------------------------CfgObjectPath
+----Credentials
+--------ServiceID
+------------Key
+----Firewall
+--------PublicProfile
+--------PrivateProfile
+----Services
+--------ServiceID
+------------AppId
+------------DeviceId
+------------AppName
+------------Manufacturer
+------------ModelNumber
+------------Description
+------------SoftwareVersion
+------------AJSoftwareVersion
+------------HardwareVersion
+----Options
+--------QueryIdleTime
+```
The following list describes the characteristics and parameters.
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 2c64c89cd9..5bfdda98df 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,6 +1,6 @@
---
title: ApplicationControl CSP
-description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
+description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.topic: article
@@ -16,10 +16,33 @@ ms.date: 09/10/2020
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
-The following diagram shows the ApplicationControl CSP in tree format.
-
-
+The following shows the ApplicationControl CSP in tree format.
+```
+./Vendor/MSFT
+ApplicationControl
+----Policies
+--------Policy GUID
+------------Policy
+------------PolicyInfo
+----------------Version
+----------------IsEffective
+----------------IsDeployed
+----------------IsAuthorized
+----------------Status
+----------------FriendlyName
+------------Token
+----------------TokenID
+----Tokens
+--------ID
+------------Token
+------------TokenInfo
+----------------Status
+------------PolicyIDs
+----------------Policy GUID
+----TenantID
+----DeviceID
+```
**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@@ -99,7 +122,7 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
-`*` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
+\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
@@ -117,7 +140,7 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
-For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
+For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
@@ -125,11 +148,11 @@ In order to leverage the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `
The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. 
The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:
+ The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks 
The Media Specific Module (MSM) handles security aspects of connection being established. 
The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. 
Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. The Media Specific Module (MSM) handles security aspects of connection being established. The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
@@ -313,25 +359,22 @@ You can get the publisher name and product name of apps using a web API.
-
-
-~~~
Here is the example for Microsoft OneNote:
Request
-``` syntax
+```http
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata
```
Result
-``` syntax
+```json
{
"packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",
@@ -339,7 +382,6 @@ Result
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
-~~~
-
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
+
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
@@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A
Here's an example URL.
-```console
+```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@@ -647,7 +660,7 @@ Alert sample:
## Determine when a user is logged in through polling
-An alert is send to the MDM server in DM package\#1.
+An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
@@ -925,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
-
-
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 03a48da95f..3db06e4963 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -16,7 +16,8 @@ manager: dansimp
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
-> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
+> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
+>
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
@@ -24,11 +25,29 @@ the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
-The following diagram shows the BitLocker configuration service provider in tree format.
-
-
-
-
+The following shows the BitLocker configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+BitLocker
+----RequireStorageCardEncryption
+----RequireDeviceEncryption
+----EncryptionMethodByDriveType
+----SystemDrivesRequireStartupAuthentication
+----SystemDrivesMinimumPINLength
+----SystemDrivesRecoveryMessage
+----SystemDrivesRecoveryOptions
+----FixedDrivesRecoveryOptions
+----FixedDrivesRequireEncryption
+----RemovableDrivesRequireEncryption
+----AllowWarningForOtherDiskEncryption
+----AllowStandardUserEncryption
+----ConfigureRecoveryPasswordRotation
+----RotateRecoveryPasswords
+----Status
+--------DeviceEncryptionStatus
+--------RotateRecoveryPasswordsStatus
+--------RotateRecoveryPasswordsRequestID
+```
**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
@@ -225,18 +244,18 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
If you want to disable this policy use the following SyncML:
```xml
-
-
-
@@ -486,14 +496,14 @@ Adding a host-based mapping policy:
-
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index df773dcb43..3a5cc913a6 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -17,8 +17,8 @@ ms.date: 06/26/2017
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
-> **Note**
-This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
@@ -28,10 +28,20 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
-The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
-
-
-
+The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
+```
+./Vendor/MSFT
+CMPolicy
+----PolicyName
+--------SID
+--------ClientType
+--------Host
+--------OrderedConnections
+--------Connections
+------------ConnXXX
+----------------ConnectionID
+----------------Type
+```
***policyName***
Defines the name of the policy.
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 17b165ed51..2645a75e3f 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -15,11 +15,18 @@ ms.date: 06/26/2017
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
-The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
-> **Note** This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
+> [!NOTE]
+> This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
-
+```
+./Vendor/MSFT
+CustomDeviceUI
+----StartupAppID
+----BackgroundTasksToLaunch
+--------BackgroundTaskPackageName
+```
**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 37205534c5..8a3242f3d3 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -20,10 +20,49 @@ ms.date: 08/11/2020
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
-The following image shows the Windows Defender configuration service provider in tree format.
-
-
-
+The following shows the Windows Defender configuration service provider in tree format.
+```
+./Vendor/MSFT
+Defender
+----Detections
+--------ThreatId
+------------Name
+------------URL
+------------Severity
+------------Category
+------------CurrentStatus
+------------ExecutionStatus
+------------InitialDetectionTime
+------------LastThreatStatusChangeTime
+------------NumberOfDetections
+----Health
+--------ProductStatus (Added in Windows 10 version 1809)
+--------ComputerState
+--------DefenderEnabled
+--------RtpEnabled
+--------NisEnabled
+--------QuickScanOverdue
+--------FullScanOverdue
+--------SignatureOutOfDate
+--------RebootRequired
+--------FullScanRequired
+--------EngineVersion
+--------SignatureVersion
+--------DefenderVersion
+--------QuickScanTime
+--------FullScanTime
+--------QuickScanSigVersion
+--------FullScanSigVersion
+--------TamperProtectionEnabled (Added in Windows 10, version 1903)
+--------IsVirtualMachine (Added in Windows 10, version 1903)
+----Configuration (Added in Windows 10, version 1903)
+--------TamperProetection (Added in Windows 10, version 1903)
+--------EnableFileHashcomputation (Added in Windows 10, version 1903)
+--------SupportLogLocation (Added in the next major release of Windows 10)
+----Scan
+----UpdateSignature
+----OfflineScan (Added in Windows 10 version 1803)
+```
**Detections**
An interior node to group all threats detected by Windows Defender.
@@ -410,6 +449,46 @@ Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
+**Configuration/DisableCpuThrottleOnIdleScans**
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/MeteredConnectionUpdates**
+Allow managed devices to update through metered connections. Data charges may apply.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/AllowNetworkProtectionOnWinServer**
+This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/ExclusionIpAddress**
+Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+
+The data type is string.
+
+Supported operations are Add, Delete, Get, Replace.
+
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 11ab51bf9e..5337bb0cfd 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -21,10 +21,43 @@ The DevDetail configuration service provider handles the management object which
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
-
-
-
+The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
+```
+.
+DevDetail
+----URI
+--------MaxDepth
+--------MaxTotLen
+--------MaxSegLen
+----DevTyp
+----OEM
+----FwV
+----SwV
+----HwV
+----LrgObj
+----Ext
+--------Microsoft
+------------MobileID
+------------RadioSwV
+------------Resolution
+------------CommercializationOperator
+------------ProcessorArchitecture
+------------ProcessorType
+------------OSPlatform
+------------LocalTime
+------------DeviceName
+------------DNSComputerName (Added in Windows 10, version 2004)
+------------TotalStorage
+------------TotalRAM
+------------SMBIOSSerialNumber (Added in Windows 10, version 1809)
+--------WLANMACAddress
+--------VoLTEServiceSetting
+--------WlanIPv4Address
+--------WlanIPv6Address
+--------WlanDnsSuffix
+--------WlanSubnetMask
+--------DeviceHardwareData (Added in Windows 10, version 1703)
+```
**DevTyp**
Required. Returns the device model name /SystemProductName as a string.
@@ -143,8 +176,10 @@ The following are the available naming macros:
Value type is string. Supported operations are Get and Replace.
-> [!Note]
-> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer"s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
+> [!NOTE]
+> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
+
+On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
@@ -215,6 +250,3 @@ Supported operation is Get.
-
-
-
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 40e1d4d82e..382d2d379a 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -19,10 +19,21 @@ The DeveloperSetup configuration service provider (CSP) is used to configure Dev
> [!NOTE]
> The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM.
-The following diagram shows the DeveloperSetup configuration service provider in tree format.
-
-
-
+The following shows the DeveloperSetup configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+DeveloperSetup
+----EnableDeveloperMode
+----DevicePortal
+--------Authentication
+------------Mode
+------------BasicAuth
+----------------Username
+----------------Password
+--------Connection
+------------HttpPort
+------------HttpsPort
+```
**DeveloperSetup**
The operation cost of running one or more instances of Server 2016 on-premises.
- Device Health Attestation - Enterprise Managed Cloud
-Device Health Attestation - Enterprise-Managed Cloud
+
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
| [Defender CSP](defender-csp.md) | Added the following new nodes:
- Health/TamperProtectionEnabled
- Health/IsVirtualMachine
- Configuration
- Configuration/TamperProtection
- Configuration/EnableFileHashComputation |
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 4dc66d86e1..36b4ce6de1 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -266,6 +266,7 @@ ms.date: 10/08/2020
- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
+- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
@@ -1296,6 +1297,10 @@ ms.date: 10/08/2020
- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption)
- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary)
- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch)
+- [ADMX_WindowsFileProtection/WFPShowProgress](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpshowprogress)
+- [ADMX_WindowsFileProtection/WFPQuota](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpquota)
+- [ADMX_WindowsFileProtection/WFPScan](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpscan)
+- [ADMX_WindowsFileProtection/WFPDllCacheDir](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpdllcachedir)
- [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline)
- [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings)
- [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings)
@@ -1379,7 +1384,7 @@ ms.date: 10/08/2020
- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
@@ -1393,12 +1398,12 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 09c680512c..14a994d0a3 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -137,7 +137,7 @@ ms.date: 07/18/2019
- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
@@ -220,12 +220,12 @@ ms.date: 07/18/2019
- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
@@ -731,7 +731,6 @@ ms.date: 07/18/2019
- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index f3143ed222..e19d3350a5 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -16,7 +16,6 @@ ms.date: 09/16/2019
> [!div class="op_single_selector"]
>
-> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
> - [IoT Core](policy-csps-supported-by-iot-core.md)
>
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md
deleted file mode 100644
index afb79c5bfe..0000000000
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Policies in Policy CSP supported by Windows 10 IoT Enterprise
-description: Policies in Policy CSP supported by Windows 10 IoT Enterprise
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies in Policy CSP supported by Windows 10 IoT Enterprise
-
-> [!div class="op_single_selector"]
->
-> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
-> - [IoT Core](policy-csps-supported-by-iot-core.md)
->
-
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection)
-
-## Related topics
-
-[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 8bfdfd90cc..071df833d0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1053,6 +1053,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_FileRecovery policies
+
+
### ADMX_FileServerVSSProvider policies
+### ADMX_WindowsFileProtection policies
+
+
@@ -7571,9 +7578,6 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
### WindowsInkWorkspace policies
@@ -8563,7 +8584,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
## Policies in Policy CSP supported by Windows 10 IoT
-- [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
- [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
## Policies in Policy CSP supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index 38d15714d4..2b4c414ae7 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -106,14 +106,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index 650e2497ae..0c6e0067ac 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -941,14 +941,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
index a2a770794d..b626e67721 100644
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -731,14 +731,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 44f5d6b6f7..086c0dafc1 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -108,13 +108,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index 8dcf16d88f..6d76bd5f74 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -325,14 +325,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
index e43001ae9c..895402efef 100644
--- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -409,14 +409,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
index 62b80d6108..2564a91801 100644
--- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -106,14 +106,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index b5f4b7b748..35597b677e 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -1088,14 +1088,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index 232b4fdce7..e8a57b01bf 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -190,14 +190,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index 152e8d9044..aaaa28a510 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -184,14 +184,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index 8ae99cefe3..4a340834f9 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -350,13 +350,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index 48dc02d6db..a03950bfdc 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1813,13 +1813,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
index 9517dbfe30..d198e617ff 100644
--- a/windows/client-management/mdm/policy-csp-admx-cpls.md
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -104,14 +104,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
index 1dcc21ec35..dcaa5fa29f 100644
--- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
@@ -256,14 +256,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
index 4b830deeb7..7cf1e14d14 100644
--- a/windows/client-management/mdm/policy-csp-admx-credssp.md
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -956,14 +956,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
index 9247d038a8..cf430cc22f 100644
--- a/windows/client-management/mdm/policy-csp-admx-credui.md
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -172,14 +172,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
index c4ed633cb6..7ec6bdd7bc 100644
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -326,14 +326,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index 06baf9787a..b550db06f6 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -101,14 +101,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md
index 3cabf5f777..8c3fd1a932 100644
--- a/windows/client-management/mdm/policy-csp-admx-desktop.md
+++ b/windows/client-management/mdm/policy-csp-admx-desktop.md
@@ -2170,14 +2170,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
index 5f9d502f36..69e459d10c 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -607,13 +607,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
index 77264647f1..5da6627e8f 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
@@ -175,14 +175,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
index b2b311f5a1..08a7dab278 100644
--- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -177,14 +177,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 5176ac1024..9aba6d0482 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1712,14 +1712,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
index e03d29b3c1..71f9b3638f 100644
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -478,14 +478,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md
index 433116e5de..b56ce8c52a 100644
--- a/windows/client-management/mdm/policy-csp-admx-eaime.md
+++ b/windows/client-management/mdm/policy-csp-admx-eaime.md
@@ -958,14 +958,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
index 82b82ab53f..1dd5a4e6cb 100644
--- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
index 4e1cf740ae..7e217f1364 100644
--- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
@@ -463,14 +463,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
index a220ae0692..5f3fc5e33b 100644
--- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@@ -2189,14 +2189,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
index 985a4580ad..449bed0b21 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -187,14 +187,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
index 97b2384e47..ea4b084c38 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlog.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -1575,14 +1575,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index 31c5d764fb..da74235b97 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -388,13 +388,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
index 382e791fa8..124a5759b8 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -19,8 +19,6 @@ manager: dansimp
-## ADMX_FileRecovery
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:
-- Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery behavior for all corrupted files.
-- Silent: Detection, troubleshooting, and recovery of corrupted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is recommended for headless operation.
-- Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically.
-
-Windows will log an administrator event with instructions if manual recovery is possible.
-- If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state.
-- If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.
-
-If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior.
-No system or service restarts are required for changes to this policy to take immediate effect after a Group Policy refresh.
-
-> [!NOTE]
-> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state.
-
-When the service is stopped or disabled, system file recovery will not be attempted.
-The DPS can be configured with the Services snap-in to the Microsoft Management Console.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
@@ -105,9 +84,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
ADMX Info:
-- GP English name: *Configure Corrupted File Recovery behavior*
-- GP name: *WdiScenarioExecutionPolicy*
-- GP path: *System\Troubleshooting and Diagnostics\Corrupted File Recovery*
- GP ADMX file name: *FileRecovery.admx*
@@ -116,14 +92,5 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
index 97a0885008..a1b52fa8fd 100644
--- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
+++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
@@ -104,14 +104,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index aadede45cf..768b9ea68d 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -575,14 +575,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
index 97576c4d96..c1b7ee3ab0 100644
--- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md
+++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
@@ -557,14 +557,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
index ad421c4633..4a4c00cd36 100644
--- a/windows/client-management/mdm/policy-csp-admx-globalization.md
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -1884,13 +1884,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
index 5ee096c63f..1b089bd628 100644
--- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
@@ -3399,13 +3399,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md
index 9f96bb2c16..3b42429ea9 100644
--- a/windows/client-management/mdm/policy-csp-admx-help.md
+++ b/windows/client-management/mdm/policy-csp-admx-help.md
@@ -18,7 +18,7 @@ manager: dansimp
-
+
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
index 50be68bfc6..ca46354852 100644
--- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -318,14 +318,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
index 9c053a6a02..63e72f5539 100644
--- a/windows/client-management/mdm/policy-csp-admx-icm.md
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -1977,14 +1977,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
index baaaa464b2..ec9b9e660a 100644
--- a/windows/client-management/mdm/policy-csp-admx-kdc.md
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -504,14 +504,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
index 594a97bf72..7f36359852 100644
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -628,14 +628,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
index bf08d08f1b..74d7cb2b32 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -367,15 +367,15 @@ ADMX Info:
Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
index d3c1dfcd54..96da8caef4 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
@@ -272,13 +272,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
index f36c218e89..d8eee0b351 100644
--- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -177,14 +177,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md
index 1c04d119eb..b463924f33 100644
--- a/windows/client-management/mdm/policy-csp-admx-logon.md
+++ b/windows/client-management/mdm/policy-csp-admx-logon.md
@@ -1194,14 +1194,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 5862dadff7..619444116c 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -3223,9 +3223,11 @@ ADMX Info:
-
+
+
**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts**
+
@@ -3356,7 +3358,8 @@ ADMX Info:
-
+
+
**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**
@@ -4249,7 +4252,11 @@ ADMX Info:
-**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
+
+
@@ -6135,7 +6142,9 @@ ADMX Info:
-**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
+
+
@@ -6839,14 +6848,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
index e51d3bfcb5..dc9f501685 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmc.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -432,14 +432,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
index 2190dbabeb..dcbb289b4b 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -8437,14 +8437,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index 7a9e6a5a84..3532d29c56 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md
index fc45989368..c5cb159658 100644
--- a/windows/client-management/mdm/policy-csp-admx-msched.md
+++ b/windows/client-management/mdm/policy-csp-admx-msched.md
@@ -178,14 +178,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md
index c22b9c6437..e6ab53acce 100644
--- a/windows/client-management/mdm/policy-csp-admx-msdt.md
+++ b/windows/client-management/mdm/policy-csp-admx-msdt.md
@@ -275,14 +275,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
index 948a93babd..3e2094f298 100644
--- a/windows/client-management/mdm/policy-csp-admx-msi.md
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -1862,13 +1862,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index da9eca2118..aaa011b575 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -613,14 +613,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 68f54caf09..2dc203705f 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -508,14 +508,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index a01bbd5c4d..45405c7cc2 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -2755,14 +2755,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
index b2d54403e7..7e542154a7 100644
--- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md
+++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
@@ -2187,13 +2187,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index 1a170d2024..27b56e21e6 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -3691,14 +3691,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
index 54b15aabfb..ed16a33a35 100644
--- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
+++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
@@ -793,13 +793,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
index fe3507834c..0e39a89004 100644
--- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
+++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
@@ -349,14 +349,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index c8d950a87f..3d1a58a8f1 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -1869,14 +1869,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
index 7113d20ba1..5880faae13 100644
--- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
@@ -339,13 +339,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index 628d572650..e97cb3df92 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -2015,13 +2015,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
index 817a528bac..8ce369426a 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing2.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md
@@ -729,13 +729,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index 97697da52b..d7e0d1fec9 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -555,14 +555,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md
index 5db45b394d..398c939856 100644
--- a/windows/client-management/mdm/policy-csp-admx-reliability.md
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md
@@ -348,14 +348,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
index 6d1135eab4..692487c12d 100644
--- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
@@ -193,13 +193,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
index eaa2b417ff..6a9c3b8bfa 100644
--- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
@@ -2316,13 +2316,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index 2421a28191..4c77e82fa2 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -377,14 +377,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 1a7df80d7f..56b8fa10a1 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -972,14 +972,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index bc7b4bc48a..dca614dec2 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -247,14 +247,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index 5016dd12b2..7590b70934 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -113,14 +113,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md
index 00ff56dafe..66a0fdf6d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-sensors.md
+++ b/windows/client-management/mdm/policy-csp-admx-sensors.md
@@ -389,13 +389,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index c2738859de..af834f2656 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
index 42b649433b..53ca6431fc 100644
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -693,14 +693,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index 365e67295a..a9749a346b 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -179,14 +179,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md
index 92d7458cc6..42e13cdd7d 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@@ -100,14 +100,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
index 70b33efe0d..58d1a90759 100644
--- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
+++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
@@ -335,14 +335,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md
index 5580f6e4e4..e42d009528 100644
--- a/windows/client-management/mdm/policy-csp-admx-skydrive.md
+++ b/windows/client-management/mdm/policy-csp-admx-skydrive.md
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index 67c2a2ea26..b75b3b086d 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -1216,14 +1216,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index 4cdc53625c..8b1a15bdca 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -277,14 +277,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
index 09955c429e..2c16014c48 100644
--- a/windows/client-management/mdm/policy-csp-admx-startmenu.md
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -4998,13 +4998,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
index 41c38ffa9f..70b84425c0 100644
--- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md
+++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
@@ -107,14 +107,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
index d7177153a7..bff61dc5f1 100644
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -1650,14 +1650,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
index 403e0686e1..3cd6999994 100644
--- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
+++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
@@ -998,14 +998,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index 9aabebdc8b..73f6ca56cd 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -251,14 +251,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md
index da8e499dae..d12a0686f7 100644
--- a/windows/client-management/mdm/policy-csp-admx-tpm.md
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md
@@ -790,14 +790,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index b82218ed41..7f23f18d6f 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -9463,14 +9463,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index 3f00b44db1..dcc45e4c5e 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -643,13 +643,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md
index 0afeb2cfc3..37697fb185 100644
--- a/windows/client-management/mdm/policy-csp-admx-w32time.md
+++ b/windows/client-management/mdm/policy-csp-admx-w32time.md
@@ -416,14 +416,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md
index 0590f12265..0c5ea22e12 100644
--- a/windows/client-management/mdm/policy-csp-admx-wcm.md
+++ b/windows/client-management/mdm/policy-csp-admx-wcm.md
@@ -259,14 +259,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md
index d5aba0a18f..399309047c 100644
--- a/windows/client-management/mdm/policy-csp-admx-wincal.md
+++ b/windows/client-management/mdm/policy-csp-admx-wincal.md
@@ -179,14 +179,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
index c0b49d9fae..efff151d08 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
@@ -102,14 +102,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
index bec9255c05..086405efd2 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
@@ -251,14 +251,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index c293e80086..004f66dae4 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -5355,13 +5355,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
new file mode 100644
index 0000000000..610f1840b9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
@@ -0,0 +1,357 @@
+---
+title: Policy CSP - ADMX_WindowsFileProtection
+description: Policy CSP - ADMX_WindowsFileProtection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 01/03/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsFileProtection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WindowsFileProtection policies
+
+
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPShowProgress**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+ 
+
+Pro
+
+
+Business
+
+
+Enterprise
+ 
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it might confuse the users.
+
+- If you enable this policy setting, the file scan window does not appear during file scanning.
+- If you disable or do not configure this policy setting, the file scan progress window appears.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the file scan progress window*
+- GP name: *WFPShowProgress*
+- GP path: *Windows File Protection!SfcShowProgress*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPQuota**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache.
+Windows File Protection adds protected files to the cache until the cache content reaches the quota.
+If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota.
+
+- If you enable this policy setting, enter the maximum amount of disk space to be used (in MB).
+To indicate that the cache size is unlimited, select "4294967295" as the maximum amount of disk space.
+
+- If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.
+> [!NOTE]
+> Icon size is dependent upon what the user has set it to in the previous session.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit Windows File Protection cache size*
+- GP name: *WFPQuota*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPScan**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set when Windows File Protection scans protected files.
+This policy setting directs Windows File Protection to enumerate and scan all system files for changes.
+
+- If you enable this policy setting, select a rate from the "Scanning Frequency" box.
+You can use this setting to direct Windows File Protection to scan files more often.
+-- "Do not scan during startup," the default, scans files only during setup.
+-- "Scan during startup" also scans files each time you start Windows XP.
+This setting delays each startup.
+
+- If you disable or do not configure this policy setting, by default, files are scanned only during setup.
+
+> [!NOTE]
+> This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Windows File Protection scanning*
+- GP name: *WFPScan*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPDllCacheDir**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies an alternate location for the Windows File Protection cache.
+
+- If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box.
+- If you disable this setting or do not configure it, the Windows File Protection cache is located in the "%Systemroot%\System32\Dllcache directory".
+
+> [!NOTE]
+> Do not add the cache on a network shared directory.
+
+
+> [!NOTE]
+> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
+
+If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored.
+
+> [!NOTE]
+> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.
+>
+> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify Windows File Protection cache location*
+- GP name: *WFPDllCacheDir*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
index 0fa4658ba7..66570c3061 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
index 22acf9fa38..f0273482cf 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
@@ -1601,14 +1601,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
index 317228c066..dc7bcf1f15 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
@@ -172,13 +172,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
index 7be8a731e7..cec2e2bd4f 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@@ -397,13 +397,13 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index 9e17ae7971..93d25c2f1e 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -245,14 +245,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
index 26187fd26d..f1998bb579 100644
--- a/windows/client-management/mdm/policy-csp-admx-winlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -481,13 +481,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
index 0ca862b038..c66f4a6598 100644
--- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
@@ -247,14 +247,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
index 863f094564..7e7e4ee561 100644
--- a/windows/client-management/mdm/policy-csp-admx-wpn.md
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -477,13 +477,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index d2c9190e0b..e65609226d 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -177,6 +177,10 @@ ms.localizationpriority: medium
+
+**Browser/SuppressEdgeDeprecationNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls.
+By default, a notification will be presented to the user informing them of this upon application startup.
+With this policy, you can either allow (default) or suppress this notification.
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+
+ADMX Info:
+- GP English name: *Suppress Edge Deprecation Notification*
+- GP name: *SuppressEdgeDeprecationNotification*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Supported values:
+
+- 0 (default) – Allowed. Notification will be shown at application startup.
+- 1 – Prevented/not allowed.
+
+
**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 503ee130bc..9e0b691757 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -8,18 +8,16 @@ ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: dansimp
---
# Policy CSP - Connectivity
-
-
-## Connectivity policies
+## Connectivity policies
-**Connectivity/AllowBluetooth**
+**Connectivity/AllowBluetooth**
@@ -136,7 +134,7 @@ The following list shows the supported values:
-**Connectivity/AllowCellularData**
+**Connectivity/AllowCellularData**
@@ -195,7 +193,7 @@ The following list shows the supported values:
-**Connectivity/AllowCellularDataRoaming**
+**Connectivity/AllowCellularDataRoaming**
@@ -244,7 +242,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP English name: *Prohibit connection to roaming Mobile Broadband networks*
- GP name: *WCM_DisableRoaming*
- GP path: *Network/Windows Connection Manager*
@@ -274,7 +272,7 @@ To validate on mobile devices, do the following:
-**Connectivity/AllowConnectedDevices**
+**Connectivity/AllowConnectedDevices**
@@ -335,7 +333,7 @@ The following list shows the supported values:
-**Connectivity/AllowPhonePCLinking**
+**Connectivity/AllowPhonePCLinking**
@@ -385,20 +383,20 @@ If you do not configure this policy setting, the default behavior depends on the
-ADMX Info:
+ADMX Info:
- GP name: *enableMMX*
- GP ADMX file name: *grouppolicy.admx*
-This setting supports a range of values between 0 and 1.
+This setting supports a range of values between 0 and 1.
- 0 - Do not link
- 1 (default) - Allow phone-PC linking
-Validation:
+Validation:
If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
@@ -410,7 +408,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
-**Connectivity/AllowUSBConnection**
+**Connectivity/AllowUSBConnection**
@@ -475,7 +473,7 @@ The following list shows the supported values:
-**Connectivity/AllowVPNOverCellular**
+**Connectivity/AllowVPNOverCellular**
@@ -535,7 +533,7 @@ The following list shows the supported values:
-**Connectivity/AllowVPNRoamingOverCellular**
+**Connectivity/AllowVPNRoamingOverCellular**
@@ -595,7 +593,7 @@ The following list shows the supported values:
-**Connectivity/DiablePrintingOverHTTP**
+**Connectivity/DisablePrintingOverHTTP**
@@ -652,14 +650,14 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP path: *Internet Communication settings*
@@ -671,7 +669,7 @@ ADMX Info:
-**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
@@ -726,14 +724,14 @@ If you disable or do not configure this policy setting, users can download print
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP path: *Internet Communication settings*
@@ -745,7 +743,7 @@ ADMX Info:
-**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
@@ -800,14 +798,14 @@ See the documentation for the web publishing and online ordering wizards for mor
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP path: *Internet Communication settings*
@@ -819,7 +817,7 @@ ADMX Info:
-**Connectivity/DisallowNetworkConnectivityActiveTests**
+**Connectivity/DisallowNetworkConnectivityActiveTests**
@@ -868,7 +866,7 @@ Value type is integer.
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off Windows Network Connectivity Status Indicator active tests*
- GP name: *NoActiveProbe*
- GP path: *Internet Communication settings*
@@ -880,7 +878,7 @@ ADMX Info:
-**Connectivity/HardenedUNCPaths**
+**Connectivity/HardenedUNCPaths**
@@ -929,14 +927,14 @@ If you enable this policy, Windows only allows access to the specified UNC paths
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
@@ -948,7 +946,7 @@ ADMX Info:
-**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
@@ -1001,14 +999,14 @@ If you disable this setting or do not configure it, the user will be able to cre
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
@@ -1016,6 +1014,7 @@ ADMX Info:
+
Footnotes:
@@ -1028,6 +1027,6 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 2009.
-
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 2cde160250..5844d94ceb 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -5,9 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
+author: dansimp
ms.localizationpriority: medium
-ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
@@ -77,10 +76,12 @@ manager: dansimp
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
-Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
+
+> [!NOTE]
+> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
The following list shows the supported values:
@@ -128,4 +129,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 24c7b04cbf..ba86d69fad 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -22,28 +22,28 @@ ms.localizationpriority: medium
@@ -51,7 +51,7 @@ ms.localizationpriority: medium
-**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
@@ -165,7 +165,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
-**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
@@ -272,7 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
-**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
@@ -395,7 +395,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
-**DeviceInstallation/PreventDeviceMetadataFromNetwork**
+## DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -474,7 +474,7 @@ ADMX Info:
-**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings**
+## DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
@@ -586,7 +586,7 @@ You can also block installation by using a custom profile in Intune.
-**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
@@ -703,7 +703,7 @@ For example, this custom profile blocks installation and usage of USB devices wi
-**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
@@ -830,7 +830,7 @@ with
-**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index b106637736..f68a71f820 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -677,7 +677,7 @@ The following list shows the supported values:
-Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c63c654abe..73e6d3c865 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -5,9 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
+author: dansimp
ms.localizationpriority: medium
-ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
@@ -85,6 +84,9 @@ manager: dansimp
+
+**InternetExplorer/AllowSaveTargetAsInIEMode**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode.
+
+- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.
+- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu.
+
+For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow "Save Target As" in Internet Explorer mode*
+- GP name: *AllowSaveTargetAsInIEMode*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+**InternetExplorer/ConfigureEdgeRedirectChannel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed.
+
+If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:
+
+- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
+ 1 = Microsoft Edge Stable
+ 2 = Microsoft Edge Beta version 77 or later
+ 3 = Microsoft Edge Dev version 77 or later
+ 4 = Microsoft Edge Canary version 77 or later
+
+- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.
+
+If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur:
+
+- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
+ 0 = Microsoft Edge version 45 or earlier
+ 1 = Microsoft Edge Stable
+ 2 = Microsoft Edge Beta version 77 or later
+ 3 = Microsoft Edge Dev version 77 or later
+ 4 = Microsoft Edge Canary version 77 or later
+
+- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
+
+> [!NOTE]
+> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites*
+- GP name: *NeedEdgeBrowser*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy lets you restrict launching of Internet Explorer as a standalone browser.
+
+If you enable this policy, it:
+- Prevents Internet Explorer 11 from launching as a standalone browser.
+- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.
+- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
+- Overrides any other policies that redirect to Internet Explorer 11.
+
+If you disable, or do not configure this policy, all sites are opened using the current active browser settings.
+
+> [!NOTE]
+> Microsoft Edge Stable Channel must be installed for this policy to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable Internet Explorer 11 as a standalone browser*
+- GP name: *DisableInternetExplorerApp*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+**InternetExplorer/KeepIntranetSitesInInternetExplorer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting prevents intranet sites from being opened in any browser except Internet Explorer.
+
+> [!NOTE]
+> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect.
+
+If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.
+If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge.
+
+We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.
+
+Related policies:
+- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies)
+- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies)
+
+For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Keep all Intranet Sites in Internet Explorer*
+- GP name: *KeepIntranetSitesInInternetExplorer*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List.
+
+If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.
+
+If you disable, or not configure this setting, then it opens all sites based on the currently active browser.
+
+> [!NOTE]
+> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge*
+- GP name: *RestrictInternetExplorer*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+> [!NOTE]
+> This MDM policy is still outstanding.
+
+
+```xml
+
+> [!NOTE]
+>
+> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
+>
+> - Administrators
+> - Users
+> - Guests
+> - Power Users
+> - Remote Desktop Users
+> - Remote Management Users
+
## FAQs
This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
@@ -223,10 +252,69 @@ To troubleshoot Name/SID lookup APIs:
```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
```
-
+```xml
+
-**Search/AllowCortanaInAAD**
@@ -178,30 +174,6 @@ The following list shows the supported values:
-
-
-Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
-
-
-
-ADMX Info:
-- GP English name: *Allow Cortana Page in OOBE on an AAD account*
-- GP name: *AllowCortanaInAAD*
-- GP path: *Windows Components/Search*
-- GP ADMX file name: *Search.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup.
-- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup.
-
-
-
-
-
-
**Search/AllowFindMyFiles**
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 8698b88092..1a7026a930 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4333,7 +4333,7 @@ The following list shows the supported values:
-Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
+Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/).
ADMX Info:
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 2b8f5d0334..c03b4d3430 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -20,23 +20,23 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
-**./Vendor/MSFT/SurfaceHub**
+**./Vendor/MSFT/SurfaceHub**
@@ -206,67 +211,67 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
## Procedures
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
-> If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
+If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
[Verify support for Hyper-V](#verify-support-for-hyper-v)
@@ -290,36 +295,36 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
-
+
Here is an example:
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index c26f13353d..c6d416f858 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -22,10 +22,33 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa
> [!NOTE]
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
-The following diagram shows the UEFI CSP in tree format.
-
-
-
+The following shows the UEFI CSP in tree format.
+```
+./Vendor/MSFT
+Uefi
+----DeviceIdentifier
+----Identity
+--------Current
+--------Apply
+--------Result
+----Permissions
+--------Current
+--------Apply
+--------Result
+----Settings
+--------Current
+--------Apply
+--------Result
+----Identity2
+--------Apply
+--------Result
+----Permissions2
+--------Apply
+--------Result
+----Settings2
+--------Apply
+--------Result
+```
The following list describes the characteristics and parameters.
**./Vendor/MSFT/Uefi**
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 183c89df6d..875bce0570 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -19,10 +19,37 @@ The Update configuration service provider enables IT administrators to manage an
> [!Note]
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
-The following diagram shows the Update configuration service provider in tree format.
-
-
+The following shows the Update configuration service provider in tree format.
+```./Vendor/MSFT
+Update
+----ApprovedUpdates
+--------Approved Update Guid
+------------ApprovedTime
+----FailedUpdates
+--------Failed Update Guid
+------------HResult
+------------Status
+------------RevisionNumber
+----InstalledUpdates
+--------Installed Update Guid
+------------RevisionNumber
+----InstallableUpdates
+--------Installable Update Guid
+------------Type
+------------RevisionNumber
+----PendingRebootUpdates
+--------Pending Reboot Update Guid
+------------InstalledTime
+------------RevisionNumber
+----LastSuccessfulScanTime
+----DeferUpgrade
+----Rollback
+--------QualityUpdate
+--------FeatureUpdate
+--------QualityUpdateStatus
+--------FeatureUpdateStatus
+```
**Update**
bcdedit /set *{identifier}* option value
+```console
+bcdedit /set *{identifier}* option value
+```
For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:`
@@ -133,20 +139,20 @@ If the files are missing, and you want to rebuild the boot files, follow these s
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here:
- ```cmd
+ ```console
D:\> Mkdir BootBackup
R:\> Copy *.* D:\BootBackup
```
2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here:
- ```cmd
+ ```console
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
For example, if we assign the `
- ```
+ * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
+ * To add the account SID to the registry key using PowerShell:
+
+ ```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
@@ -228,8 +242,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
```
-
-
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index d39c37513b..6cc1c8921e 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -45,7 +45,7 @@ Specifies the settings you can configure when joining a device to a domain, incl
| --- | --- | --- |
| Account | string | Account to use to join computer to domain |
| AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account |
-| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer that includes fewer than 15 digits, or using %SERIAL% characters in the name.ComputerName is a string with a maximum length of 15 bytes of content:- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.- ComputerName cannot use some non-standard characters, such as emoji. Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](https://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) |
+| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) |
| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join |
| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
index 3dcf319a94..a7f9b909e9 100644
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@@ -36,7 +36,16 @@
"./": {
"depot_name": "MSDN.windows-configure"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
index e287ca8721..58a98d4813 100644
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-deploy",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index d13e8feb57..71c908be85 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -24,6 +24,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
+>* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing.
>[!IMPORTANT]
>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index ebdcfa1363..0cea204292 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020
# What's new in Windows 10 deployment
-**Applies to**
-- Windows 10
+**Applies to:**
+- Windows 10
## In this topic
@@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines
- Windows 10
- Office 365
-- Enterprise Mobility and Security (EMS).
+- Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster).
@@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
+- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+ - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
@@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
+- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
@@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
@@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager
@@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics:
@@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
### MBR2GPT
-MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
@@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
-
+
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
### Windows 10 deployment proof of concept (PoC)
-The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
For more information, see the following guides:
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 348d4fd07c..66c81b0a5b 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -77,7 +77,7 @@ ForEach($entry in $oulist){
}
```
-Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+Next, copy the following list of OU names and paths into a text file and save it as **C:\Setup\Scripts\oulist.txt**
```text
OUName,OUPath
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5c8972471b..5d5ff0215e 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -45,8 +45,9 @@ These steps will show you how to configure an Active Directory account with the
On **DC01**:
-1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
-2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
+
+2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
@@ -60,19 +61,20 @@ On **DC01**:
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-The following is a list of the permissions being granted:
- a. Scope: This object and all descendant objects
- b. Create Computer objects
- c. Delete Computer objects
- d. Scope: Descendant Computer objects
- e. Read All Properties
- f. Write All Properties
- g. Read Permissions
- h. Modify Permissions
- i. Change Password
- j. Reset Password
- k. Validated write to DNS host name
- l. Validated write to service principal name
+ The following is a list of the permissions being granted:
+
+ - Scope: This object and all descendant objects
+ - Create Computer objects
+ - Delete Computer objects
+ - Scope: Descendant Computer objects
+ - Read All Properties
+ - Write All Properties
+ - Read Permissions
+ - Modify Permissions
+ - Change Password
+ - Reset Password
+ - Validated write to DNS host name
+ - Validated write to service principal name
## Step 2: Set up the MDT production deployment share
@@ -87,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
+
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@@ -116,9 +121,13 @@ In these steps, we assume that you have completed the steps in the [Create a Win
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
+
3. On the **OS Type** page, select **Custom image file** and click **Next**.
+
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
@@ -140,16 +149,22 @@ On **MDT01**:
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
+
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
+
6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+
7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+
8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+ 
-The Adobe Reader application added to the Deployment Workbench.
+ The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
@@ -211,16 +226,17 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
-``` powershell
+```powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
+
Or, you can use this command in a normal command prompt:
-```
+```console
wmic csproduct get name
```
-If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
@@ -244,9 +260,9 @@ On **MDT01**:
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
3. Click **Next**, **Next** and **Finish**.
-
+ 
-Creating the WinPE x64 selection profile.
+ Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
@@ -267,7 +283,8 @@ On **MDT01**:
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-
+> [!div class="mx-imgBorder"]
+> 
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@@ -276,9 +293,12 @@ In this example, we assume you have downloaded and extracted the drivers using T
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
-2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
+
+ The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
### For the Latitude E7450
@@ -289,7 +309,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
-2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
+
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
### For the HP EliteBook 8560w
@@ -300,7 +323,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
-2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
+
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
### For the Microsoft Surface Laptop
@@ -309,7 +335,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
-2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
## Step 6: Create the deployment task sequence
@@ -320,40 +349,46 @@ This section will show you how to create the task sequence used to deploy your p
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
+
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: W10-X64-001
- 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- 3. Task sequence comments: Production Image
- 4. Template: Standard Client Task Sequence
- 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image
- 6. Specify Product Key: Do not specify a product key at this time
- 7. Full Name: Contoso
- 8. Organization: Contoso
- 9. Internet Explorer home page: https://www.contoso.com
- 10. Admin Password: Do not specify an Administrator Password at this time
+ - Task sequence ID: W10-X64-001
+ - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
+ - Task sequence comments: Production Image
+ - Template: Standard Client Task Sequence
+ - Select OS: Windows 10 Enterprise x64 RTM Custom Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Full Name: Contoso
+ - Organization: Contoso
+ - Internet Explorer home page: https://www.contoso.com
+ - Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 10 task sequence
1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
-2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
- 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set DriverGroup001
- 2. Task Sequence Variable: DriverGroup001
- 3. Value: Windows 10 x64\\%Make%\\%Model%
- 2. Configure the **Inject Drivers** action with the following settings:
- 1. Choose a selection profile: Nothing
- 2. Install all drivers from the selection profile
- >[!NOTE]
- >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
+
+ 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
+ - Name: Set DriverGroup001
+ - Task Sequence Variable: DriverGroup001
+ - Value: Windows 10 x64\\%Make%\\%Model%
+
+ 2. Configure the **Inject Drivers** action with the following settings:
+ - Choose a selection profile: Nothing
+ - Install all drivers from the selection profile
+
+ > [!NOTE]
+ > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
+
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
+
3. Click **OK**.
-
+ 
-The task sequence for production deployment.
+ The task sequence for production deployment.
## Step 7: Configure the MDT production deployment share
@@ -361,100 +396,112 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
### Configure the rules
+> [!NOTE]
+> The following instructions assume the device is online. If you're offline you can remove SLShare variable.
+
On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=pass@word1
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
3. Click **Edit Bootstrap.ini** and modify using the following information:
-```
-[Settings]
-Priority=Default
+ ```
+ [Settings]
+ Priority=Default
-[Default]
-DeployRoot=\\MDT01\MDTProduction$
-UserDomain=CONTOSO
-UserID=MDT_BA
-UserPassword=pass@word1
-SkipBDDWelcome=YES
-```
+ [Default]
+ DeployRoot=\\MDT01\MDTProduction$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
- 1. Image description: MDT Production x86
- 2. ISO file name: MDT Production x86.iso
+
+ In the **Lite Touch Boot Image Settings** area:
+
+ - Image description: MDT Production x86
+ - ISO file name: MDT Production x86.iso
- > [!NOTE]
- >
- >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ > [!NOTE]
+ >
+ > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
8. On the **General** sub tab, configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
- 1. Image description: MDT Production x64
- 2. ISO file name: MDT Production x64.iso
+
+ In the **Lite Touch Boot Image Settings** area:
+
+ - Image description: MDT Production x64
+ - ISO file name: MDT Production x64.iso
+
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+
11. Click **OK**.
->[!NOTE]
->It will take a while for the Deployment Workbench to create the monitoring database and web service.
+ >[!NOTE]
+ >It will take a while for the Deployment Workbench to create the monitoring database and web service.
+ 
-
-
-The Windows PE tab for the x64 boot image.
+ The Windows PE tab for the x64 boot image.
### The rules explained
The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
->
->You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
This is the MDT Production Bootstrap.ini:
+
```
[Settings]
Priority=Default
@@ -470,6 +517,7 @@ SkipBDDWelcome=YES
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
+
```
[Settings]
Priority=Default
@@ -526,32 +574,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
+
+> [!NOTE]
+> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
+>
+> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`
+
**NEW** Tactical considerations for creating Windows deployment rings
@@ -67,7 +68,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
Learn more about Windows as a service and its value to your organization.
-
+
Overview of Windows as a service
@@ -82,7 +83,7 @@ Learn more about Windows as a service and its value to your organization.
Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
-
+
Simplified updates
@@ -98,7 +99,7 @@ Prepare to implement Windows as a service effectively using the right tools, pro
Secure your organization's deployment investment.
-
+
Update Windows 10 in the enterprise
@@ -112,6 +113,6 @@ Secure your organization's deployment investment.
## Microsoft Ignite 2018
-
+
Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index ed776f86d0..37dcc627f0 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -31,7 +31,7 @@ The following table describes the log files created by Windows Update.
To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru).
>[!NOTE]
->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again.
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
### Windows Update log components
The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 49b83d23f1..b9eb08a9e3 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -6,7 +6,6 @@ ms.mktglfcycl:
audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
@@ -16,7 +15,15 @@ author: jaimeo
# Windows Update - additional resources
-> Applies to: Windows 10
+**Applies to**:
+
+- Windows 10
+- Windows Server 2016
+- Windows Server 2019
+
+> [!NOTE]
+> Windows Server 2016 supports policies available in Windows 10, version 1607. Windows Server 2019 supports policies available in Windows 10, version 1809.
+
The following resources provide additional information about using Windows Update.
@@ -32,9 +39,18 @@ The following resources provide additional information about using Windows Updat
## How do I reset Windows Update components?
-[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
+- Try using the [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-for-windows-10-19bc41ca-ad72-ae67-af3c-89ce169755dd), which will analyze the situation and reset any components that need it.
+- Try the steps in [Troubleshoot problems updating Windows 10](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-10-188c2b0f-10a7-d72f-65b8-32d177eb136c).
+- Try the steps in [Fix Windows Update](https://support.microsoft.com/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787) errors.
+
+If all else fails, try resetting the Windows Update Agent by running these commands from an elevated command prompt:
+
+ ``` console
+ net stop wuauserv
+ rd /s /q %systemroot%\SoftwareDistribution
+ net start wuauserv
+ ```
-[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually
@@ -42,29 +58,30 @@ The following resources provide additional information about using Windows Updat
``` console
cmd
```
-2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+2. Stop the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net stop bits
net stop wuauserv
+ net stop cryptsvc
```
-3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
+3. Delete the **qmgr\*.dat** files. To do this, type the following command at a command prompt, and then press ENTER:
``` console
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
```
4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
1. Rename the following folders to *.BAK:
``` console
- %systemroot%\SoftwareDistribution\DataStore
- %systemroot%\SoftwareDistribution\Download
- %systemroot%\system32\catroot2
+ %Systemroot%\SoftwareDistribution\DataStore
+ %Systemroot%\SoftwareDistribution\Download
+ %Systemroot%\System32\catroot2
```
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
- Ren %systemroot%\SoftwareDistribution\DataStore *.bak
- Ren %systemroot%\SoftwareDistribution\Download *.bak
- Ren %systemroot%\system32\catroot2 *.bak
+ Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak
+ Ren %Systemroot%\SoftwareDistribution\Download Download.bak
+ Ren %Systemroot%\System32\catroot2 catroot2.bak
```
- 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
@@ -73,7 +90,7 @@ The following resources provide additional information about using Windows Updat
``` console
cd /d %windir%\system32
```
-6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+6. Reregister the **BITS** files and the **Windows Update** files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
regsvr32.exe atl.dll
@@ -114,7 +131,7 @@ The following resources provide additional information about using Windows Updat
regsvr32.exe wuwebv.dll
```
-7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+7. Reset **Winsock**. To do this, type the following command at a command prompt, and then press ENTER:
``` console
netsh winsock reset
```
@@ -122,13 +139,13 @@ The following resources provide additional information about using Windows Updat
``` console
proxycfg.exe -d
```
-9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+9. Restart the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net start bits
-
- net start wuauserv
+ net start wuauserv
+ net start cryptsvc
```
-10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+10. If you are running Windows Vista or Windows Server 2008, clear the **BITS** queue. To do this, type the following command at a command prompt, and then press ENTER:
``` console
bitsadmin.exe /reset /allusers
```
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 37da456194..ca70223a2c 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -30,7 +30,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi
>
> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>
-> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
+> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
>
> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index bc307dfc3a..e7ec8ac329 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -32,25 +32,28 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
- VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
## Activation
### Scenario 1
+
- The VM is running Windows 10, version 1803 or later.
- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
### Scenario 2
+
- The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
[Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
### Scenario 3
+
- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
- In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
+ In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems).
For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience).
@@ -69,7 +72,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https:
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again.
7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20.
8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-9. Open Windows Configuration Designer and click **Provison desktop services**.
+9. Open Windows Configuration Designer and click **Provision desktop services**.
10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
@@ -111,7 +114,7 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir
3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
4. Click **Add**, type **Authenticated users**, and then click **OK** three times.
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-6. Open Windows Configuration Designer and click **Provison desktop services**.
+6. Open Windows Configuration Designer and click **Provision desktop services**.
7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index e9c419383d..79c1279f78 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -29,6 +29,9 @@ ms.topic: article
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
+>- Office 2013*
+>- Office 2016*
+>- Office 2019*
**Looking for retail activation?**
@@ -46,10 +49,13 @@ The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
-1. Microsoft verifies the KMS host key, and an activation object is created.
-1. Client computers are activated by receiving the activation object from a domain controller during startup.
- 
+2. Microsoft verifies the KMS host key, and an activation object is created.
+
+3. Client computers are activated by receiving the activation object from a domain controller during startup.
+
+ > [!div class="mx-imgBorder"]
+ > 
**Figure 10**. The Active Directory-based activation flow
@@ -69,52 +75,67 @@ When a reactivation event occurs, the client queries AD DS for the activation o
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
-1. Launch Server Manager.
-1. Add the Volume Activation Services role, as shown in Figure 11.
+
+2. Launch Server Manager.
+
+3. Add the Volume Activation Services role, as shown in Figure 11.
**Figure 11**. Adding the Volume Activation Services role
-1. Click the link to launch the Volume Activation Tools (Figure 12).
+4. Click the link to launch the Volume Activation Tools (Figure 12).
**Figure 12**. Launching the Volume Activation Tools
-1. Select the **Active Directory-Based Activation** option (Figure 13).
+5. Select the **Active Directory-Based Activation** option (Figure 13).
**Figure 13**. Selecting Active Directory-Based Activation
-1. Enter your KMS host key and (optionally) a display name (Figure 14).
+6. Enter your KMS host key and (optionally) a display name (Figure 14).
**Figure 14**. Entering your KMS host key
-1. Activate your KMS host key by phone or online (Figure 15).
+7. Activate your KMS host key by phone or online (Figure 15).
-
+
**Figure 15**. Choosing how to activate your product
-1. After activating the key, click **Commit**, and then click **Close**.
+ > [!NOTE]
+ > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
+ >
+ >
+ > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
+ >
+ > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
+ >
+ > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
+
+8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-1. If the computer is not joined to your domain, join it to the domain.
-1. Sign in to the computer.
-1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
-1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
+2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+3. If the computer is not joined to your domain, join it to the domain.
+4. Sign in to the computer.
+5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
+ >
+ > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
+
## See also
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 38d957f492..a525cff518 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -25,7 +25,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.
+>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
@@ -33,16 +33,20 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
-- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
+- Latest version of the [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install)
- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
- Alternatively, any supported **full** SQL instance
### Install SQL Server Express / alternatively use any full SQL instance
1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+
2. Select **Basic**.
+
3. Accept the license terms.
+
4. Enter an install location or use the default path, and then select **Install**.
+
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
@@ -50,29 +54,37 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+
If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
+
2. Enter an install location or use the default path, and then select **Next**.
+
3. Select a privacy setting, and then select **Next**.
+
4. Accept the license terms.
+
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
+
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
+
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
- 
+ 
-for remote SQL Server use
-servername.yourdomain.com
+ For remote SQL Server, use `servername.yourdomain.com`.
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
+
1. Open **Control Panel** and select **Programs and Features**.
+
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 84fa27310d..021fb986f8 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -21,9 +21,9 @@ ms.topic: article
Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
-With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**.
+With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
-The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
+The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
## Subscription Activation for Windows 10 Enterprise
@@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+
- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
+
- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+
- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+
- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+
- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+
- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+
- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
## Requirements
@@ -83,6 +90,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
> [!NOTE]
> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+> [!NOTE]
+> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants.
+
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
@@ -102,21 +112,29 @@ To resolve this issue:
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1809 or later:
-1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
-
-
-
+- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
+
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
+
+ 
+
+ 
+
+ 
### Windows 10 Education requirements
-1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
-3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
-4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
+
+- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
+
+- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+
+> [!IMPORTANT]
+> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
## Benefits
@@ -128,15 +146,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
You can benefit by moving to Windows as an online service in the following ways:
-1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. User logon triggers a silent edition upgrade, with no reboot required
-3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
-4. Compliance support via seat assignment.
-5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
+- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+
+- User logon triggers a silent edition upgrade, with no reboot required.
+
+- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+
+- Compliance support via seat assignment.
+
+- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
## How it works
-The device is AAD joined from Settings > Accounts > Access work or school.
+The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@@ -154,26 +176,35 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
-Note:
-1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
-2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> [!NOTE]
+>
+> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+>
+> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
-**Scenario #1**: You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #1
+
+You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
-**Scenario #2**: You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #2
+
+You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-
+```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-**Scenario #3**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+#### Scenario #3
+
+Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@@ -184,7 +215,7 @@ If you’re running Windows 7, it can be more work. A wipe-and-load approach w
The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license.
- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
-- Up to five devices can be upgraded for each user license.
+- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education.
- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
@@ -201,7 +232,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-
+```console
@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
@@ -215,18 +246,24 @@ echo No key present
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)
-
+```
### Obtaining an Azure AD license
Enterprise Agreement/Software Assurance (EA/SA):
+
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
+
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
+
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA):
+
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
+
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
+
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 4753557b61..0ee2f4c1df 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -31,7 +31,7 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM
> [!NOTE]
> Although there are [multiple platforms](add-devices.md#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
-
+>
> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
@@ -47,13 +47,13 @@ These are the things you'll need to complete this lab:
+Windows 10 installation media Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise. Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. Hyper-V or a physical device running Windows 10 The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. A Premium Intune account This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab. An account with Azure AD Premium license This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.
[Enable Hyper-V](#enable-hyper-v)
@@ -113,7 +113,7 @@ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
-> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
@@ -132,21 +132,27 @@ Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [
To use Windows PowerShell, we just need to know two things:
1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+
+ In the example, we assume the location is **c:\iso\win10-eval.iso**.
+
2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
+
+ In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+
+When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
### Determine network adapter name
@@ -237,11 +243,12 @@ After the VM restarts, during OOBE, it's fine to select **Set up for personal us
-Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
- 
+ > [!div class="mx-imgBorder"]
+ > 
-To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
@@ -252,9 +259,9 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PowerShell script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
-Follow these steps to run the PS script:
+Follow these steps to run the PowerShell script:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
@@ -267,62 +274,62 @@ Follow these steps to run the PS script:
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
-When you are prompted to install the NuGet package, choose **Yes**.
+1. When you are prompted to install the NuGet package, choose **Yes**.
-See the sample output below. A 'dir' command is issued at the end to show the file that was created.
+ See the sample output below. A **dir** command is issued at the end to show the file that was created.
-
-PS C:\> md c:\HWID
+ ```console
+ PS C:\> md c:\HWID
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 11/13/2020 3:00 PM HWID
+
+
+ PS C:\Windows\system32> Set-Location c:\HWID
+ PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+ NuGet provider is required to continue
+ PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+ 'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+ import the NuGet provider now?
+ [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
+ PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+ PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
+ PS C:\HWID> dir
+
+
+ Directory: C:\HWID
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
+
+
+ PS C:\HWID>
+ ```
+
+1. Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
- Directory: C:\
+ > [!NOTE]
+ > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+ 
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 11/13/2020 3:00 PM HWID
+ You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+ If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-PS C:\Windows\system32> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
-PS C:\HWID> dir
-
-
- Directory: C:\HWID
-
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
-
-
-PS C:\HWID>
-
-
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-
-> [!NOTE]
-> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
-
-
-
-You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
-
-If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-
-> [!NOTE]
-> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+ > [!NOTE]
+ > When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
@@ -446,14 +453,17 @@ Pick one:
The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group:
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+
2. In the **Group** blade:
1. For **Group type**, choose **Security**.
2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
3. Azure AD roles can be assigned to the group: **No**
4. For **Membership type**, choose **Assigned**.
+
3. Click **Members** and add the Autopilot VM to the group. See the following example:
- 
+ > [!div class="mx-imgBorder"]
+ > 
4. Click **Create**.
@@ -461,11 +471,13 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
-
+> [!div class="mx-imgBorder"]
+> 
Click on **Create profile** and then select **Windows PC**.
-
+> [!div class="mx-imgBorder"]
+> 
On the **Create profile** blade, use the following values:
@@ -481,7 +493,7 @@ Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
|---|---|
| Deployment mode | User-driven |
| Join to Azure AD as | Azure AD joined |
-| Microsoft Sofware License Terms | Hide |
+| Microsoft Software License Terms | Hide |
| Privacy Settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
@@ -504,6 +516,7 @@ Click **Next** to continue with the **Assignments** settings:
Click on **OK** and then click on **Create**.
+> [!NOTE]
> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
### Create a Windows Autopilot deployment profile using MSfB
@@ -524,15 +537,18 @@ To CREATE the profile:
Select your device from the **Devices** list:
-
+> [!div class="mx-imgBorder"]
+> 
On the Autopilot deployment dropdown menu, select **Create new profile**:
-
+> [!div class="mx-imgBorder"]
+> 
Name the profile, choose your desired settings, and then click **Create**:
-
+> [!div class="mx-imgBorder"]
+> 
The new profile is added to the Autopilot deployment list.
@@ -540,11 +556,13 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
+> [!div class="mx-imgBorder"]
+> 
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
+> [!div class="mx-imgBorder"]
+> 
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -553,7 +571,8 @@ Confirm the profile was successfully assigned to the intended device by checking
If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
-
+> [!div class="mx-imgBorder"]
+> 
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
@@ -568,14 +587,15 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
-
+> [!div class="mx-imgBorder"]
+> 
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
> [!TIP]
-> If you recieve a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use" then verify you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
+> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
-Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
## Remove devices from Autopilot
@@ -585,18 +605,20 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
-
+> [!div class="mx-imgBorder"]
+> 
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
-> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+> A device will only appear in the All devices list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
-
+> [!div class="mx-imgBorder"]
+> 
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
@@ -610,7 +632,7 @@ Starting with Windows 8, the host computer's microprocessor must support second
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
+```console
C:>systeminfo
...
@@ -618,15 +640,16 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
-
+```
In this example, the computer supports SLAT and Hyper-V.
+> [!NOTE]
> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
+```console
C:>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -639,7 +662,7 @@ Microcode signature: 0000001B
HYPERVISOR - Hypervisor is present
VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
-
+```
> [!NOTE]
> A 64-bit operating system is required to run Hyper-V.
@@ -662,7 +685,8 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+> [!div class="mx-imgBorder"]
+> 
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -680,7 +704,8 @@ Under **App Type**, select **Windows app (Win32)**:
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+> [!div class="mx-imgBorder"]
+> 
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
@@ -688,8 +713,10 @@ On the **App Information Configure** blade, provide a friendly name, description
On the **Program Configuration** blade, supply the install and uninstall commands:
+```console
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+```
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
@@ -702,11 +729,13 @@ Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+> [!div class="mx-imgBorder"]
+> 
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+> [!div class="mx-imgBorder"]
+> 
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
@@ -716,7 +745,8 @@ Click **OK** twice to save, as you back out to the main **Add app** blade again
**Return codes**: For our purposes, leave the return codes at their default values:
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK** to exit.
@@ -726,11 +756,13 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+> [!div class="mx-imgBorder"]
+> 
You will be able to find your app in your app list:
-
+> [!div class="mx-imgBorder"]
+> 
#### Assign the app to your Intune profile
@@ -739,19 +771,22 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+> [!div class="mx-imgBorder"]
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
+For our purposes, select **Required** from the **Assignment type** dropdown menu.
+> [!NOTE]
> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+> [!div class="mx-imgBorder"]
+> 
In the **Select groups** pane, click the **Select** button.
@@ -761,7 +796,8 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+> [!div class="mx-imgBorder"]
+> 
At this point, you have completed steps to add a Win32 app to Intune.
@@ -783,15 +819,17 @@ Under **App Type**, select **Office 365 Suite > Windows 10**:
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK**.
In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
-> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK**.
@@ -808,19 +846,21 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+> [!div class="mx-imgBorder"]
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
+For our purposes, select **Required** from the **Assignment type** dropdown menu.
-> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+> [!div class="mx-imgBorder"]
+> 
In the **Select groups** pane, click the **Select** button.
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index 0dbfe2d2e9..42439e1e7b 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -40,7 +40,16 @@
"depot_name": "MSDN.win-device-security",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
index ff3ab96c92..5270a33f5d 100644
--- a/windows/eulas/docfx.json
+++ b/windows/eulas/docfx.json
@@ -37,7 +37,16 @@
"globalMetadata": {
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
- "feedback_system": "None"
+ "feedback_system": "None",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 25ef07d002..eaeb093642 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,6 +1,6 @@
# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
-## [Release information](/windows/release-information)
+## [Release information](/windows/release-health)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index a28aaa3b77..e2971f2d84 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -27,7 +27,7 @@
topicHref: /windows/client-management/mdm/index
- name: Release information
tocHref: /windows/release-information/
- topicHref: /windows/release-information/index
+ topicHref: /windows/release-health/release-information
- name: Privacy
tocHref: /windows/privacy/
topicHref: /windows/privacy/index
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 2fad5a8fc9..898e842c41 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -48,7 +48,16 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows 10 for IT Pros"
+ "titleSuffix": "Windows 10 for IT Pros",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 75355791f6..bac6a47a7b 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -33,7 +33,7 @@ landingContent:
- text: What's new in Windows 10, version 1909
url: /windows/whats-new/whats-new-windows-10-version-1909
- text: Windows 10 release information
- url: https://docs.microsoft.com/windows/release-information/
+ url: https://docs.microsoft.com/windows/release-health/release-information
# Card (optional)
- title: Configuration
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index 884e478dcb..eecc6e8b2e 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@@ -36,7 +36,16 @@
"depot_name": "MSDN.keep-secure",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
index ebcaf22f82..4592f86de8 100644
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@@ -38,7 +38,16 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app"
+ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
index a65600c79b..e96e3ebf76 100644
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-manage",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
index a05d2009a6..d4e156d3c2 100644
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-plan",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 0f24cde486..bb7dfb718c 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -46,8 +46,19 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Privacy"
+ "titleSuffix": "Windows Privacy",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
+ "searchScope": ["Windows 10"]
+ },
"fileMetadata": {},
"template": [],
"dest": "privacy",
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index d449b47b4c..0d7d37c2fe 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints:
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 4dcacaf204..40211ae3b7 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -41,7 +41,16 @@
"audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
- "feedback_system": "None"
+ "feedback_system": "None",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index a27324310a..e8accb5982 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -47,7 +47,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Microsoft 365 Security"
+ "titleSuffix": "Microsoft 365 Security",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {
"titleSuffix":{
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index e408ad9ba8..76ef2c7179 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -1853,7 +1853,7 @@ The Enterprise Key Admins group was introduced in Windows Server 2016.
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
+| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None |
@@ -2331,7 +2331,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
+| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None |
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index b21bd85fd4..f4d8e44b09 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
+
The individual values of a SID are described in the following table.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 90a4a08397..b69fe341ce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -42,9 +42,9 @@ As the depth and breadth of protections provided by Windows Defender Credential
### Saved Windows Credentials Protected
Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
- - Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
- - Applications that extract Windows credentials fail.
- - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+* Applications that extract Windows credentials fail.
+* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
## Clearing TPM Considerations
Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 27f4be1157..5f85322714 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -263,11 +263,10 @@ To disable Windows Defender Credential Guard, you can use the following set of p
>bcdedit /set vsmlaunchtype off
>```
-> [!NOTE]
-> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
+For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity).
-For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
-).
+> [!NOTE]
+> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
@@ -292,5 +291,3 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m
Set-VMSecurity -VMName
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index b1fda98d52..e558366ee8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -44,42 +44,58 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
- 
+
+ 
+
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- 
+
+ > [!div class="mx-imgBorder"]
+ > 
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+
2. Edit the Group Policy object from Step 1.
+
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
+
2. Click **Endpoint Security** > **Account Protection** > **Properties**.
+
3. Set **Enable PIN recovery** to **Yes**.
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager.
+>
> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
+>
> 3. Set **Enable PIN recovery** to **Yes**.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account.
+
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
+
3. In the device configuration profile, select **Assignments**.
+
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
@@ -104,13 +120,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
#### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
+1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+2. Enter your password and press enter.
+3. Follow the instructions provided by the provisioning process
+4. When finished, unlock your desktop using your newly created PIN.
->[!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+
+> [!NOTE]
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 0ebcd33ec5..4ce58b8818 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,6 +1,6 @@
---
title: Remote Desktop
-description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device.
+description: Learn how Windows Hello for Business supports using biometrics with remote desktop
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 09/16/2020
+ms.date: 02/24/2021
ms.reviewer:
---
@@ -22,10 +22,8 @@ ms.reviewer:
**Requirements**
- Windows 10
-- Certificate trust deployments
-- Hybrid and On-premises Windows Hello for Business deployments
+- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
@@ -35,9 +33,8 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
**Requirements**
-- Hybrid and On-premises Windows Hello for Business deployments
+- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
- Biometric enrollments
- Windows 10, version 1809
@@ -57,7 +54,8 @@ Windows Hello for Business emulates a smart card for application compatibility.
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
-
+> [!div class="mx-imgBorder"]
+> 
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index c5273dc500..1c550a85f6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -396,7 +396,7 @@ Certificate enrollment for Azure AD joined devices occurs over the Internet. As
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
-Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index efeaaacd05..7adb1b0b6d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -20,9 +20,9 @@ ms.reviewer:
# Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to**
-- Windows 10, version 1703 or later
-- Hybrid deployment
-- Key trust
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Certificate Trust
## Directory Synchronization
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index c05de0195e..7ab3353cab 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
+
+The following PowerShell command can be used to check all certificates in the NTAuth store:
+
+```powershell
+Certutil -viewstore -enterprise NTAuth
+```
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index a908e96533..2a2c07e715 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -298,7 +298,13 @@ Sign-in the domain controller or administrative workstation with domain administ
3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
-6. Close the DNS Management console
+6. Right-click the `domain_name` node and select **New Alias (CNAME)**.
+7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box.
+8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK.
+9. Close the DNS Management console.
+
+> [!NOTE]
+> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix.
## Configure the Intranet Zone to include the federation service
@@ -342,5 +348,3 @@ Before you continue with the deployment, validate your deployment progress by re
3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
new file mode 100644
index 0000000000..174cf0a790
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
new file mode 100644
index 0000000000..028f06544c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
new file mode 100644
index 0000000000..322a4fcbdc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 8a29bb7d81..5c90875208 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -103,6 +103,8 @@
href: hello-cert-trust-policy-settings.md
- name: Managing Windows Hello for Business in your organization
href: hello-manage-in-organization.md
+ - name: Deploying Certificates to Key Trust Users to Enable RDP
+ href: hello-deployment-rdp-certs.md
- name: Windows Hello for Business Features
items:
- name: Conditional Access
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 0637c997cc..d3fb9810b8 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -181,7 +181,7 @@ mstsc.exe /remoteGuard
```
> [!NOTE]
-> The user must be part of administrators group.
+> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer.
## Considerations when using Windows Defender Remote Credential Guard
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index a0330b3425..89a4c83d9b 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+
+ > [!NOTE]
+ > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic
@@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
-
+> [!div class="mx-imgBorder"]
+> 
In Intune, you can also include custom XML for third-party plug-in profiles:
-
+> [!div class="mx-imgBorder"]
+> 
## Related topics
@@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles:
-
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
index ff59512a8b..0cf05d9d0d 100644
--- a/windows/security/includes/microsoft-defender.md
+++ b/windows/security/includes/microsoft-defender.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender important guidance
description: A note in regard to important Microsoft Defender guidance.
-ms.date: 09/21/2020
+ms.date:
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -9,3 +9,6 @@ author: dansimp
ms.prod: w10
ms.topic: include
---
+
+> [!IMPORTANT]
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 34008453ad..714d9c0db7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -82,6 +82,9 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
+> [!NOTE]
+> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
+
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index a856063b96..8f6a80ac58 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -32,14 +32,17 @@ Yes.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
-## Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
+## Do I have to suspend BitLocker protection to download and install system updates and upgrades?
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
-- Computer manufacturer firmware updates
-- TPM firmware updates
-- Non-Microsoft application updates that modify boot components
+- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection.
+- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
+- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
+- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
+ - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
+
> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 19f213f47f..9cd06e39f6 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -240,27 +240,27 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
- 
+ 
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
- 
+ 
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
- 
+ 
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
- 
+ 
9. Review the Local Security Policy snap-in to make sure your rule is correct.
@@ -318,11 +318,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
6. On the **Conditions** page, click **Path** and then click **Next**.
- 
+ 
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
- 
+ 
8. On the **Exceptions** page, add any exceptions and then click **Next**.
@@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
-contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
+contoso.sharepoint.com|contoso.visualstudio.com|contoso.onedrive.com,
```
### Protected domains
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 805b02475c..b9f3ed9dd7 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,733 +1,120 @@
# [Threat protection](index.md)
-## [Overview]()
-### [What is Microsoft Defender for Endpoint?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
-### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
-### [What's new in Microsoft Defender for Endpoint](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
-### [Preview features](microsoft-defender-atp/preview.md)
-### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
-### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
-### [Portal overview](microsoft-defender-atp/portal-overview.md)
-### [Microsoft Defender for Endpoint for US Government customers](microsoft-defender-atp/gov.md)
-### [Microsoft Defender for Endpoint for non-Windows platforms](microsoft-defender-atp/non-windows.md)
+## [Next-generation protection with Microsoft Defender Antivirus]()
+### [Microsoft Defender Antivirus overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
+### [Evaluate Microsoft Defender Antivirus](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
-## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
-
-## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
-
-## [Deployment guide]()
-### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
-### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
-### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
-### [Phase 3: Onboard]()
-#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
-#### [Deployment rings](microsoft-defender-atp/deployment-rings.md)
-#### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
-#### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
-#### [Onboard supported devices](microsoft-defender-atp/onboard-configure.md)
-
-## [Migration guides](microsoft-defender-atp/migration-guides.md)
-### [Switch from McAfee to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
-### [Switch from Symantec to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
-### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
-### [Manage Microsoft Defender for Endpoint after migration]()
-#### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
-#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
-#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
-#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
-#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
-
-## [Security administration]()
-### [Threat & vulnerability management]()
-#### [Overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-#### [Get started]()
-##### [Permissions & prerequisites](microsoft-defender-atp/tvm-prerequisites.md)
-##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-##### [Assign device value](microsoft-defender-atp/tvm-assign-device-value.md)
-#### [Assess your security posture]()
-##### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
-##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
-##### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
-#### [Improve your security posture & reduce risk]()
-##### [Address security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
-##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
-##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
-##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
-##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
-#### [Understand vulnerabilities on your devices]()
-##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
-##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
-##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
-##### [Vulnerable devices report](microsoft-defender-atp/tvm-vulnerable-devices-report.md)
-##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md)
-
-
-### [Attack surface reduction]()
-#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
-#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
-
-#### [Attack surface reduction controls]()
-##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
-##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
-##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
-
-#### [Hardware-based isolation]()
-##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
-##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
-
-##### [Application isolation]()
-###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
-###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
-###### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
-###### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md)
-
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-
-#### [Device control]()
-##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
-##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-##### [Device control report](device-control/device-control-report.md)
-
-#### [Exploit protection]()
-##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
-##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
-##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
-##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
-##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md)
-##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
-
-#### [Network protection]()
-##### [Protect your network](microsoft-defender-atp/network-protection.md)
-##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md)
-
-#### [Web protection]()
-##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
-##### [Web threat protection]()
-###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
-###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
-###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
-##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
-
-#### [Controlled folder access]()
-##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
-##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
-##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
-##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)
-
-
-
-#### [Network firewall]()
-##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
-##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-
-
-### [Next-generation protection]()
-#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
-#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
-
-#### [Configure next-generation protection]()
-##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
+### [Configure Microsoft Defender Antivirus]()
+#### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-##### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
-###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
-###### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-###### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
-###### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+#### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+##### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+##### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+##### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+##### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection]()
-###### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection]()
+##### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
+#### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
-##### [Antivirus compatibility]()
-###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
+#### [Antivirus compatibility]()
+##### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+##### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
-##### [Manage next-generation protection in your business]()
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
+#### [Manage Microsoft Defender Antivirus in your business]()
+##### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-##### [Deploy, manage updates, and report on antivirus]()
-###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
-###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Microsoft Defender Antivirus]()
+##### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
+##### [Deploy and enable Microsoft Defender Antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+##### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
-###### [Report on antivirus protection]()
-###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
-###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+##### [Report on antivirus protection]()
+##### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+##### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
+##### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+##### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+##### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+##### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+##### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+##### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-##### [Customize, initiate, and review the results of scans and remediation]()
-###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+#### [Customize, initiate, and review the results of scans and remediation]()
+##### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
-###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-
-##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-
-##### [Manage scans and remediation]()
-###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
-###### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-
-###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-
+##### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+##### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
+##### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
-#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
+#### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
+
+#### [Manage scans and remediation]()
+##### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+
+##### [Configure and validate exclusions in antivirus scans]()
+##### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+
+##### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+#### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
+##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-### [Microsoft Defender for Endpoint for Mac]()
-#### [Overview of Microsoft Defender for Endpoint for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
-#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
+### [Troubleshoot Microsoft Defender Antivirus]()
+#### [Troubleshoot Microsoft Defender Antivirus issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
+#### [Troubleshoot Microsoft Defender Antivirus migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
+
+## [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+## [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
-#### [Deploy]()
-##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-##### [JAMF Pro-based deployment]()
-###### [Deploying Microsoft Defender for Endpoint for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md)
-###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md)
-###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md)
-###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md)
-###### [Enroll devices](microsoft-defender-atp/mac-jamfpro-enroll-devices.md)
+## [Hardware-based isolation]()
-##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
-##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
-#### [Update](microsoft-defender-atp/mac-updates.md)
+### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
-#### [Configure]()
-##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
-##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
-##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
+### [Application isolation]()
+#### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
+#### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
+#### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
+#### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md)
-#### [Troubleshoot]()
-##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
-##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
-##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
-##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
+### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-#### [Privacy](microsoft-defender-atp/mac-privacy.md)
-#### [Resources](microsoft-defender-atp/mac-resources.md)
-
-
-
-
-### [Microsoft Defender for Endpoint for iOS]()
-#### [Overview of Microsoft Defender for Endpoint for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
-
-#### [Deploy]()
-##### [Deploy Microsoft Defender for Endpoint for iOS via Intune](microsoft-defender-atp/ios-install.md)
-
-#### [Configure]()
-##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
-#### [Privacy](microsoft-defender-atp/ios-privacy.md)
-
-
-### [Microsoft Defender for Endpoint for Linux]()
-#### [Overview of Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
-#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
-#### [Deploy]()
-##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
-##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
-##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
-
-#### [Update](microsoft-defender-atp/linux-updates.md)
-
-
-#### [Configure]()
-##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
-##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
-##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
-##### [Schedule scans with Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md)
-##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](microsoft-defender-atp/linux-update-MDE-Linux.md)
-
-#### [Troubleshoot]()
-##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
-##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
-##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
-##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md)
-
-
-#### [Privacy](microsoft-defender-atp/linux-privacy.md)
-#### [Resources](microsoft-defender-atp/linux-resources.md)
-
-
-### [Microsoft Defender for Endpoint for Android]()
-#### [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp/microsoft-defender-atp-android.md)
-
-#### [Deploy]()
-##### [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md)
-
-#### [Configure]()
-##### [Configure Microsoft Defender for Endpoint for Android features](microsoft-defender-atp/android-configure.md)
-
-#### [Privacy]()
-##### [Microsoft Defender for Endpoint for Android - Privacy information](microsoft-defender-atp/android-privacy.md)
-
-#### [Troubleshoot]()
-##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md)
-
-
-### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
-
-## [Security operations]()
-
-### [Endpoint detection and response]()
-#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
-#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
-#### [Incidents queue]()
-##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
-##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
-##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
+### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-#### [Alerts queue]()
-##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
-##### [Review alerts](microsoft-defender-atp/review-alerts.md)
-##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
-##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
-##### [Investigate files](microsoft-defender-atp/investigate-files.md)
-##### [Investigate devices](microsoft-defender-atp/investigate-machines.md)
-##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
-##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
-###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
-##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
-
-#### [Devices list]()
-##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
-##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
-##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
-
-#### [Take response actions]()
-##### [Take response actions on a device]()
-###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
-###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
-###### [Start an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
-###### [Start a Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
-###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
-###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
-###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Isolate devices from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-devices-from-the-network)
-###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
-###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
-
-##### [Take response actions on a file]()
-###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
-###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
-###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
-###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
-###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
-###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-
-#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
-
-#### [Investigate entities using Live response]()
-##### [Investigate entities on devices](microsoft-defender-atp/live-response.md)
-##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
-
-
-
-#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
-
-#### [Reporting]()
-##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
-##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
-#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
-
-### [Behavioral blocking and containment]()
-#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
-#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
-#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
-#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
-
-### [Automated investigation and response (AIR)]()
-#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
-#### [Automation levels in AIR](microsoft-defender-atp/automation-levels.md)
-#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
-
-### [Advanced hunting]()
-#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
-#### [Learn, train, & get examples]()
-##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
-##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
-#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
-#### [Optimize & handle errors]()
-##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-##### [Handle errors](microsoft-defender-atp/advanced-hunting-errors.md)
-##### [Service limits](microsoft-defender-atp/advanced-hunting-limits.md)
-#### [Data schema]()
-##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
-##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
-##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
-##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
-##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
-##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
-##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
-##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
-##### [DeviceFileCertificateInfo](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md)
-##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
-##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
-##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
-##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
-##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
-##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
-##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
-#### [Custom detections]()
-##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
-##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
-
-### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
-
-### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md)
-#### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md)
-
-
-## [How-to]()
-### [Onboard devices to the service]()
-#### [Onboard devices to Microsoft Defender for Endpoint](microsoft-defender-atp/onboard-configure.md)
-#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
-#### [Onboard Windows 10 devices]()
-##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
-##### [Onboard devices using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
-##### [Onboard devices using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
-##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
-##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
-##### [Onboard Windows 10 multi-session devices in Windows Virtual Desktop](microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md)
-
-#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
-#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
-#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
-#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)
-#### [Run simulated attacks on devices](microsoft-defender-atp/attack-simulations.md)
-#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
-#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
-
-#### [Troubleshoot onboarding issues]()
-##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
-##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
-
-### [Manage device configuration]()
-#### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
-#### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
-#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
-#### [Optimize attack surface reduction rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
-
-### [Configure portal settings]()
-#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
-#### [General]()
-##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md)
-##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
-
-#### [Permissions]()
-##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-###### [Create and manage device groups](microsoft-defender-atp/machine-groups.md)
-###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-
-
-#### [Rules]()
-##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Create indicators](microsoft-defender-atp/manage-indicators.md)
-###### [Create indicators for files](microsoft-defender-atp/indicator-file.md)
-###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md)
-###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md)
-###### [Manage indicators](microsoft-defender-atp/indicator-manage.md)
-##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
-##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
-
-#### [Device management]()
-##### [Onboarding devices](microsoft-defender-atp/onboard-configure.md)
-##### [Offboarding devices](microsoft-defender-atp/offboard-machines.md)
-
-#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
-
-### [Configure integration with other Microsoft solutions]()
-#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
-#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-
-### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
-
-### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
-
-## Reference
-### [Management and APIs]()
-#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-#### [Microsoft Defender for Endpoint API]()
-##### [Get started]()
-###### [Microsoft Defender for Endpoint API license and terms](microsoft-defender-atp/api-terms-of-use.md)
-###### [Access the Microsoft Defender for Endpoint APIs](microsoft-defender-atp/apis-intro.md)
-###### [Hello World](microsoft-defender-atp/api-hello-world.md)
-###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
-###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
-###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-
-##### [Microsoft Defender for Endpoint APIs Schema]()
-###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
-###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
-###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
-###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
-
-###### [Alert]()
-####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
-####### [List alerts](microsoft-defender-atp/get-alerts.md)
-####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
-####### [Update Alert](microsoft-defender-atp/update-alert.md)
-####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
-####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
-####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
-####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
-####### [Get alert related device information](microsoft-defender-atp/get-alert-related-machine-info.md)
-####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
-
-###### [Machine]()
-####### [Machine methods and properties](microsoft-defender-atp/machine.md)
-####### [List machines](microsoft-defender-atp/get-machines.md)
-####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
-####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
-####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
-####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
-####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
-####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
-####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
-####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
-####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md)
-####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
-####### [Set device value](microsoft-defender-atp/set-device-value.md)
-
-###### [Machine Action]()
-####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
-####### [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
-####### [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
-####### [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
-####### [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
-####### [Isolate machine](microsoft-defender-atp/isolate-machine.md)
-####### [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
-####### [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
-####### [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
-####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
-####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
-####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
-
-###### [Automated Investigation]()
-####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
-####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
-####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
-####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
-
-###### [Indicators]()
-####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
-####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
-####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md)
-####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
-####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
-
-###### [Domain]()
-####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
-####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
-####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
-
-###### [File]()
-####### [File methods and properties](microsoft-defender-atp/files.md)
-####### [Get file information](microsoft-defender-atp/get-file-information.md)
-####### [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
-####### [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
-####### [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
-
-###### [IP]()
-####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
-####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
-
-###### [User]()
-####### [User methods](microsoft-defender-atp/user.md)
-####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
-####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
-
-###### [Score]()
-####### [Score methods and properties](microsoft-defender-atp/score.md)
-####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
-####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
-
-###### [Software]()
-####### [Software methods and properties](microsoft-defender-atp/software.md)
-####### [List software](microsoft-defender-atp/get-software.md)
-####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
-####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
-####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
-####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
-####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
-
-###### [Vulnerability]()
-####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
-####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
-####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
-####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
-####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
-
-###### [Recommendation]()
-####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
-####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
-####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
-####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
-####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md)
-####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
-
-##### [How to use APIs - Samples]()
-###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
-###### [Power BI](microsoft-defender-atp/api-power-bi.md)
-###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
-###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
-###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
-
-#### [Raw data streaming API]()
-##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
-##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
-##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
-
-#### [SIEM integration]()
-##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
-##### [Microsoft Defender for Endpoint detection fields](microsoft-defender-atp/api-portal-mapping.md)
-##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
-##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
-##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
-
-#### [Partners & APIs]()
-##### [Partner applications](microsoft-defender-atp/partner-applications.md)
-##### [Connected applications](microsoft-defender-atp/connected-applications.md)
-##### [API explorer](microsoft-defender-atp/api-explorer.md)
-
-#### [Role-based access control]()
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-##### [Create and manage device groups]()
-###### [Using device groups](microsoft-defender-atp/machine-groups.md)
-###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-
-#### [Managed security service provider (MSSP) integration]()
-##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
-##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
-##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
-##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
-##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-
-### [Partner integration scenarios]()
-#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
-#### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
-#### [Become a Microsoft Defender for Endpoint partner](microsoft-defender-atp/get-started-partner-integration.md)
-
-
-### [Integrations]()
-#### [Microsoft Defender for Endpoint integrations](microsoft-defender-atp/threat-protection-integration.md)
-#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
-#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-
-
-### [Information protection in Windows overview]()
-#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-
-### [Access the Microsoft Defender for Endpoint Community Center](microsoft-defender-atp/community.md)
-
-### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
-
-
-
-### [Troubleshoot Microsoft Defender for Endpoint]()
-#### [Troubleshoot sensor state]()
-##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
-##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
-##### [Inactive devices](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-devices)
-##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices)
-##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
-
-#### [Troubleshoot Microsoft Defender for Endpoint service issues]()
-##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
-##### [Check service health](microsoft-defender-atp/service-status.md)
-##### [Contact Microsoft Defender for Endpoint support](microsoft-defender-atp/contact-support.md)
-
-
-#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
-
-#### [Collect support logs using LiveAnalyzer ](microsoft-defender-atp/troubleshoot-collect-support-log.md)
-
-#### [Troubleshoot attack surface reduction issues]()
-##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
-##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
-
-#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
-
-
-
-
-
+## [Device control]()
+### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
+### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+### [Device control report](device-control/device-control-report.md)
+## [Network firewall]()
+### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
+### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
## [Security intelligence](intelligence/index.md)
### [Understand malware & other threats](intelligence/understanding-malware.md)
@@ -756,6 +143,30 @@
#### [Software developer FAQ](intelligence/developer-faq.md)
#### [Software developer resources](intelligence/developer-resources.md)
+## [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
+### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md)
+### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+### [Account protection](windows-defender-security-center/wdsc-account-protection.md)
+### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
+### [Device security](windows-defender-security-center/wdsc-device-security.md)
+### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
+#### [Family options](windows-defender-security-center/wdsc-family-options.md)
+
+## [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
+### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md)
+### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md)
+
+
+## [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
+### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
+### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
+
+### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+
## Windows Certifications
### [FIPS 140 Validations](fips-140-validation.md)
@@ -763,31 +174,6 @@
## More Windows 10 security
-
-### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
-#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
-#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md)
-#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-#### [Account protection](windows-defender-security-center/wdsc-account-protection.md)
-#### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
-#### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
-#### [Device security](windows-defender-security-center/wdsc-device-security.md)
-#### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
-#### [Family options](windows-defender-security-center/wdsc-family-options.md)
-
-
-### [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
-#### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md)
-#### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md)
-
-
-### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
-#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
-#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
-
-### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
@@ -1341,7 +727,3 @@
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-
-## [Change history for Threat protection](change-history-for-threat-protection.md)
-
-
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 7da7e7d670..ef4138dc66 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -21,6 +21,8 @@ ms.technology: mde
- Windows 10
- Windows Server 2016
+> [!NOTE]
+> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
@@ -61,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
-
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
deleted file mode 100644
index 50746cadf8..0000000000
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)"
-ms.reviewer:
-ms.author: dansimp
-description: This topic lists new and updated topics in the Defender for Endpoint content set.
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: dulcemontemayor
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.localizationpriority: medium
-ms.technology: mde
----
-
-# Change history for threat protection
-This topic lists new and updated topics in the [Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation.
-
-## August 2018
-
-New or changed topic | Description
----------------------|------------
-[Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
-
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
deleted file mode 100644
index d743f3eae6..0000000000
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Memory integrity
-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
-description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Memory integrity
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments.
-
-For more information about Windows Security, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index f0f08773af..80d1cc5846 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -18,10 +18,15 @@ ms.technology: mde
---
# Threat Protection
-[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
@@ -51,28 +56,28 @@ ms.technology: mde
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
-**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
+**[Threat & vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-- [Get started](microsoft-defender-atp/tvm-prerequisites.md)
-- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md)
-- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md)
-- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md)
+- [Threat & vulnerability management overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
+- [Get started](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
+- [Access your security posture](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
+- [Improve your security posture and reduce risk](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
+- [Understand vulnerabilities on your devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
-**[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
+**[Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
-- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
-- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+- [Exploit protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)
+- [Network protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection), [web protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview)
+- [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
+- [Attack surface reduction rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction)
@@ -87,48 +92,51 @@ To further reinforce the security perimeter of your network, Microsoft Defender
-**[Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)**
+**[Endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections.
-- [Alerts](microsoft-defender-atp/alerts-queue.md)
-- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline)
+- [Alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/alerts-queue)
+- [Historical endpoint data](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
- [Response orchestration](microsoft-defender-atp/response-actions.md)
-- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
-- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md)
-- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md)
- - [Custom detections](microsoft-defender-atp/overview-custom-detections.md)
+- [Forensic collection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
+- [Threat intelligence](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
+- [Advanced detonation and analysis service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
+- [Advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
+ - [Custom detections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-custom-detections)
-**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+**[Automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)**
+In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
-- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
-- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
+- [Get an overview of automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)
+- [Learn about automation levels](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels)
+- [Configure automated investigation and remediation in Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
+- [Visit the Action center to see remediation actions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
+- [Review remediation actions following an automated investigation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-auto-investigation)
+- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
-**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
+**[Microsoft Threat Experts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
-- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
-- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
-- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+- [Targeted attack notification](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Experts-on-demand](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Configure your Microsoft 365 Defender managed hunting service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
-**[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
+**[Centralized configuration and administration, APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis)**
Integrate Microsoft Defender for Endpoint into your existing workflows.
-- [Onboarding](microsoft-defender-atp/onboard-configure.md)
-- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
-- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
-- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
-- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md)
+- [Onboarding](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
+- [API and SIEM integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-siem)
+- [Exposed APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro)
+- [Role-based access control (RBAC)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/rbac)
+- [Reporting and trends](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-reports)
-**[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
+**[Integration with Microsoft solutions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration)**
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Intune
- Microsoft Defender for Office 365
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 869519e673..0c75b48120 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -172,7 +172,7 @@ Microsoft uses specific categories and the category definitions to classify soft
* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
-* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
+* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 45f1877661..03eb9157aa 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -94,7 +94,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
-* [Controlled folder access](../microsoft-defender-atp/enable-controlled-folders.md) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
@@ -108,7 +108,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
-* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
+* [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
* [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index 851d1f8c50..77e6f67c32 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -62,6 +62,6 @@ We recommend:
* Educate your employees so they can identify social engineering and spear-phishing attacks.
-* [Controlled folder access](../microsoft-defender-atp/controlled-folders.md). It can stop ransomware from encrypting files and holding the files for ransom.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index a9c1588361..c2e32ce5d1 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -39,12 +39,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
## System requirements
-Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
+Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
## How to run a scan
1. Download this tool and open it.
-2. Select the type of scan you want run and start the scan.
+2. Select the type of scan that you want to run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
To remove this tool, delete the executable file (msert.exe by default).
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 09dc088c59..34fc1933f8 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -25,14 +25,14 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
A script can help you with an alternative to MBSA’s patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
-For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
[](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
-The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
## More Information
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 53cc0585bb..1d3f01234e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index db2a7a7f8e..6ed065117c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 04a84573cc..8ab6bc321a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
-ms.date: 08/17/2020
+ms.date: 03/19/2021
ms.technology: mde
---
@@ -23,14 +23,13 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
+You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
-> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
->
-> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
-| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
+| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
@@ -76,7 +75,9 @@ MpCmdRun.exe -Scan -ScanType 2
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-## Related topics
+## See also
+- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
index 060cddd476..3c463a5169 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can manage and configure Microsoft Defender Antivirus with the following tools:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 7782d63b95..bf309eba5d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Use Microsoft Intune to configure scanning options
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 801001d7ef..96b78f6e1c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index fc9ab62d48..6fc2a16ea3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index 91d207c1bc..a9d1ba4f3b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index beb6882a8b..1f020f0372 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index 49091cb89b..fa58bbf100 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -22,15 +22,17 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
## Exclusion lists
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+**Note**: Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
+
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 4b69f181b0..c9e9e785d1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
index 6185228b0b..07bd54a1a4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can configure Microsoft Defender Antivirus with a number of tools, including:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index f00a35da1f..c4ecf2347a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
@@ -41,16 +41,16 @@ See the blog post [Important changes to Microsoft Active Protection Services end
## Allow connections to the Microsoft Defender Antivirus cloud service
-The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it's called a cloud service, it's not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
@@ -60,14 +60,14 @@ The table below lists the services and their associated URLs. Make sure that the
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
| Microsoft Update Service (MU)
Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
`*.delivery.mp.microsoft.com`
`*.windowsupdate.com`
For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` `*.download.windowsupdate.com` `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` |
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus2eastprod.blob.core.windows.net`
`ussus3eastprod.blob.core.windows.net`
`ussus4eastprod.blob.core.windows.net`
`wsus1eastprod.blob.core.windows.net`
`wsus2eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`ussus2westprod.blob.core.windows.net`
`ussus3westprod.blob.core.windows.net`
`ussus4westprod.blob.core.windows.net`
`wsus1westprod.blob.core.windows.net`
`wsus2westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`wseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`wseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`wsuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`wsuk1westprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
-After allowing the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
+After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
@@ -84,24 +84,24 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun
**Attempt to download a fake malware file from Microsoft:**
-You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
+You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
>[!NOTE]
->This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
+>This file is not an actual piece of malware. It's a fake file that is designed to test if you're properly connected to the cloud.
-If you are properly connected, you will see a warning Microsoft Defender Antivirus notification.
+If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
-If you are using Microsoft Edge, you'll also see a notification message:
+If you're using Microsoft Edge, you'll also see a notification message:
-A similar message occurs if you are using Internet Explorer:
+A similar message occurs if you're using Internet Explorer:
-You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
+You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index 1660b6284e..0b1a46fded 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index 52641f673b..94b265a644 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 12fa08755b..f10ed3e4fb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus uses several methods to provide threat protection:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
index 63abc5021b..d60c180cfa 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
index 95cd08db31..649147511a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Remediate and resolve infections detected by Microsoft Defender Antivirus
+title: Configure remediation for Microsoft Defender Antivirus detections
description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
@@ -11,47 +11,45 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 01/06/2021
+ms.date: 03/16/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
---
-# Configure remediation for Microsoft Defender Antivirus scans
+# Configure remediation for Microsoft Defender Antivirus detections
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
-This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) to configure these settings.
## Configure remediation options
-You can configure how remediation works with the Group Policy settings described in this section.
-
-To configure these settings:
-
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
-4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
+4. Using the table below, select a location, and then edit the policy as needed.
+
+5. Select **OK**.
|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
-|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
+|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | 90 days |
|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
@@ -64,7 +62,7 @@ To configure these settings:
Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
-## Related topics
+## See also
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 75911ebb62..ce00979c0f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -1,8 +1,8 @@
---
-title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019
+title: Configure Microsoft Defender Antivirus exclusions on Windows Server
ms.reviewer:
manager: dansimp
-description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
+description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
@@ -14,6 +14,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.technology: mde
+ms.date: 02/10/2021
---
# Configure Microsoft Defender Antivirus exclusions on Windows Server
@@ -22,10 +23,9 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
+Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
@@ -36,33 +36,29 @@ In addition to server role-defined automatic exclusions, you can add or remove c
## A few points to keep in mind
+Keep the following important points in mind:
+
- Custom exclusions take precedence over automatic exclusions.
-
- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
-
- Custom and duplicate exclusions do not conflict with automatic exclusions.
-
- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
-In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
@@ -73,11 +69,12 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+To learn more, see the following resources:
-[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
@@ -96,54 +93,42 @@ The following sections contain the exclusions that are delivered with automatic
This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
+> [!NOTE]
+> The default locations could be different than what's listed in this article.
+
#### Windows "temp.edb" files
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
-
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
-
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
-
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
-
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
-
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files
- `%windir%\Security\database\*.chk`
-
- `%windir%\Security\database\*.edb`
-
- `%windir%\Security\database\*.jrs`
-
- `%windir%\Security\database\*.log`
-
- `%windir%\Security\database\*.sdb`
#### Group Policy files
- `%allusersprofile%\NTUser.pol`
-
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
-
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files
- `%systemroot%\System32\Wins\*\*.chk`
-
- `%systemroot%\System32\Wins\*\*.log`
-
- `%systemroot%\System32\Wins\*\*.mdb`
-
- `%systemroot%\System32\LogFiles\`
-
- `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions
@@ -151,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- `%windir%\Ntfrs\jet\sys\*\edb.chk`
-
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
-
- `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
@@ -174,33 +157,21 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- `%systemdrive%\System Volume Information\DFSR\$db_normal$`
-
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
-
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
-
- `%systemdrive%\System Volume Information\DFSR\*.XML`
-
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
-
- `%systemdrive%\System Volume Information\DFSR\$db_clean$`
-
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
-
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
-
- `%systemdrive%\System Volume Information\DFSR\*.frx`
-
- `%systemdrive%\System Volume Information\DFSR\*.log`
-
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
-
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions
- `%systemroot%\System32\dfsr.exe`
-
- `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions
@@ -214,23 +185,16 @@ The following table lists the file type exclusions, folder exclusions, and proce
#### SYSVOL files
- `%systemroot%\Sysvol\Domain\*.adm`
-
- `%systemroot%\Sysvol\Domain\*.admx`
-
- `%systemroot%\Sysvol\Domain\*.adml`
-
- `%systemroot%\Sysvol\Domain\Registry.pol`
-
- `%systemroot%\Sysvol\Domain\*.aas`
-
- `%systemroot%\Sysvol\Domain\*.inf`
-
-- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
-
+- `%systemroot%\Sysvol\Domain\*Scripts.ini`
- `%systemroot%\Sysvol\Domain\*.ins`
-
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
+
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
@@ -240,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- `%windir%\Ntds\ntds.dit`
-
- `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files
@@ -248,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- `%windir%\Ntds\EDB*.log`
-
- `%windir%\Ntds\Res*.log`
-
- `%windir%\Ntds\Edb*.jrs`
-
- `%windir%\Ntds\Ntds*.pat`
-
- `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder
@@ -262,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- `%windir%\Ntds\Temp.edb`
-
- `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe`
-
- `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions
@@ -276,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- `%systemroot%\System32\DHCP\*\*.mdb`
-
- `%systemroot%\System32\DHCP\*\*.pat`
-
- `%systemroot%\System32\DHCP\*\*.log`
-
- `%systemroot%\System32\DHCP\*\*.chk`
-
- `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions
@@ -292,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log`
-
- `%systemroot%\System32\Dns\*\*.dns`
-
- `%systemroot%\System32\Dns\*\*.scc`
-
- `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role
@@ -308,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- `%SystemDrive%\ClusterStorage`
-
- `%clusterserviceaccount%\Local Settings\Temp`
-
- `%SystemDrive%\mscs`
### Print Server exclusions
@@ -320,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions
- `*.shd`
-
- `*.spl`
#### Folder exclusions
@@ -340,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
-
- `%systemDrive%\inetpub\logs`
-
- `%systemDrive%\inetpub\wwwroot`
#### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe`
-
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
-
- `%SystemDrive%\PHP5433\php-cgi.exe`
+#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
+
+The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
+
+- `%systemroot%\Sysvol\Domain`
+- `%systemroot%\Sysvol_DFSR\Domain`
+
+The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
+
+Exclude the following files from this folder and all its subfolders:
+
+- `*.adm`
+- `*.admx`
+- `*.adml`
+- `Registry.pol`
+- `Registry.tmp`
+- `*.aas`
+- `*.inf`
+- `Scripts.ini`
+- `*.ins`
+- `Oscfilter.ini`
+
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- `%systemroot%\WSUS\WSUSContent`
-
- `%systemroot%\WSUS\UpdateServicesDBFiles`
-
- `%systemroot%\SoftwareDistribution\Datastore`
-
- `%systemroot%\SoftwareDistribution\Download`
-## Related articles
+## See also
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
index 10b6622a43..142404566a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index a2a610032c..0fdf549b5e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index 01a88d64d7..c5543f30ef 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index c27135a1f6..38beb9a21f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index ef143bfe39..3f58a55cf2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index f56820cf7f..5db7a67597 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -6,12 +6,12 @@ search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: detect
ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: high
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date: 02/03/2021
+ms.date: 03/10/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
> [!NOTE]
@@ -41,9 +41,7 @@ Here are some examples:
> [!TIP]
> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
-Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up.
-
-PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.
+Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.
## Microsoft Edge
@@ -64,11 +62,9 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
-Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
-Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
-[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
+Security admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
## Microsoft Defender Antivirus
@@ -77,9 +73,7 @@ The potentially unwanted application (PUA) protection feature in Microsoft Defen
> [!NOTE]
> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.
-Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
-
-When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
+Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
@@ -112,13 +106,21 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
#### Use Group Policy to configure PUA protection
1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
+
2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+
3. Select the Group Policy Object you want to configure, and then choose **Edit**.
+
4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
+
5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
+
6. Double-click **Configure detection for potentially unwanted applications**.
+
7. Select **Enabled** to enable PUA protection.
+
8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
+
9. Deploy your Group Policy object as you usually do.
#### Use PowerShell cmdlets to configure PUA protection
@@ -151,7 +153,7 @@ Setting the value for this cmdlet to `Disabled` turns the feature off if it has
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-### View PUA events
+## View PUA events
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
@@ -174,11 +176,11 @@ You can turn on email notifications to receive mail about PUA detections.
See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
-### Allow-listing apps
+## Excluding files
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
-For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions).
+For more information, see [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
## See also
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index 483ca94393..50a4a72090 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index e56c78b8f3..66772cfa88 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png
new file mode 100644
index 0000000000..f7fa41a4ac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
index 0e6a552e4c..7140c5d055 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -25,7 +25,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index 8dc17adfac..74ef6bcfea 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 668830b824..39cd346198 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index 494811e6e8..f7570bbf51 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus lets you determine when it should look for and download updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index acd96cc68b..fb8bee0025 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22154037)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 0d5c3a2ccf..4fd8f01ece 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 02/04/2021
+ms.date: 03/19/2021
ms.technology: mde
---
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
@@ -35,7 +35,7 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
>
-> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
## Security intelligence updates
@@ -48,7 +48,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
+For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
@@ -78,11 +78,28 @@ All our updates contain
January-2021 (Platform: 4.18.2101.8 | Engine: 1.1.17800.5)
+ February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)
+
+ Security intelligence update version: **1.333.7.0**
+ Released: **March 9, 2021**
+ Platform: **4.19.2102.3**
+ Engine: **1.1.17900.7**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+- Extend tamper protection scope
+
+### Known Issues
+No known issues
+
+ January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)
Security intelligence update version: **1.327.1854.0**
Released: **February 2, 2021**
- Platform: **4.18.2101.8**
+ Platform: **4.18.2101.9**
Engine: **1.1.17800.5**
Support phase: **Security and Critical Updates**
@@ -93,6 +110,7 @@ All our updates contain
- Increased visibility for credential stealing attempts
- Improvements in antitampering features in Microsoft Defender Antivirus services
- Improved support for ARM x64 emulation
+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
### Known Issues
No known issues
@@ -113,7 +131,13 @@ No known issues
### Known Issues
No known issues
-
+ October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)
Security intelligence update version: **1.327.7.0**
@@ -133,20 +157,14 @@ No known issues
No known issues
-
- September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
Security intelligence update version: **1.325.10.0**
Released: **October 01, 2020**
Platform: **4.18.2009.7**
Engine: **1.1.17500.4**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade support (only)**
### What's new
@@ -172,7 +190,8 @@ No known issues
Released: **August 27, 2020**
Platform: **4.18.2008.9**
Engine: **1.1.17400.5**
-
+ Support phase: **Technical upgrade support (only)**
+
### What's new
- Add more telemetry events
@@ -332,7 +351,7 @@ Engine: **1.1.16700.2**
- Fixed BSOD on WS2016 with Exchange
- Support platform updates when TMP is redirected to network path
-- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
+- Platform and engine versions are added to [WDSI](https://www.microsoft.com/en-us/wdsi/defenderupdates)
- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
- Fix 4.18.1911.3 hang
@@ -388,7 +407,7 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
|Windows 10 release |Platform version |Engine version |Support phase |
|:---|:---|:---|:---|
-|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) |
+|2004 (20H1/20H2) |4.18.1909.6 |1.1.17000.2 | Technical upgrade support (only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
@@ -406,6 +425,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
1.1.2103.01
+
+ Package version: **1.1.2103.01**
+ Platform version: **4.18.2101.9**
+ Engine version: **1.17800.5**
+ Signature version: **1.331.2302.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2102.03
Package version: **1.1.2102.03**
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index 8f192cc64b..27e095d876 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 20419165db..03123a1dcc 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
-ms.date: 01/27/2021
+ms.date: 02/09/2021
ms.technology: mde
---
@@ -23,14 +23,14 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Overview
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
+- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
## Antivirus and Microsoft Defender for Endpoint
@@ -43,8 +43,8 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode [[1](#fn1)] |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually) [[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) [[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
@@ -56,12 +56,12 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: `ForceDefenderPassiveMode`
+- Name: `ForcePassiveMode`
- Type: `REG_DWORD`
- Value: `1`
> [!NOTE]
-> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016.
+> The `ForcePassiveMode` registry key is not supported on Windows Server 2016.
(2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
@@ -102,15 +102,15 @@ The table in this section summarizes the functionality and features that are ava
- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+- When [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
-- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/defender-compatibility) in order to properly monitor your devices and network for intrusion attempts and attacks.
- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
-- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware.
+- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. For optimal security layered defense and detection efficacy, please ensure that you update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine and Platform)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) even if Microsoft Defender Antivirus is running in passive mode.
If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
@@ -122,7 +122,7 @@ The table in this section summarizes the functionality and features that are ava
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
-- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
+- [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode)
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
index 63a22fd4f7..0c2b8d058a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Microsoft Defender Antivirus: Your next-generation protection
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 0f1c9bbc2f..3404f99585 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -22,7 +22,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
- Windows Server 2019
@@ -177,7 +177,7 @@ If you are using a non-Microsoft antivirus product as your primary antivirus sol
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: `ForceDefenderPassiveMode`
+- Name: `ForcePassiveMode`
- Type: `REG_DWORD`
- Value: `1`
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
index b22545f7af..a63d9f70b3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 427ebf59db..10efa22a65 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -23,33 +23,31 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
->
-> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->
-> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
>
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed.
> This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
-The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
## Review virus and threat protection settings in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
## Comparison of settings and functions of the old app and the new app
All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
@@ -58,15 +56,16 @@ The following diagrams compare the location of settings and functions between th
-
+> [!div class="mx-imgBorder"]
+> 
-Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
----|---|---|---
-1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
-2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
-3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
-5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
+| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description |
+|:---|:---|:---|:---|
+| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) |
+| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed |
+| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission |
+| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan |
+| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option |
## Common tasks
@@ -81,40 +80,39 @@ This section describes how to perform some of the most common tasks when reviewi
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Click **Scan now**.
+3. Select **Scan now**.
-4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
+4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan.
### Review the security intelligence update version and download the latest updates in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
- 
-
-4. Click **Check for updates** to download new protection updates (if there are any).
+4. Select **Check for updates** to download new protection updates (if there are any).
### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Click **Virus & threat protection settings**.
+3. Select **Virus & threat protection settings**.
4. Toggle the **Real-time protection** switch to **On**.
> [!NOTE]
> If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >
- > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
+ > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
@@ -122,13 +120,14 @@ This section describes how to perform some of the most common tasks when reviewi
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Click **Virus & threat protection settings**.
+3. Under the **Manage settings**, select **Virus & threat protection settings**.
-4. Under the **Exclusions** setting, click **Add or remove exclusions**.
+4. Under the **Exclusions** setting, select **Add or remove exclusions**.
+
+5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
-5. Click the plus icon to choose the type and set the options for each exclusion.
The following table summarizes exclusion types and what happens:
@@ -140,19 +139,19 @@ The following table summarizes exclusion types and what happens:
|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
+To learn more, see the following resources:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
- 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
- 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
- 3. Click **Threat history**
-
- 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Select **Threat history**
+
+4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
@@ -160,14 +159,13 @@ To learn more, see:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Click **Ransomware protection**.
+3. Select **Ransomware protection**.
-4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard).
+4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders).
-5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## Related articles
+5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
+## See also
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 7f35ddf666..5f2be1828e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -25,7 +25,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- Microsoft Defender Antivirus
- Microsoft 365
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 4a620da214..e77818c9df 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 01/07/2021
+ms.date: 03/22/2021
ms.technology: mde
---
@@ -25,12 +25,14 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+Tamper protection is available for devices that are running one of the following versions of Windows:
-Tamper protection is available on devices running the following versions of Windows:
-
- Windows 10
-- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
+- Windows Server 2019
+- Windows Server, version 1803 or later
+- Windows Server 2016
## Overview
@@ -49,80 +51,98 @@ With tamper protection, malicious apps are prevented from taking actions such as
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
-- Configuring settings in Registry Editor on your Windows machine
+- Configuring settings in Registry Editor on your Windows device
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team.
+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
### What do you want to do?
-1. Turn tamper protection on
- - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine).
- - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
- - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006)
+| To perform this task... | See this section... |
+|:---|:---|
+| Turn tamper protection on (or off) in the Microsoft Defender Security Center
+1. Set up tenant attach. To get help with this, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
- In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
-
- In the **Profile** list, select **Windows Security experience (preview)**.
-
- The following screenshot illustrates how to create your policy:
-
- :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager":::
3. Deploy the policy to your device collection.
-Need help? See the following resources:
+### Need help with this method?
+
+See the following resources:
- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings)
-
- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
+## Manage tamper protection on an individual device
+
+> [!NOTE]
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
+>
+> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once you’ve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.
+
+Here's what you see in the Windows Security app:
+
+
+
+1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
+
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+
+3. Set **Tamper Protection** to **On** or **Off**.
+
+
## View information about tampering attempts
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
@@ -180,13 +219,13 @@ In the results, you can select **Turn on Tamper Protection** to learn more and t
-To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
+To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
## Frequently asked questions
### To which Windows OS versions is configuring tamper protection is applicable?
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
@@ -200,13 +239,13 @@ Devices that are onboarded to Microsoft Defender for Endpoint will have Microsof
### How can I turn tamper protection on/off?
-If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
-If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
+If you are an organization using [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
-- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
-
-- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)
+- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune)
+- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview)
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
@@ -218,11 +257,13 @@ Configuring tamper protection in Intune or Microsoft Endpoint Manager can be tar
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
-If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin).
+If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:
+- [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
@@ -240,7 +281,7 @@ If a device is off-boarded from Microsoft Defender for Endpoint, tamper protecti
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
-In addition, your security operations team can use hunting queries, such as the following example:
+Your security operations team can also use hunting queries, such as the following example:
`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
@@ -250,6 +291,6 @@ In addition, your security operations team can use hunting queries, such as the
[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+[Get an overview of Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 93d033b274..9505edb6c6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index f6c46b93b9..63b1cef153 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index e3f5c1f0fe..3aee622427 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index 4168fb1d63..82de267b72 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index 5a65b6a165..b9d6853c2a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index ce888c039c..d3af9f6b9d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index 1e4c37caba..e65babbf90 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
index d0c2933ef9..aed5140af3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@@ -22,7 +22,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
@@ -123,7 +123,7 @@ Microsoft Defender Antivirus will automatically turn on if no other antivirus is
> [!WARNING]
> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
-Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index b65212267f..6d48b38885 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index 0b3b787b77..4ec6d05d04 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!IMPORTANT]
> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index b3383fd1a6..decb62a445 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index 75f4f1b7cc..dcd08baa99 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 078fbf7fab..dc441c48cf 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index 92f746d03d..bfcce9630c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -24,7 +24,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index 5bc184057b..88cba327be 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
index bf55abf1c4..5f4d1c7ced 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -24,34 +24,34 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
-Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender for Endpoint).
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (Microsoft Defender for Endpoint).
-Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations), you get better protection that's coordinated across products and services.
## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
-| |Advantage |Why it matters |
+|# |Advantage |Why it matters |
|--|--|--|
|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
-|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md).|
+|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-analytics) and [Microsoft Secure Score for Devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/evaluate-mde).|
|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).|
-|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
-|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
-|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.) |
|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
|10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
+|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/troubleshoot-mde) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
## Learn more
-[Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
-[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+[Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index bbab8b350a..6eddda97d7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -18,7 +18,7 @@ ms.technology: mde
# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 919fc5c18b..e63bfdaf57 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -18,7 +18,7 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Review system requirements
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 0c7e53c3fb..89dc438cda 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
deleted file mode 100644
index 3abe07fc71..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-title: Onboard Windows 10 multi-session devices in Windows Virtual Desktop
-description: Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop
-keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
-author: dansimp
-ms.author: dansimp
-ms.custom: nextgen
-ms.date: 02/04/2021
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Onboard Windows 10 multi-session devices in Windows Virtual Desktop
-
-Applies to:
-- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
-
-Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
-
- ## Before you begin
-Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
-
-> [!NOTE]
-> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either:
-> - Single entry for each virtual desktop
-> - Multiple entries for each virtual desktop
-
-Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
-
-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
-
-> [!NOTE]
-> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
-
-## Scenarios
-There are several ways to onboard a WVD host machine:
-
-- Run the script in the golden image (or from a shared location) during startup.
-- Use a management tool to run the script.
-
-### Scenario 1: Using local group policy
-This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
-
-Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
-
-Follow the instructions for a single entry for each device.
-
-### Scenario 2: Using domain group policy
-This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
-
-#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
-1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- - Select Windows 10 as the operating system.
- - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
- - Click **Download package** and save the .zip file.
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
-
-#### Use Group Policy management console to run the script when the virtual machine starts
-1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
-1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
-1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field.
-Enter the following:
-
-> Action = "Start a program"
-> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
-> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"
-
-Click **OK** and close any open GPMC windows.
-
-### Scenario 3: Onboarding using management tools
-
-If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
-
-For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
-
-> [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
-
-## Tagging your machines when building your image
-
-As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
-[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value).
-
-## Other recommended configuration settings
-
-When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
-
-In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
-
-### Exclude Files
-
-> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
-> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
-> %ProgramFiles%\FSLogix\Apps\frxccd.sys
-> %TEMP%\*.VHD
-> %TEMP%\*.VHDX
-> %Windir%\TEMP\*.VHD
-> %Windir%\TEMP\*.VHDX
-> \\storageaccount.file.core.windows.net\share\*\*.VHD
-> \\storageaccount.file.core.windows.net\share\*\*.VHDX
-
-### Exclude Processes
-
-> %ProgramFiles%\FSLogix\Apps\frxccd.exe
-> %ProgramFiles%\FSLogix\Apps\frxccds.exe
-> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
-
-## Licensing requirements
-
-Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
deleted file mode 100644
index c2ef3ab727..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Access the Microsoft Defender Security Center MSSP customer portal
-description: Access the Microsoft Defender Security Center MSSP customer portal
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Access the Microsoft Defender Security Center MSSP customer portal
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-
-
->[!NOTE]
->These set of steps are directed towards the MSSP.
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
-
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials.
-
-2. Switch directory to the MSSP customer's tenant.
-
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Configure alert notifications](configure-mssp-notifications.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
deleted file mode 100644
index 2a992e5e4f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Add or Remove Machine Tags API
-description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, tags, machine tags
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Add or Remove Machine Tags API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-
-Adds or remove tag to a specific [Machine](machine.md).
-
-## Limitations
-
-1. You can post on machines last seen according to your configured retention period.
-
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->
->- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Value | String | The tag name. **Required**.
-Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
-
-
-## Response
-
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
-
-## Example
-
-**Request**
-
-Here is an example of a request that adds machine tag.
-
-```
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
-```
-
-```json
-{
- "Value" : "test Tag 2",
- "Action": "Add"
-}
-```
-
-- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
deleted file mode 100644
index 20f0d4f434..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ /dev/null
@@ -1,211 +0,0 @@
----
-title: Configure advanced features in Microsoft Defender ATP
-description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection.
-keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure advanced features in Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
-
-Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
-
-Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
-
-## Automated investigation
-
-Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
-
-## Live response
-
-Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
-
-For more information about role assignments, see [Create and manage roles](user-roles.md).
-
-## Live response for servers
-Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
-
-For more information about role assignments, see [Create and manage roles](user-roles.md).
-
-
-## Live response unsigned script execution
-
-Enabling this feature allows you to run unsigned scripts in a live response session.
-
-## Autoresolve remediated alerts
-
-For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
-
->[!TIP]
->For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
-
->[!NOTE]
->
->- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-
-## Allow or block file
-
-Blocking is only available if your organization fulfills these requirements:
-
-- Uses Microsoft Defender Antivirus as the active antimalware solution and,
-- The cloud-based protection feature is enabled
-
-This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization.
-
-To turn **Allow or block** files on:
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
-
-1. Toggle the setting between **On** and **Off**.
-
- 
-
-1. Select **Save preferences** at the bottom of the page.
-
-After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
-
-## Custom network indicators
-
-Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
-
-To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
-
-For more information, see [Manage indicators](manage-indicators.md).
-
->[!NOTE]
->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data.
-
-## Show user details
-
-Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
-
-- Security operations dashboard
-- Alert queue
-- Device details page
-
-For more information, see [Investigate a user account](investigate-user.md).
-
-## Skype for Business integration
-
-Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
-
->[!NOTE]
-> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
-
-## Azure Advanced Threat Protection integration
-
-The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
-
-## Microsoft Secure Score
-
-Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
-
-### Enable the Defender for Endpoint integration from the Azure ATP portal
-
-To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
-
-1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
-
-2. Click **Create your instance**.
-
-3. Toggle the Integration setting to **On** and click **Save**.
-
-After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
-
-## Office 365 Threat Intelligence connection
-
-This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-
-When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
-
-To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
-
-## Microsoft Threat Experts
-
-Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it.
-
->[!NOTE]
->The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
-
-## Microsoft Cloud App Security
-
-Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
-
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
-
-## Azure Information Protection
-
-Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
-
-## Microsoft Intune connection
-
-Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
-
->[!IMPORTANT]
->You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
-
-This feature is only available if you have the following:
-
-- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
-- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
-
-### Conditional Access policy
-
-When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
-
->[!NOTE]
-> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
-
-
-## Preview features
-
-Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
-
-You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
-
-## Share endpoint alerts with Microsoft Compliance Center
-
-Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
-
-After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
-
-## Enable advanced features
-
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
-2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
-3. Click **Save preferences**.
-
-## Related topics
-
-- [Update data retention settings](data-retention-settings.md)
-- [Configure alert notifications](configure-email-notifications.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
deleted file mode 100644
index 276a068e26..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
-description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/20/2020
-ms.technology: mde
----
-
-# AssignedIPAddresses()
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
-
-This function returns a table with the following columns:
-
-Column | Data type | Description
--|-|-
-`Timestamp` | datetime | Latest time when the device was observed using the IP address
-`IPAddress` | string | IP address used by the device
-`IPType` | string | Indicates whether the IP address is a public or private address
-`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
-`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
-
-## Syntax
-
-```kusto
-AssignedIPAddresses(x, y)
-```
-
-## Arguments
-
-- **x**—`DeviceId` or `DeviceName` value identifying the device
-- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
-
-## Examples
-
-### Get the list of IP addresses used by a device 24 hours ago
-
-```kusto
-AssignedIPAddresses('example-device-name', ago(1d))
-```
-
-### Get IP addresses used by a device and find devices communicating with it
-
-This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices.
-
-```kusto
-let Date = datetime(example-date);
-let DeviceName = "example-device-name";
-// List IP addresses used on or before the specified date
-AssignedIPAddresses(DeviceName, Date)
-| project DeviceName, IPAddress, AssignedTime = Timestamp
-// Get all network events on devices with the assigned IP addresses as the destination addresses
-| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
-// Get only network events around the time the IP address was assigned
-| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
-```
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
deleted file mode 100644
index a7e13d3cdf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Query best practices for advanced hunting
-description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: m365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Advanced hunting query best practices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
-
-## Optimize query performance
-
-Apply these recommendations to get results faster and avoid timeouts while running complex queries.
-
-- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
-- Use time filters first. Ideally, limit your queries to seven days.
-- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
-- Use the `has` operator over `contains` when looking for full tokens.
-- Look in a specific column rather than running full text searches across all columns.
-- When joining tables, specify the table with fewer rows first.
-- `project` only the necessary columns from tables you've joined.
-
->[!TIP]
->For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
-
-## Query tips and pitfalls
-
-### Queries with process IDs
-
-Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
-
-The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
-
-```kusto
-DeviceNetworkEvents
-| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
-| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
-| where RemoteIPCount > 10
-```
-
-The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
-
-### Queries with command lines
-
-Command lines can vary. When applicable, filter on file names and do fuzzy matching.
-
-There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
-
-To create more durable queries using command lines, apply the following practices:
-
-- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
-- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
-- Use case insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in` and `contains_cs`
-- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
-
-The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
-
-```kusto
-// Non-durable query - do not use
-DeviceProcessEvents
-| where ProcessCommandLine == "net stop MpsSvc"
-| limit 10
-
-// Better query - filters on filename, does case-insensitive matches
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
-
-// Best query also ignores quotes
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
-| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
-| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
-```
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
deleted file mode 100644
index 3c5026b44c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: DeviceAlertEvents table in the advanced hunting schema
-description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/22/2020
-ms.technology: mde
----
-
-# DeviceAlertEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `AlertId` | string | Unique identifier for the alert |
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| `Category` | string | Type of threat indicator or breach activity identified by the alert |
-| `Title` | string | Title of the alert |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `Table` | string | Table that contains the details of the event |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
deleted file mode 100644
index 33c2baedda..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: DeviceEvents table in the advanced hunting schema
-description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` |string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
deleted file mode 100644
index f939a66576..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: DeviceFileCertificateInfo table in the advanced hunting schema
-description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/14/2020
-ms.technology: mde
----
-
-# DeviceFileCertificateInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `IsSigned` | boolean | Indicates whether the file is signed |
-| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
-| `Signer` | string | Information about the signer of the file |
-| `SignerHash` | string | Unique hash value identifying the signer |
-| `Issuer` | string | Information about the issuing certificate authority (CA) |
-| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
-| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
-| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
-| `CertificateCreationTime` | datetime | Date and time the certificate was created |
-| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
-| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
-| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
-| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
-
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
deleted file mode 100644
index f7a83b8132..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: DeviceFileEvents table in the advanced hunting schema
-description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceFileEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
-| `ShareName` | string | Name of shared folder containing the file |
-| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
-| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
-| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
-| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
-| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
-| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
-| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
deleted file mode 100644
index 5d5663f9e9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: DeviceImageLoadEvents table in the advanced hunting schema
-description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceImageLoadEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
deleted file mode 100644
index 47e3f44b7e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: DeviceInfo table in the advanced hunting schema
-description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device |
-| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
-| `OSBuild` | string | Build version of the operating system running on the device |
-| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory |
-| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format |
-| `RegistryDeviceTag` | string | Device tag added through the registry |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
deleted file mode 100644
index e9062bbd6b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: DeviceLogonEvents table in the advanced hunting schema
-description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceLogonEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
-
-> [!NOTE]
-> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
-> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string |Type of activity that triggered the event |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonType` | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the device using the local keyboard and screen
- **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
- **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed
- **Batch** - Session initiated by scheduled tasks
- **Service** - Session initiated by services as they start
|
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
deleted file mode 100644
index 5bbce755a3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: DeviceNetworkEvents table in the advanced hunting schema
-description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceNetworkEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `Protocol` | string | IP protocol used, whether TCP or UDP |
-| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
deleted file mode 100644
index 2b9b626fb5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: DeviceNetworkInfo table in the advanced hunting schema
-description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceNetworkInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `NetworkAdapterName` | string | Name of the network adapter |
-| `MacAddress` | string | MAC address of the network adapter |
-| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
-| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
-| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
-| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
-| `DnsAddresses` | string | DNS server addresses in JSON array format |
-| `IPv4Dhcp` | string | IPv4 address of DHCP server |
-| `IPv6Dhcp` | string | IPv6 address of DHCP server |
-| `DefaultGateways` | string | Default gateway addresses in JSON array format |
-| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
deleted file mode 100644
index cf942a6f36..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: DeviceProcessEvents table in the advanced hunting schema
-description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceProcessEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
deleted file mode 100644
index eeb92421d0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: DeviceRegistryEvents table in the advanced hunting schema
-description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceRegistryEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
-| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
deleted file mode 100644
index 6dab26214e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
-description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceTvmSecureConfigurationAssessment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| `Timestamp` | datetime |Date and time when the record was generated |
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
-| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device |
-| `Context` | string | Additional contextual information about the configuration or policy |
-| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
deleted file mode 100644
index 26521cd2fd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
-description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceTvmSecureConfigurationAssessmentKB
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `ConfigurationName` | string | Display name of the configuration |
-| `ConfigurationDescription` | string | Description of the configuration |
-| `RiskDescription` | string | Description of the associated risk |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
deleted file mode 100644
index 849feba90c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceTvmSoftwareInventoryVulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `SoftwareVendor` | string | Name of the software vendor |
-| `SoftwareName` | string | Name of the software product |
-| `SoftwareVersion` | string | Version number of the software product |
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-
-
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
deleted file mode 100644
index dd82717d64..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# DeviceTvmSoftwareVulnerabilitiesKB
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
-| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
-| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
-| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
deleted file mode 100644
index a3c2545b6b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Handle errors in advanced hunting for Microsoft Defender ATP
-description: Understand errors displayed when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Handle advanced hunting errors
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-
-Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
-
-| Error type | Cause | Resolution | Error message examples |
-|--|--|--|--|
-| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
-| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
-| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
-| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`
- `You have exceeded processing resources allocated to this tenant. You can run queries again in
-`Query stopped. Adjust use of the
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
deleted file mode 100644
index 66e5df0593..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
-description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/20/2020
-ms.technology: mde
----
-
-# FileProfile()
-
-**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
-
-Column | Data type | Description
--|-|-
-SHA1 | string | SHA-1 of the file that the recorded action was applied to
-SHA256 | string | SHA-256 of the file that the recorded action was applied to
-MD5 | string | MD5 hash of the file that the recorded action was applied to
-FileSize | int | Size of the file in bytes
-GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
-GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
-GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
-Signer | string | Information about the signer of the file
-Issuer | string | Information about the issuing certificate authority (CA)
-SignerHash | string | Unique hash value identifying the signer
-IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
-IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
-IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
-ThreatName | string | Detection name for any malware or other threats found
-Publisher | string | Name of the organization that published the file
-SoftwareName | string | Name of the software product
-
-## Syntax
-
-```kusto
-invoke FileProfile(x,y)
-```
-
-## Arguments
-
-- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
-- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
-
-## Examples
-
-### Project only the SHA1 column and enrich it
-
-```kusto
-DeviceFileEvents
-| where isnotempty(SHA1) and Timestamp > ago(1d)
-| take 10
-| project SHA1
-| invoke FileProfile()
-```
-
-### Enrich the first 500 records and list low-prevalence files
-
-```kusto
-DeviceFileEvents
-| where ActionType == "FileCreated" and Timestamp > ago(1d)
-| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
-| invoke FileProfile("SHA1", 500)
-| where GlobalPrevalence < 15
-```
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
deleted file mode 100644
index c16f450428..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Get relevant info about an entity with go hunt
-description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting.
-keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-f1.keywords:
- - NOCSH
-ms.author: v-maave
-author: martyav
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Quickly hunt for entity or event information with go hunt
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
-
-The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
-
-- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
-
- 
-
-- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
-
- 
-
-- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
-
- 
-
-Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
-
-## Query for entity information
-
-When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
-
-Here is an example of the go hunt query for a device:
-
-```kusto
-let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
-let deviceName = "fv-az770.example.com";
-let deviceId = "device-guid";
-search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
-Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
-and DeviceName == deviceName
-// or RemoteDeviceName == deviceName
-// or DeviceId == deviceId
-| take 100
-```
-
-### Supported entity types
-
-You can use *go hunt* after selecting any of these entity types:
-
-- Files
-- Users
-- Devices
-- IP addresses
-- URLs
-
-## Query for event information
-
-When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
-
-```kusto
-// List relevant events 30 minutes before and after selected RegistryValueSet event
-let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
-search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
- Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
- and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
-| sort by Timestamp desc
-| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
-| project-reorder Relevance
-```
-
-## Adjust the query
-
-With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
-
-```kusto
-Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
-```
-
-In addition to modifying the query to get more relevant results, you can also:
-
-- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
-- [Create a custom detection rule](custom-detection-rules.md)
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Custom detection rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
deleted file mode 100644
index 373fc237b7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Advanced hunting limits in Microsoft Defender ATP
-description: Understand various service limits that keep the advanced hunting service responsive
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Advanced hunting service limits
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits.
-
-| Limit | Size | Refresh cycle | Description |
-|--|--|--|--|
-| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
-| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |
-| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
-| CPU resources | Based on tenant size | - On the hour and then every 15 minutes
- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
-
->[!NOTE]
->A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
-
-Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
-
-## Related topics
-
-- [Advanced hunting best practices](advanced-hunting-best-practices.md)
-- [Handle advanced hunting errors](advanced-hunting-errors.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Custom detections rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
deleted file mode 100644
index 35fa634bff..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Overview of advanced hunting in Microsoft Defender ATP
-description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Proactively hunt for threats with advanced hunting
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
-
-Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
-
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
-
-You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
-
->[!TIP]
->Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
-
-## Get started with advanced hunting
-
-Go through the following steps to ramp up your advanced hunting knowledge.
-
-We recommend going through several steps to quickly get up and running with advanced hunting.
-
-| Learning goal | Description | Resource |
-|--|--|--|
-| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
-| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
-| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
-| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
- [Handle errors](advanced-hunting-errors.md) |
-| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
-| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
-| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
-| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
-
-## Data freshness and update frequency
-
-Advanced hunting data can be categorized into two distinct types, each consolidated differently.
-
-- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.
-- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
-
-## Time zone
-
-Time information in advanced hunting is currently in the UTC time zone.
-
-## Related topics
-
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Use shared queries](advanced-hunting-shared-queries.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
deleted file mode 100644
index 6bf8d2fa92..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Learn the advanced hunting query language
-description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Learn the advanced hunting query language
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
-
-## Try your first query
-
-In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-union DeviceProcessEvents, DeviceNetworkEvents
-| where Timestamp > ago(7d)
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
-
-### Describe the query and specify the tables to search
-A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-```
-The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
-
-```kusto
-union DeviceProcessEvents, DeviceNetworkEvents
-```
-### Set the time range
-The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
-
-```kusto
-| where Timestamp > ago(7d)
-```
-
-### Check specific processes
-The time range is immediately followed by a search for process file names representing the PowerShell application.
-
-```kusto
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-```
-
-### Search for specific command strings
-Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
-
-```kusto
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-```
-
-### Customize result columns and length
-Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
-
-```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-
-Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results.
-
-
-
->[!TIP]
->You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
-
-## Learn common query operators for advanced hunting
-
-You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
-
-| Operator | Description and usage |
-|--|--|
-| `where` | Filter a table to the subset of rows that satisfy a predicate. |
-| `summarize` | Produce a table that aggregates the content of the input table. |
-| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
-| `count` | Return the number of records in the input record set. |
-| `top` | Return the first N records sorted by the specified columns. |
-| `limit` | Return up to the specified number of rows. |
-| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
-| `extend` | Create calculated columns and append them to the result set. |
-| `makeset` | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
-| `find` | Find rows that match a predicate across a set of tables. |
-
-To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
-
-## Understand data types
-
-Advanced hunting supports Kusto data types, including the following common types:
-
-| Data type | Description and query implications |
-|--|--|
-| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
-| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
-| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
-| `int` | 32-bit integer |
-| `long` | 64-bit integer |
-
-To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
-
-## Get help as you write queries
-Take advantage of the following functionality to write queries faster:
-
-- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
-- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
-- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
-
-## Work with multiple queries in the editor
-You can use the query editor to experiment with multiple queries. To use multiple queries:
-
-- Separate each query with an empty line.
-- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
-
-
-_Query editor with multiple queries_
-
-
-## Use sample queries
-
-The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
-
-
-
-> [!NOTE]
-> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
-
-## Access comprehensive query language reference
-
-For detailed information about the query language, see [Kusto query language documentation](https://docs.microsoft.com/azure/kusto/query/).
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Use shared queries](advanced-hunting-shared-queries.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
deleted file mode 100644
index 08515a57eb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-title: Work with advanced hunting query results in Microsoft Defender ATP
-description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Work with advanced hunting query results
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
-
-- View results as a table or chart
-- Export tables and charts
-- Drill down to detailed entity information
-- Tweak your queries directly from the results or apply filters
-
-## View query results as a table or chart
-By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
-
-| View type | Description |
-| -- | -- |
-| **Table** | Displays the query results in tabular format |
-| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
-| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
-| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
-| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
-| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
-| **Scatter chart** | Plots numeric values for a series of unique items |
-| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
-
-### Construct queries for effective charts
-When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
-
-#### Alerts by severity
-Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
-
-```kusto
-DeviceAlertEvents
-| summarize Total = count() by Severity
-```
-When rendering the results, a column chart displays each severity value as a separate column:
-
-
-*Query results for alerts by severity displayed as a column chart*
-
-#### Alert severity by operating system
-You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS).
-
-The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by OSPlatform, Severity
-```
-These results are best visualized using a stacked column chart:
-
-
-*Query results for alerts by OS and severity displayed as a stacked chart*
-
-#### Top ten device groups with alerts
-If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by MachineGroup
-| top 10 by Count
-```
-Use the pie chart view to effectively show distribution across the top groups:
-
-
-*Pie chart showing distribution of alerts across device groups*
-
-#### Malware detections over time
-Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
-
-```kusto
-DeviceEvents
-| where ActionType == "AntivirusDetection"
-| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
-| summarize Detections = count() by bin(Timestamp, 30m)
-```
-The line chart below clearly highlights time periods with more detections of the test malware:
-
-
-*Line chart showing the number of detections of a test malware over time*
-
-
-## Export tables and charts
-After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
-
-- **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
-- **Any chart** — the query results are exported as a JPEG image of the rendered chart
-
-## Drill down from query results
-To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
-
-To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
-
-- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
-- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
-- **All details** — Lists all the values from the columns in the record
-
-## Tweak your queries from the results
-Right-click a value in the result set to quickly enhance your query. You can use the options to:
-
-- Explicitly look for the selected value (`==`)
-- Exclude the selected value from the query (`!=`)
-- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
-
-
-
-## Filter the query results
-The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
-
-Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
-
-
-
-Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Use shared queries](advanced-hunting-shared-queries.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
deleted file mode 100644
index 4d15c46f81..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Advanced hunting schema reference
-description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/14/2020
-ms.technology: mde
----
-
-# Understand the advanced hunting schema
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
-
-## Get schema information in the security center
-While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
-
-- **Tables description**—type of data contained in the table and the source of that data.
-- **Columns**—all the columns in the table.
-- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
-- **Sample query**—example queries that feature how the table can be utilized.
-
-### Access the schema reference
-To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
-
-
-
-## Learn the schema tables
-
-The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
-
-Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
-
-| Table name | Description |
-|------------|-------------|
-| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information |
-| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
-| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
-| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
-| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
-| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
-| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
-| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
-| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
-| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
-| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
-| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
-
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
-- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
deleted file mode 100644
index c3b430655b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Use shared queries in advanced hunting
-description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Use shared queries in advanced hunting
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
-
-
-
-## Save, modify, and share a query
-You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
-
-1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
-
-2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
-
-3. Enter a name for the query.
-
- 
-
-4. Select the folder where you'd like to save the query.
- - **Shared queries** — shared to all users in your organization
- - **My queries** — accessible only to you
-
-5. Select **Save**.
-
-## Delete or rename a query
-1. Right-click on a query you want to rename or delete.
-
- 
-
-2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
-
-## Create a direct link to a query
-To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
-
-## Access queries in the GitHub repository
-Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
-
->[!TIP]
->Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
deleted file mode 100644
index a0bc9e4540..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Take action on advanced hunting query results in Microsoft Threat Protection
-description: Quickly address threats and affected assets in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/20/2020
-ms.technology: mde
----
-
-# Take action on advanced hunting query results
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
-
-- Take various actions on devices
-- Quarantine files
-
-## Required permissions
-
-To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
-
-*Active remediation actions > Threat and vulnerability management - Remediation handling*
-
-## Take various actions on devices
-
-You can take the following actions on devices identified by the `DeviceId` column in your query results:
-
-- Isolate affected devices to contain an infection or prevent attacks from moving laterally
-- Collect investigation package to obtain more forensic information
-- Run an antivirus scan to find and remove threats using the latest security intelligence updates
-- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
-- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
-
-To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md).
-
-## Quarantine files
-
-You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
-
-- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
-- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process.
-- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
-- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
-
-To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
-
->[!NOTE]
->To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
-
-## Take action
-
-To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
-
-
-
-## Review actions taken
-
-Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
deleted file mode 100644
index 6c96b5ea1e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Alerts queue in Microsoft Defender Security Center
-ms.reviewer:
-description: View and manage the alerts surfaced in Microsoft Defender Security Center
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 09/03/2018
-ms.technology: mde
----
-
-# Alerts queue in Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
-
-
-## In this section
-Topic | Description
-:---|:---
-[View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network.
-[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
-[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event.
-[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event.
-[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
-[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
-[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
deleted file mode 100644
index 7ac4d17fb3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: View and organize the Microsoft Defender ATP Alerts queue
-description: Learn about how the Microsoft Defender ATP alerts queues work, and how to sort and filter lists of alerts.
-keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 03/27/2020
-ms.technology: mde
----
-
-# View and organize the Microsoft Defender for Endpoint Alerts queue
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
-
-The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
-
->[!NOTE]
->The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-
-There are several options you can choose from to customize the alerts queue view.
-
-On the top navigation you can:
-
-- Select grouped view or list view
-- Customize columns to add or remove columns
-- Select the items to show per page
-- Navigate between pages
-- Apply filters
-
-
-
-## Sort, filter, and group the alerts queue
-
-You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
-
-### Severity
-
-Alert severity | Description
-:---|:---
-High (Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
-Medium (Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
-Low (Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
-Informational (Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
-
-#### Understanding alert severity
-
-Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes.
-
-The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.
-
-The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
-
-So, for example:
-
-- The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
-- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
-- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
-- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
-
-#### Understanding alert categories
-
-We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
-
-The table below lists the current categories and how they generally map to previous categories.
-
-| New category | Previous categories | Detected threat activity or component |
-|----------------------|----------------------|-------------|
-| Collection | - | Locating and collecting data for exfiltration |
-| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
-| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
-| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
-| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
-| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
-| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
-| Exploit | Exploit | Exploit code and possible exploitation activity |
-| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
-| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
-| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
-| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
-| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
-| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
-| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack |
-| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
-
-
-### Status
-
-You can choose to limit the list of alerts based on their status.
-
-### Investigation state
-
-Corresponds to the automated investigation state.
-
-### Category
-
-You can choose to filter the queue to display specific types of malicious activity.
-
-### Assigned to
-
-You can choose between showing alerts that are assigned to you or automation.
-
-### Detection source
-
-Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
-
->[!NOTE]
->The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-
-
-### OS platform
-
-Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
-
-### Device group
-
-If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
-
-### Associated threat
-
-Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
-
-## Related topics
-
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
deleted file mode 100644
index da475d40a4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ /dev/null
@@ -1,213 +0,0 @@
----
-title: Get alerts API
-description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Alert resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
-[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
-[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md).
-[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
-[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
-[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
-[List related IPs](get-alert-related-ip-info.md) | IP collection | List IPs that are associated with the alert.
-[Get related machines](get-alert-related-machine-info.md) | [Machine](machine.md) | The [machine](machine.md) that is associated with the [alert](alerts.md).
-[Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md).
-
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Alert ID.
-title | String | Alert title.
-description | String | Alert description.
-alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
-lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
-firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
-lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
-resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-assignedTo | String | Owner of the alert.
-severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
-status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
-classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert.
-detectionSource | String | Detection source.
-threatFamilyName | String | Threat family.
-threatName | String | Threat name.
-machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
-computerDnsName | String | [machine](machine.md) fully qualified name.
-aadTenantId | String | The Azure Active Directory ID.
-detectorId | String | The ID of the detector that triggered the alert.
-comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
-Evidence | List of Alert evidence | Evidence related to the alert. See example below.
-
-### Response example for getting single alert:
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
-```
-
-```json
-{
- "id": "da637472900382838869_1364969609",
- "incidentId": 1126093,
- "investigationId": null,
- "assignedTo": null,
- "severity": "Low",
- "status": "New",
- "classification": null,
- "determination": null,
- "investigationState": "Queued",
- "detectionSource": "WindowsDefenderAtp",
- "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
- "category": "Execution",
- "threatFamilyName": null,
- "title": "Low-reputation arbitrary code executed by signed executable",
- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
- "firstEventTime": "2021-01-26T20:31:32.9562661Z",
- "lastEventTime": "2021-01-26T20:31:33.0577322Z",
- "lastUpdateTime": "2021-01-26T20:33:59.2Z",
- "resolvedTime": null,
- "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
- "computerDnsName": "temp123.middleeast.corp.microsoft.com",
- "rbacGroupName": "A",
- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
- "threatName": null,
- "mitreTechniques": [
- "T1064",
- "T1085",
- "T1220"
- ],
- "relatedUser": {
- "userName": "temp123",
- "domainName": "MIDDLEEAST"
- },
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop123@contoso.com",
- "createdTime": "2021-01-26T01:00:37.8404534Z"
- }
- ],
- "evidence": [
- {
- "entityType": "User",
- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
- "sha1": null,
- "sha256": null,
- "fileName": null,
- "filePath": null,
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "parentProcessFileName": null,
- "parentProcessFilePath": null,
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": "eranb",
- "domainName": "MIDDLEEAST",
- "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
- "userPrincipalName": "temp123@microsoft.com",
- "detectionStatus": null
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
- "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
- "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
- "fileName": "rundll32.exe",
- "filePath": "C:\\Windows\\SysWOW64",
- "processId": 3276,
- "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
- "processCreationTime": "2021-01-26T20:31:32.9581596Z",
- "parentProcessId": 8420,
- "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
- "parentProcessFileName": "rundll32.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "File",
- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
- "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
- "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
- "fileName": "suspicious.dll",
- "filePath": "c:\\temp",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "parentProcessFileName": null,
- "parentProcessFilePath": null,
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- }
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
deleted file mode 100644
index c0d3f7f4e0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Configure Microsoft Defender ATP for Android features
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, configuration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure Defender for Endpoint for Android features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
-
-## Conditional Access with Defender for Endpoint for Android
-Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active
-Directory enables enforcing Device compliance and Conditional Access policies
-based on device risk levels. Defender for Endpoint is a Mobile Threat Defense
-(MTD) solution that you can deploy to leverage this capability via Intune.
-
-For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
-
-
-## Configure custom indicators
-
->[!NOTE]
-> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains.
-
-Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
-
-## Configure web protection
-Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
-
->[!NOTE]
-> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
-
-
-## Related topics
-- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
-- [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
deleted file mode 100644
index dcaf457b37..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ /dev/null
@@ -1,314 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Android with Microsoft Intune
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune
-keywords: microsoft, defender, atp, android, installation, deploy, uninstallation,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint](microsoft-defender-atp-android.md)
-
-Learn how to deploy Defender for Endpoint for Android on Intune
-Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
-device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
-
-
-> [!NOTE]
-> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
-> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes.
- Updates to the app are automatic via Google Play.
-
-## Deploy on Device Administrator enrolled devices
-
-**Deploy Defender for Endpoint for Android on Intune Company Portal - Device
-Administrator enrolled devices**
-
-Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
-
-### Add as Android store app
-
-1. In [Microsoft Endpoint Manager admin
-center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
-**Android Apps** \> **Add \> Android store app** and choose **Select**.
-
- 
-
-
-2. On the **Add app** page and in the *App Information* section enter:
-
- - **Name**
- - **Description**
- - **Publisher** as Microsoft.
- - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL)
-
- Other fields are optional. Select **Next**.
-
- 
-
-3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
-
- >[!NOTE]
- >The selected user group should consist of Intune enrolled users.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
-
- In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
-
- 
-
-
-5. In the app information page that is displayed, in the **Monitor** section,
-select **Device install status** to verify that the device installation has
-completed successfully.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-### Complete onboarding and check status
-
-1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon.
-
- 
-
-2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
-to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android.
-
-3. Upon successful onboarding, the device will start showing up on the Devices
-list in Microsoft Defender Security Center.
-
- 
-
-## Deploy on Android Enterprise enrolled devices
-
-Defender for Endpoint for Android supports Android Enterprise enrolled devices.
-
-For more information on the enrollment options supported by Intune, see
-[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
-
-**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
-
-
-
-## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app
-
-Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play.
-
-1. In [Microsoft Endpoint Manager admin
-center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
-**Android Apps** \> **Add** and select **Managed Google Play app**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-2. On your managed Google Play page that loads subsequently, go to the search
-box and lookup **Microsoft Defender.** Your search should display the Microsoft
-Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
-
- 
-
-3. In the App description page that comes up next, you should be able to see app
-details on Defender for Endpoint. Review the information on the page and then
-select **Approve**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-4. You'll be presented with the permissions that Defender for Endpoint
-obtains for it to work. Review them and then select **Approve**.
-
- 
-
-
-5. You'll be presented with the Approval settings page. The page confirms
-your preference to handle new app permissions that Defender for Endpoint for
-Android might ask. Review the choices and select your preferred option. Select
-**Done**.
-
- By default, managed Google Play selects *Keep approved when app requests new
-permissions*
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-6. After the permissions handling selection is made, select **Sync** to sync Microsoft
-Defender for Endpoint to your apps list.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-7. The sync will complete in a few minutes.
-
- 
-
-8. Select the **Refresh** button in the Android apps screen and Microsoft
-Defender ATP should be visible in the apps list.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
-
- 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
-
- 
-
- 1. In the **Create app configuration policy** page, enter the following details:
-
- - Name: Microsoft Defender ATP.
- - Choose **Android Enterprise** as platform.
- - Choose **Work Profile only** as Profile Type.
- - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
- 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:
-
- - External storage (read)
- - External storage (write)
-
- Then select **OK**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
-
- The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
-**Assignments** \> **Edit**.
-
- 
-
-
-11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
-the device via Company Portal app. This assignment can be done by navigating to
-the *Required* section \> **Add group,** selecting the user group and click
-**Select**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-12. In the **Edit Application** page, review all the information that was entered
-above. Then select **Review + Save** and then **Save** again to commence
-assignment.
-
-### Auto Setup of Always-on VPN
-Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
-1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
-Select **Device restrictions** under one of the following, based on your device enrollment type
-- **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
-- **Personally owned Work Profile**
-
-Select **Create**.
-
- > 
-
-2. **Configuration Settings**
- Provide a **Name** and a **Description** to uniquely identify the configuration profile.
-
- > 
-
- 3. Select **Connectivity** and configure VPN:
-- Enable **Always-on VPN**
-Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.
-- Select **Custom** in VPN client dropdown list
-Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature.
- > [!NOTE]
- > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN.
-
-- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**
-- **Lockdown mode** Not configured (Default)
-
- 
-
-4. **Assignment**
-In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
-
- 
-
-5. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
-The device configuration profile is now assigned to the selected user group.
-
- 
-
-## Complete onboarding and check status
-
-1. Confirm the installation status of Microsoft Defender for Endpoint for Android by
-clicking on the **Device Install Status**. Verify that the device is
-displayed here.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
-
- 
-
-3. When the app is installed, open the app and accept the permissions
-and then your onboarding should be successful.
-
- 
-
-4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security
-Center](https://securitycenter.microsoft.com)
-by navigating to the **Devices** page.
-
- 
-
-
-## Related topics
-- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
-- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
deleted file mode 100644
index d14d7b7606..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Microsoft Defender ATP for Android - Privacy information
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android.
-keywords: microsoft, defender, atp, android, privacy, diagnostic
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for Android - Privacy information
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
-
-
-Defender for Endpoint for Android collects information from your configured
-Android devices and stores it in the same tenant where you have Defender for Endpoint.
-
-Information is collected to help keep Defender for Endpoint for Android secure,
-up-to-date, performing as expected and to support the service.
-
-## Required Data
-
-Required data consists of data that is necessary to make Defender for Endpoint
-for Android work as expected. This data is essential to the operation of the
-service and can include data related to the end user, organization, device, and
-apps. Here's a list of the types of data being collected:
-
-### App information
-
-Information about Android application packages (APKs) on the device including
-
-- Install source
-- Storage location (file path) of the APK
-- Time of install, size of APK and permissions
-
-### Web page / Network information
-
-- Full URL (on supported browsers), when clicked
-- Connection information
-- Protocol type (such as HTTP, HTTPS, etc.)
-
-
-### Device and account information
-
-- Device information such as date & time, Android version, OEM model, CPU
- info, and Device identifier
-- Device identifier is one of the below:
- - Wi-Fi adapter MAC address
- - [Android
- ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID)
- (as generated by Android at the time of first boot of the device)
- - Randomly generated globally unique identifier (GUID)
-
-- Tenant, Device and User information
- - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely
- identifies the device, User respectively at Azure Active directory.
-
- - Azure tenant ID - GUID that identifies your organization within
- Azure Active Directory
-
- - Microsoft Defender ATP org ID - Unique identifier associated with
- the enterprise that the device belongs to. Allows Microsoft to
- identify whether issues are impacting a select set of enterprises
- and how many enterprises are impacted
-
- - User Principal Name – Email ID of the user
-
-### Product and service usage data
-- App package info, including name, version, and app upgrade status
-
-- Actions performed in the app
-
-- Threat detection information, such as threat name, category, etc.
-
-- Crash report logs generated by Android
-
-## Optional Data
-
-Optional data includes diagnostic data and feedback data. Optional diagnostic
-data is additional data that helps us make product improvements and provides
-enhanced information to help us detect, diagnose, and fix issues. Optional
-diagnostic data includes:
-
-- App, CPU, and network usage
-
-- State of the device from the app perspective, including scan status, scan
- timings, app permissions granted, and upgrade status
-
-- Features configured by the admin
-
-- Basic information about the browsers on the device
-
-**Feedback Data** is collected through in-app feedback provided by the user
-
-- The user’s email address, if they choose to provide it
-
-- Feedback type (smile, frown, idea) and any feedback comments submitted by
- the user
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
deleted file mode 100644
index f9fe77aefa..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: Troubleshoot issues on Microsoft Defender ATP for Android
-ms.reviewer:
-description: Troubleshoot issues for Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, cloud, connectivity, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Troubleshooting issues on Microsoft Defender for Endpoint for Android
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint](microsoft-defender-atp-android.md)
-
-During onboarding, you might encounter sign in issues after the app is installed on your device.
-
-This article provides solutions to address the sign on issues.
-
-## Sign in failed - unexpected error
-**Sign in failed:** *Unexpected error, try later*
-
-
-
-**Message:**
-
-Unexpected error, try later
-
-**Cause:**
-
-You have an older version of "Microsoft Authenticator" app installed on your
-device.
-
-**Solution:**
-
-Install latest version and of [Microsoft
-Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator)
-from Google Play Store and try again
-
-## Sign in failed - invalid license
-
-**Sign in failed:** *Invalid license, please contact administrator*
-
-
-
-**Message:** *Invalid license, please contact administrator*
-
-**Cause:**
-
-You do not have Microsoft 365 license assigned, or your organization does not
-have a license for Microsoft 365 Enterprise subscription.
-
-**Solution:**
-
-Contact your administrator for help.
-
-## Phishing pages are not blocked on specific OEM devices
-
-**Applies to:** Specific OEMs only
-
-- **Xiaomi**
-
-Phishing and harmful web connection threats detected by Defender for Endpoint
-for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices.
-
-
-
-
-**Cause:**
-
-Xiaomi devices introduced a new permission that prevents Defender for Endpoint
-for Android app from displaying pop-up windows while running in the background.
-
-Xiaomi devices permission: "Display pop-up windows while running in the
-background."
-
-
-
-**Solution:**
-
-Enable the required permission on Xiaomi devices.
-
-- Display pop-up windows while running in the background.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
deleted file mode 100644
index 05151f5a7c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ /dev/null
@@ -1,233 +0,0 @@
----
-title: Microsoft Defender ATP for Android Application license terms
-ms.reviewer:
-description: Describes the Microsoft Defender ATP for Android license terms
-keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-hideEdit: true
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for Android application license terms
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md)
-
-## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
-
-These license terms ("Terms") are an agreement between Microsoft Corporation (or
-based on where you live, one of its affiliates) and you. Please read them. They
-apply to the application named above. These Terms also apply to any Microsoft
-
-- updates,
-
-- supplements,
-
-- Internet-based services, and
-
-- support services
-
-for this application, unless other terms accompany those items. If so, those
-terms apply.
-
-**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
-DO NOT USE THE APPLICATION.**
-
-**If you comply with these Terms, you have the perpetual rights below.**
-
-1. **INSTALLATION AND USE RIGHTS.**
-
- 1. **Installation and Use.** You may install and use any number of copies
- of this application on Android enabled device or devices that you own
- or control. You may use this application with your company's valid
- subscription of Microsoft Defender for Endpoint or
- an online service that includes Microsoft Defender for Endpoint functionalities.
-
- 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full
- functionality. Some functionality may not be available in all countries.
-
- 3. **Third-Party Programs.** The application may include third-party
- programs that Microsoft, not the third party, licenses to you under this
- agreement. Notices, if any, for the third-party program are included for
- your information only.
-
-2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer, and other services per the terms of the data
- service plan and any other agreement you have with your network operator due
- to use of the application. You are solely responsible for any network
- operator charges.
-
-3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
- the application. It may change or cancel them at any time.
-
- 1. Consent for Internet-Based or Wireless Services. The application may
- connect to Internet-based wireless services. Your use of the application
- operates as your consent to the transmission of standard device
- information (including but not limited to technical information about
- your device, system and application software, and peripherals) for
- Internet-based or wireless services. If other terms are provided in
- connection with your use of the services, those terms also apply.
-
- - Data. Some online services require, or may be enhanced by, the
- installation of local software like this one. At your, or your
- admin's direction, this software may send data from a device to or
- from an online service.
-
- - Usage Data. Microsoft automatically collects usage and performance
- data over the internet. This data will be used to provide and
- improve Microsoft products and services and enhance your experience.
- You may limit or control collection of some usage and performance
- data through your device settings. Doing so may disrupt your use of
- certain features of the application. For more information about
- Microsoft data collection and use, see the [Online Services
- Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
-
- 2. Misuse of Internet-based Services. You may not use any Internet-based
- service in any way that could harm it or impair anyone else's use of it
- or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account, or network by any
- means.
-
-4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share, and commercialize
- your feedback in any way and for any purpose. You also give to third
- parties, without charge, any patent rights needed for their products,
- technologies, and services to use or interface with any specific parts of a
- Microsoft software or service that includes the feedback. You will not give
- feedback that is subject to a license that requires Microsoft to license its
- software or documentation to third parties because we include your feedback
- in them. These rights survive this agreement.
-
-5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
- only gives you some rights to use the application. Microsoft reserves all
- other rights. Unless applicable law gives you more rights despite this
- limitation, you may use the application only as expressly permitted in this
- agreement. In doing so, you must comply with any technical limitations in
- the application that only allow you to use it in certain ways. You may not
-
- - work around any technical limitations in the application;
-
- - reverse engineer, decompile or disassemble the application, except and
- only to the extent that applicable law expressly permits, despite this
- limitation;
-
- - make more copies of the application than specified in this agreement or
- allowed by applicable law, despite this limitation;
-
- - publish the application for others to copy;
-
- - rent, lease, or lend the application; or
-
- - transfer the application or this agreement to any third party.
-
-6. **EXPORT RESTRICTIONS.** The application is subject to United States export
- laws and regulations. You must comply with all domestic and international
- export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users, and end use. For more
- information,
-
- see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
-
-7. **SUPPORT SERVICES.** Because this application is "as is," we may not
- provide support services for it. If you have any issues or questions about
- your use of this application, including questions about your company's
- privacy policy, contact your company's admin. Do not contact the
- application store, your network operator, device manufacturer, or Microsoft.
- The application store provider has no obligation to furnish support or
- maintenance with respect to the application.
-
-8. **APPLICATION STORE.**
-
- 1. If you obtain the application through an application store (for example, Google
- Play), review the applicable application store terms to ensure
- your download and use of the application complies with such terms.
- Note that these Terms are between you and Microsoft and not with
- the application store.
-
- 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
- Terms, the application store provider(s) will have the right to directly
- enforce and rely upon any provision of these Terms that grants them a
- benefit or rights.
-
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
- Microsoft 365 are registered or common-law trademarks of Microsoft
- Corporation in the United States and/or other countries.
-
-10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
- Internet-based services, and support services that you use are the entire
- agreement for the application and support services.
-
-11. **APPLICABLE LAW.**
-
- 1. **United States.** If you acquired the application in the United States,
- Washington state law governs the interpretation of this agreement and
- applies to claims for breach of it, regardless of conflict of laws
- principles. The laws of the state where you live govern all other
- claims, including claims under state consumer protection laws, unfair
- competition laws, and in tort.
-
- 2. **Outside the United States.** If you acquired the application in any
- other country, the laws of that country apply.
-
-12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
- have other rights under the laws of your country. You may also have rights
- with respect to the party from whom you acquired the application. This
- agreement does not change your rights under the laws of your country if the
- laws of your country do not permit it to do so.
-
-13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
- FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
- WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
- EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
- EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
- APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
- ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
- CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
- THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NON-INFRINGEMENT.**
-
- **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
-
-14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
- PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
- ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
- DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
- INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
-
-This limitation applies to:
-
-- anything related to the application, services, content (including code) on
- third-party internet sites, or third-party programs; and
-
-- claims for breach of contract, warranty, guarantee, or condition; consumer
- protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass, or other tort; violation of statute or
- regulation; or unjust enrichment; all to the extent permitted by applicable
- law.
-
-It also applies even if:
-
-a. Repair, replacement, or refund for the application does not fully compensate
- you for any losses; or
-
-b. Covered Parties knew or should have known about the possibility of the
- damages.
-
-The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
deleted file mode 100644
index f6ea5a6c0d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: API Explorer in Microsoft Defender ATP
-ms.reviewer:
-description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
-keywords: api, explorer, send, request, get, post,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# API Explorer
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
-
-The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
-
-The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
-
-You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
-
-With the API Explorer, you can:
-
-- Run requests for any method and see responses in real-time
-- Quickly browse through the API samples and learn what parameters they support
-- Make API calls with ease; no need to authenticate beyond the management portal sign in
-
-## Access API Explorer
-
-From the left navigation menu, select **Partners & APIs** > **API Explorer**.
-
-## Supported APIs
-
-API Explorer supports all the APIs offered by Defender for Endpoint.
-
-The list of supported APIs is available in the [APIs documentation](apis-intro.md).
-
-## Get started with the API Explorer
-
-1. In the left pane, there is a list of sample requests that you can use.
-2. Follow the links and click **Run query**.
-
-Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
-
-## FAQ
-
-**Do I need to have an API token to use the API Explorer?**
-Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request.
-
-The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
-
-Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
deleted file mode 100644
index bf85bfd5d2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ /dev/null
@@ -1,187 +0,0 @@
----
-title: Hello World for Microsoft Defender Advanced Threat Protection API
-ms.reviewer:
-description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint API - Hello World
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## Get Alerts using a simple PowerShell script
-
-### How long it takes to go through this example?
-It only takes 5 minutes done in two steps:
-- Application registration
-- Use examples: only requires copy/paste of a short PowerShell script
-
-### Do I need a permission to connect?
-For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant.
-
-### Step 1 - Create an App in Azure Active Directory
-
-1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
-
-2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
-
- 
-
-3. In the registration form, choose a name for your application and then click **Register**.
-
-4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:
-
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
-
- 
-
- - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
-
- 
-
- **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
-
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
-
-5. Click **Grant consent**
-
- - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
-
- 
-
-6. Add a secret to the application.
-
- - Click **Certificates & secrets**, add description to the secret and click **Add**.
-
- **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
-
- 
-
-7. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following:
-
- 
-
-
-Done! You have successfully registered an application!
-
-### Step 2 - Get a token using the App and use this token to access the API.
-
-- Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**"
-- Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**".
-
-```
-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
-# Paste below your Tenant ID, App ID and App Secret (App key).
-
-$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your Application ID here
-$appSecret = '' ### Paste your Application secret here
-
-$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
-$authBody = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
-$token = $authResponse.access_token
-Out-File -FilePath "./Latest-token.txt" -InputObject $token
-return $token
-```
-
-- Sanity Check:
-Run the script.
-In your browser go to: https://jwt.ms/
-Copy the token (the content of the Latest-token.txt file).
-Paste in the top box.
-Look for the "roles" section. Find the Alert.Read.All role.
-
-
-
-### Lets get the Alerts!
-
-- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
-- Save this script in the same folder you saved the previous script **Get-Token.ps1**.
-- The script creates two files (json and csv) with the data in the same folder as the scripts.
-
-```
-# Returns Alerts created in the past 48 hours.
-
-$token = ./Get-Token.ps1 #run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-Token.ps1
-
-# Get Alert from the last 48 hours. Make sure you have alerts in that time frame.
-$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")
-
-# The URL contains the type of query and the time filter we create above
-# Read more about other query options and filters at Https://TBD- add the documentation link
-$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
-
-# Set the WebRequest headers
-$headers = @{
- 'Content-Type' = 'application/json'
- Accept = 'application/json'
- Authorization = "Bearer $token"
-}
-
-# Send the webrequest and get the results.
-$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
-
-# Extract the alerts from the results.
-$alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json
-
-# Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
-$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
-
-# Save the result as json and as csv
-$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"
-$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
-
-Out-File -FilePath $outputJsonPath -InputObject $alerts
-($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation
-```
-
-You’re all done! You have just successfully:
-- Created and registered and application
-- Granted permission for that application to read alerts
-- Connected the API
-- Used a PowerShell script to return alerts created in the past 48 hours
-
-
-
-## Related topic
-- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
-- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
-- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
deleted file mode 100644
index c789f3dcc8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Microsoft Defender ATP Flow connector
-ms.reviewer:
-description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
-keywords: flow, supported apis, api, Microsoft flow, query, automation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-
-Microsoft Defender API has an official Flow Connector with many capabilities.
-
-
-
-## Usage example
-
-The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
-
-1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-
-2. Go to **My flows** > **New** > **Automated-from blank**.
-
- 
-
-3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
-
- 
-
-Now you have a Flow that is triggered every time a new Alert occurs.
-
-
-
-All you need to do now is choose your next steps.
-For example, you can isolate the device if the Severity of the Alert is High and send an email about it.
-The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
-
-### Get the Alert entity using the connector
-
-1. Choose **Microsoft Defender ATP** for the new step.
-
-2. Choose **Alerts - Get single alert API**.
-
-3. Set the **Alert ID** from the last step as **Input**.
-
- 
-
-### Isolate the device if the Alert's severity is High
-
-1. Add **Condition** as a new step.
-
-2. Check if the Alert severity **is equal to** High.
-
- If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
-
- 
-
-3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
-
-4. Save your flow.
-
-You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
-
-## Related topic
-- [Microsoft Defender for Endpoint APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
deleted file mode 100644
index fcaccc4e0e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Microsoft Defender ATP detections API fields
-description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
-keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint detections API fields
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-
-Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
-
->[!Note]
->- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
->- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-## Detections API fields and portal mapping
-The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
-
-The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
-
-Field numbers match the numbers in the images below.
-
-> [!div class="mx-tableFixed"]
->
-> | Portal label | SIEM field name | ArcSight field | Example value | Description |
-> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
-> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
-> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
-> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
-> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
-> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
-| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
-> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
-> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
-> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)
-- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
deleted file mode 100644
index c62e574323..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: Microsoft Defender ATP APIs connection to Power BI
-ms.reviewer:
-description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
-keywords: apis, supported apis, Power BI, reports
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create custom reports using Power BI
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-In this section you will learn create a Power BI report on top of Defender for Endpoint APIs.
-
-The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
-
-## Connect Power BI to Advanced Hunting API
-
-- Open Microsoft Power BI
-
-- Click **Get Data** > **Blank Query**
-
- 
-
-- Click **Advanced Editor**
-
- 
-
-- Copy the below and paste it in the editor:
-
-```
- let
- AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",
-
- HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",
-
- Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
-
- TypeMap = #table(
- { "Type", "PowerBiType" },
- {
- { "Double", Double.Type },
- { "Int64", Int64.Type },
- { "Int32", Int32.Type },
- { "Int16", Int16.Type },
- { "UInt64", Number.Type },
- { "UInt32", Number.Type },
- { "UInt16", Number.Type },
- { "Byte", Byte.Type },
- { "Single", Single.Type },
- { "Decimal", Decimal.Type },
- { "TimeSpan", Duration.Type },
- { "DateTime", DateTimeZone.Type },
- { "String", Text.Type },
- { "Boolean", Logical.Type },
- { "SByte", Logical.Type },
- { "Guid", Text.Type }
- }),
-
- Schema = Table.FromRecords(Response[Schema]),
- TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
- Results = Response[Results],
- Rows = Table.FromRecords(Results, Schema[Name]),
- Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
-
- in Table
-
-```
-
-- Click **Done**
-
-- Click **Edit Credentials**
-
- 
-
-- Select **Organizational account** > **Sign in**
-
- 
-
-- Enter your credentials and wait to be signed in
-
-- Click **Connect**
-
- 
-
-- Now the results of your query will appear as table and you can start build visualizations on top of it!
-
-- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
-
-## Connect Power BI to OData APIs
-
-- The only difference from the above example is the query inside the editor.
-
-- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
-
-```
- let
-
- Query = "MachineActions",
-
- Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
- in
- Source
-
-```
-
-- You can do the same for **Alerts** and **Machines**.
-
-- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
-
-
-## Power BI dashboard samples in GitHub
-For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
-
-## Sample reports
-View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
-
-
-## Related topic
-- [Defender for Endpoint APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Using OData Queries](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
deleted file mode 100644
index 441c3cbd30..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Microsoft Defender for Endpoint API release notes
-description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.
-keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint API release notes
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.
-
-
-### 25.01.2021
-
-
-- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute.
-
-
-
-### 21.01.2021
-
-
-- Added new API: [Find devices by tag](machine-tags.md).
-- Added new API: [Import Indicators](import-ti-indicators.md).
-
-
-
-### 03.01.2021
-
-
-- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
-- Updated [Alert entity](alerts.md): added ***detectorId*** property.
-
-
-
-### 15.12.2020
-
-
-- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
-
-
-
-### 04.11.2020
-
-
-- Added new API: [Set device value](set-device-value.md).
-- Updated [Device](machine.md) entity: added ***deviceValue*** property.
-
-
-
-### 01.09.2020
-
-
-- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
-
-
-
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
deleted file mode 100644
index b4e75388d9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Microsoft Defender ATP API license and terms of use
-description: Description of the license and terms of use for Microsoft Defender APIs
-keywords: license, terms, apis, legal, notices, code of conduct
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint API license and terms of use
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## APIs
-
-Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
-
-### Throttling limits
-
-Name | Calls | Renewal period
-:---|:---|:---
-API calls per connection | 100 | 60 seconds
-
-
-## Legal Notices
-
-Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
-
-Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
-
-Privacy information can be found at https://privacy.microsoft.com/en-us/
-Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
deleted file mode 100644
index 7a6ced874a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Access the Microsoft Defender Advanced Threat Protection APIs
-ms.reviewer:
-description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
-keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Access the Microsoft Defender for Endpoint APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-
-Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
-
-In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Defender for Endpoint API
-
-
-You can access Defender for Endpoint API with **Application Context** or **User Context**.
-
-- **Application Context: (Recommended)**
- Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
-
- Steps that need to be taken to access Defender for Endpoint API with application context:
-
- 1. Create an AAD Web-Application.
- 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
- 3. Create a key for this Application.
- 4. Get token using the application with its key.
- 5. Use the token to access Microsoft Defender ATP API
-
- For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
-
-
-- **User Context:**
- Used to perform actions in the API on behalf of a user.
-
- Steps to take to access Defender for Endpoint API with application context:
-
- 1. Create AAD Native-Application.
- 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
- 3. Get token using the application with user credentials.
- 4. Use the token to access Microsoft Defender ATP API
-
- For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
-
-
-## Related topics
-- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
-- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
-- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
deleted file mode 100644
index 66d9bed2d9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Assign user access to Microsoft Defender Security Center
-description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal.
-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/28/2018
-ms.technology: mde
----
-
-# Assign user access to Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Azure Active Directory
-- Office 365
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-
-Defender for Endpoint supports two ways to manage permissions:
-
-- **Basic permissions management**: Set permissions to either full access or read-only.
-- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
-
-> [!NOTE]
-> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
->
-> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC.
-> - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
-> - After switching to RBAC, you will not be able to switch back to using basic permissions management.
-
-## Related topics
-
-- [Use basic permissions to access the portal](basic-permissions.md)
-- [Manage portal access using RBAC](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
deleted file mode 100644
index 4fe5d45a88..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Experience Microsoft Defender ATP through simulated attacks
-description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
-keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/20/2018
-ms.technology: mde
----
-
-# Experience Microsoft Defender for Endpoint through simulated attacks
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
-
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
-
-## Before you begin
-
-To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
-
-Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
-
-## Run a simulation
-
-1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
-
- - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
-
- - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
-
- - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
-
-2. Download and read the corresponding walkthrough document provided with your selected scenario.
-
-3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
-
-4. Run the simulation file or script on the test device as instructed in the walkthrough document.
-
-> [!NOTE]
-> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
->
->
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
-
-
-## Related topics
-
-- [Onboard devices](onboard-configure.md)
-- [Onboard Windows 10 devices](configure-endpoints.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
deleted file mode 100644
index d2eec941c7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: Attack surface reduction frequently asked questions (FAQ)
-description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: martyav
-ms.author: v-maave
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
----
-
-# Attack surface reduction frequently asked questions (FAQ)
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Is attack surface reduction (ASR) part of Windows?
-
-ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
-
-## Do I need to have an enterprise license to run ASR rules?
-
-The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
-
-To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-
-## Is ASR supported if I have an E3 license?
-
-Yes. ASR is supported for Windows Enterprise E3 and above.
-
-## Which features are supported with an E5 license?
-
-All of the rules supported with E3 are also supported with E5.
-
-E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
-
-## What are the currently supported ASR rules?
-
-ASR currently supports all of the rules below:
-
-* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
-* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
-* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
-* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
-* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
-* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
-* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
-* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
-* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
-* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
-* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
-* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
-* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
-* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
-* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
-
-## What are some good recommendations for getting started with ASR?
-
-Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
-
-Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
-
-## How long should I test an ASR rule in audit mode before enabling it?
-
-Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
-
-## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR?
-
-In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
-
-The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities.
-
-From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
-
-## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
-
-Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
-
-## Do ASR rules cover all applications by default?
-
-It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
-
-## Does ASR support third-party security solutions?
-
-ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
-
-## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline?
-
-Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint.
-
-## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
-
-Try opening the indexing options directly from Windows 10.
-
-1. Select the **Search** icon on the Windows taskbar.
-
-1. Enter **Indexing options** into the search box.
-
-## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
-
-No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
-
-## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
-
-This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
-
-Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
-
-## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
-
-A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
-
-Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
-
-## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
-
-Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
-
-## See also
-
-* [Attack surface reduction overview](attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
deleted file mode 100644
index 846bc4dbca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ /dev/null
@@ -1,467 +0,0 @@
----
-title: Use attack surface reduction rules to prevent malware infection
-description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer: sugamar, jcedola
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
-
----
-
-# Use attack surface reduction rules to prevent malware infection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Why attack surface reduction rules are important
-
-Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
-
-Attack surface reduction rules target certain software behaviors, such as:
-
-- Launching executable files and scripts that attempt to download or run files;
-- Running obfuscated or otherwise suspicious scripts; and
-- Performing behaviors that apps don't usually initiate during normal day-to-day work.
-
-Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
-
-For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
-
-## Assess rule impact before deployment
-
-You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
-
-:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
-
-In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
-
-## Audit mode for evaluation
-
-Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
-
-## Warn mode for users
-
-(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
-
-Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
-
-### Requirements for warn mode to work
-
-Warn mode is supported on devices running the following versions of Windows:
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
-
-Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
-
-In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
-- Minimum platform release requirement: `4.18.2008.9`
-- Minimum engine release requirement: `1.1.17400.5`
-
-For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
-
-### Cases where warn mode is not supported
-
-Warn mode is not supported for the following attack surface reduction rules:
-
-- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)
-- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)
-- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
-
-In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
-
-## Notifications and alerts
-
-Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
-
-In addition, when certain attack surface reduction rules are triggered, alerts are generated.
-
-Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
-
-## Advanced hunting and attack surface reduction events
-
-You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
-
-For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.
-
-For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
-
-## Attack surface reduction features across Windows versions
-
-You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
-
-## Review attack surface reduction events in the Microsoft Defender Security Center
-
-Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
-
-You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
-
-Here is an example query:
-
-```kusto
-DeviceEvents
-| where ActionType startswith 'Asr'
-```
-
-## Review attack surface reduction events in Windows Event Viewer
-
-You can review the Windows event log to view events generated by attack surface reduction rules:
-
-1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
-2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
-3. Under **Actions**, select **Import custom view...**.
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
-5. Select **OK**.
-
-You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
-
-|Event ID | Description |
-|:---|:---|
-|5007 | Event when settings are changed |
-|1121 | Event when rule fires in Block-mode |
-|1122 | Event when rule fires in Audit-mode |
-
-The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
-
-## Attack surface reduction rules
-
-The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
-
-If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
-
-
-| Rule name | GUID | File & folder exclusions | Minimum OS supported |
-|:-----|:-----:|:-----|:-----|
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-
-### Block Adobe Reader from creating child processes
-
-This rule prevents attacks by blocking Adobe Reader from creating processes.
-
-Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-
-This rule was introduced in:
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: `Process creation from Adobe Reader (beta)`
-
-Configuration Manager name: Not yet available
-
-GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
-
-### Block all Office applications from creating child processes
-
-This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
-
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Office apps launching child processes`
-
-Configuration Manager name: `Block Office application from creating child processes`
-
-GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
-
-### Block credential stealing from the Windows local security authority subsystem
-
-This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
-
-LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
-
-> [!NOTE]
-> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Flag credential stealing from the Windows local security authority subsystem`
-
-Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
-
-GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
-
-### Block executable content from email client and webmail
-
-This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
-
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
-
-Microsoft Endpoint Manager name: `Block executable content from email client and webmail`
-
-GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
-
-> [!NOTE]
-> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use:
-> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
-> - Endpoint Manager: Block executable content download from email and webmail clients.
-> - Group Policy: Block executable content from email client and webmail.
-
-### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
-This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
-
-Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
-
-> [!IMPORTANT]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
->
->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
-
-Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
-
-GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
-
-### Block execution of potentially obfuscated scripts
-
-This rule detects suspicious properties within an obfuscated script.
-
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Obfuscated js/vbs/ps/macro code`
-
-Configuration Manager name: `Block execution of potentially obfuscated scripts`
-
-GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
-
-### Block JavaScript or VBScript from launching downloaded executable content
-
-This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
-
-Although not common, line-of-business applications sometimes use scripts to download and launch installers.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
-
-Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
-
-GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
-
-### Block Office applications from creating executable content
-
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-
-Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
-
-Intune name: `Office apps/macros creating executable content`
-
-SCCM name: `Block Office applications from creating executable content`
-
-GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
-
-### Block Office applications from injecting code into other processes
-
-This rule blocks code injection attempts from Office apps into other processes.
-
-Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
-
-There are no known legitimate business purposes for using code injection.
-
-This rule applies to Word, Excel, and PowerPoint.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Office apps injecting code into other processes (no exceptions)`
-
-Configuration Manager name: `Block Office applications from injecting code into other processes`
-
-GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
-
-### Block Office communication application from creating child processes
-
-This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
-
-This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
-
-> [!NOTE]
-> This rule applies to Outlook and Outlook.com only.
-
-This rule was introduced in:
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: `Process creation from Office communication products (beta)`
-
-Configuration Manager name: Not available
-
-GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
-
-### Block persistence through WMI event subscription
-
-This rule prevents malware from abusing WMI to attain persistence on a device.
-
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-
-This rule was introduced in:
-- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
-- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
-
-Intune name: Not available
-
-Configuration Manager name: Not available
-
-GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
-
-### Block process creations originating from PSExec and WMI commands
-
-This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
-
-> [!WARNING]
-> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: `Process creation from PSExec and WMI commands`
-
-Configuration Manager name: Not applicable
-
-GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
-
-### Block untrusted and unsigned processes that run from USB
-
-With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Untrusted and unsigned processes that run from USB`
-
-Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
-
-GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
-
-### Block Win32 API calls from Office macros
-
-This rule prevents VBA macros from calling Win32 APIs.
-
-Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Win32 imports from Office macro code`
-
-Configuration Manager name: `Block Win32 API calls from Office macros`
-
-GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
-
-### Use advanced protection against ransomware
-
-This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: `Advanced ransomware protection`
-
-Configuration Manager name: `Use advanced protection against ransomware`
-
-GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
-
-## See also
-
-- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
deleted file mode 100644
index 3ebf7ef6a5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Test how Microsoft Defender ATP features work in audit mode
-description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled.
-keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Test how Microsoft Defender for Endpoint features work in audit mode
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
-
-You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
-
-The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
-
-To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
-
-You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
-
-You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
- Audit options | How to enable audit mode | How to view events
--|-|-
-Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
-Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
-
-## Related topics
-
-* [Protect devices from exploits](exploit-protection.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Protect your network](network-protection.md)
-* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
deleted file mode 100644
index 0fb359840a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: View details and results of automated investigations
-description: Use the action center to view details and results following an automated investigation
-keywords: action, center, autoir, automated, investigation, response, remediation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
-ms.date: 09/24/2020
-ms.technology: mde
----
-
-# View details and results of automated investigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
-
-If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
-
->[!NOTE]
->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation.
-
-## The Action center
-
-
-
-The action center consists of two main tabs: **Pending actions** and **History**.
-- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
-- **History** Acts as an audit log for all of the following items:
- - Remediation actions that were taken as a result of an automated investigation
- - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
- - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone)
-
-Use the **Customize columns** menu to select columns that you'd like to show or hide.
-
-You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-## The Investigations page
-
-
-
-On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
-
-By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
-
-Use the **Customize columns** menu to select columns that you'd like to show or hide.
-
-From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-### Filters for the list of investigations
-
-On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
-
-|Filter |Description |
-|---------|---------|
-|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
-|**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation |
-|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. |
-|**Threat** |The category of threat detected during the automated investigation |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
-
-## Automated investigation status
-
-An automated investigation can have one of the following status values:
-
-|Status |Description |
-|---------|---------|
-| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
-| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
-| No threats found | The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
-| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
-| Remediated | The investigation finished and all actions were approved (fully remediated). |
-| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
-| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
-| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.
If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
-| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
-| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. |
-| Terminated by user | A user stopped the investigation before it could complete. |
-
-
-## View details about an automated investigation
-
-
-
-You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information.
-
-In this view, you'll see the name of the investigation, when it started and ended.
-
-### Investigation graph
-
-The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
-
-A progress ring shows two status indicators:
-- Orange ring - shows the pending portion of the investigation
-- Green ring - shows the running time portion of the investigation
-
-
-
-In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
-
-The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
-
-From this view, you can also view and add comments and tags about the investigation.
-
-### Alerts
-
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
-
-Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing.
-
-Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history.
-
-Clicking on an alert title brings you the alert page.
-
-### Devices
-
-The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
-
-Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
-
-Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users.
-
-Clicking on a device name brings you the device page.
-
-### Evidence
-
-The **Evidence** tab shows details related to threats associated with this investigation.
-
-### Entities
-
-The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found.
-
-### Log
-
-The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
-
-As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
-
-Available filters include action type, action, status, device name, and description.
-
-You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
-
-### Pending actions
-
-If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
-
-
-
-When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
-
-## Next steps
-
-- [View and approve remediation actions](manage-auto-investigation.md)
-
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-
-## See also
-
-- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
deleted file mode 100644
index 93e3809c2a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Use automated investigations to investigate and remediate threats
-description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
-keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.date: 12/07/2020
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
-ms.custom: AIR
----
-
-# Overview of automated investigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-
-
-Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. Want to see how it works? Watch the following video:
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
-
-The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
-
-> [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
-
-## How the automated investigation starts
-
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. To learn more about what happens after a verdict is reached, see [Automated investigation results and remediation actions](manage-auto-investigation.md#automated-investigation-results-and-remediation-actions).
-
->[!NOTE]
->Currently, AIR only supports the following OS versions:
->- Windows Server 2019
->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
->- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
-
-## Details of an automated investigation
-
-During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
-
-|Tab |Description |
-|:--|:--|
-|**Alerts**| The alert(s) that started the investigation.|
-|**Devices** |The device(s) where the threat was seen.|
-|**Evidence** |The entities that were found to be malicious during an investigation.|
-|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
-|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
-|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
-
-> [!IMPORTANT]
-> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
-
-## How an automated investigation expands its scope
-
-While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-
-If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
-
-## How threats are remediated
-
-As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-
-As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).)
-
-Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA).
-
-All remediation actions, whether pending or completed, can be viewed in the [Action Center](auto-investigation-action-center.md) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).)
-
-## Next steps
-
-- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md)
-- [Learn more about automation levels](automation-levels.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-
-## See also
-
-- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
-- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
-- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
deleted file mode 100644
index e17539d14a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Automation levels in automated investigation and remediation
-description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint
-keywords: automated, investigation, level, defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.date: 10/22/2020
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
-ms.custom: AIR
----
-
-# Automation levels in automated investigation and remediation capabilities
-
-Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.
-- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
-- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).)
-- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-> [!TIP]
-> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.
-
-## Levels of automation
-
-The following table describes each level of automation and how it works.
-
-|Automation level | Description|
-|:---|:---|
-|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.
***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* |
-|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.
*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*|
-|**Semi - require approval for core folders remediation**
(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).
Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.
Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.
Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
-|**Semi - require approval for non-temp folders remediation**
(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.
Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*`
Remediation actions can be taken automatically on files or executables that are in temporary folders.
Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.
Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
-|**No automated response**
(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.
***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. |
-
-## Important points about automation levels
-
-- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.
-
-- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default.
-
-- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out.
-
-- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-## Next steps
-
-- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)
-
-- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
deleted file mode 100644
index 9846c04523..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Use basic permissions to access Microsoft Defender Security Center
-description: Learn how to use basic permissions to access the Microsoft Defender Advanced Threat Protection portal.
-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Use basic permissions to access the portal
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- Azure Active Directory
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
-
-Refer to the instructions below to use basic permissions management.
-
-You can use either of the following solutions:
-- Azure PowerShell
-- Azure portal
-
-For granular control over permissions, [switch to role-based access control](rbac.md).
-
-## Assign user access using Azure PowerShell
-
-You can assign users with one of the following levels of permissions:
-- Full access (Read and Write)
-- Read-only access
-
-### Before you begin
-
-- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
-
- > [!NOTE]
- > You need to run the PowerShell cmdlets in an elevated command-line.
-
-- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0).
-
-**Full access**
-Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
-Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
-
-**Read-only access**
-Users with read-only access can log in, view all alerts, and related information.
-They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
-Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role.
-
-Use the following steps to assign security roles:
-
-- For **read and write** access, assign users to the security administrator role by using the following command:
-
- ```PowerShell
- Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
- ```
-
-- For **read-only** access, assign users to the security reader role by using the following command:
-
- ```PowerShell
- Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
- ```
-
-For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
-
-## Assign user access using the Azure portal
-
-For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
-
-## Related topic
-
-- [Manage portal access using RBAC](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
deleted file mode 100644
index fb60ac8f53..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ /dev/null
@@ -1,125 +0,0 @@
----
-title: Behavioral blocking and containment
-description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
-keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: m365-security
-ms.localizationpriority: medium
-ms.custom:
- - next-gen
- - edr
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.technology: mde
----
-
-# Behavioral blocking and containment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Overview
-
-Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](https://docs.microsoft.com/windows/security).
-
-Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities.
-
-:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
-
-Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing.
-
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
-
-- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
-
-- [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
-
-With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
-
-The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
-
-:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
-
-## Components of behavioral blocking and containment
-
-- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
-
-- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
-
-- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
-
-- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
-
-Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
-
-## Examples of behavioral blocking and containment in action
-
-Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
-
-- Credential dumping from LSASS
-- Cross-process injection
-- Process hollowing
-- User Account Control bypass
-- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
-- Contacting Command and Control (C&C) to download payloads
-- Coin mining
-- Boot record modification
-- Pass-the-hash attacks
-- Installation of root certificate
-- Exploitation attempt for various vulnerabilities
-
-Below are two real-life examples of behavioral blocking and containment in action.
-
-### Example 1: Credential theft attack against 100 organizations
-
-As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
-
-Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker’s techniques at two points in the attack chain:
-- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
-- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
-
-While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
-
-:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
-
-This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-
-### Example 2: NTLM relay - Juicy Potato malware variant
-
-As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
-
-:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
-
-The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
-
-Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
-
-:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
-
-A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
-
-This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
-
-## Next steps
-
-- [Learn more about Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
-
-- [Configure your attack surface reduction rules](attack-surface-reduction.md)
-
-- [Enable EDR in block mode](edr-in-block-mode.md)
-
-- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
-
-- [Get an overview of Microsoft 365 Defender ](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
deleted file mode 100644
index d7e2bcdf23..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Check the health state of the sensor in Microsoft Defender ATP
-description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data.
-keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Check sensor health state in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-
-The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
-
-There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:
-- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected.
-- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month.
-
-Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
-
-
-
-On **Devices list**, you can filter the health state list by the following status:
-- **Active** - Devices that are actively reporting to the Defender for Endpoint service.
-- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
- - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
- - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
-- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service.
-
-You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
-
->[!NOTE]
->Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
-
-
-
-You can view the device details when you click on a misconfigured or inactive device.
-
-## Related topic
-- [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
deleted file mode 100644
index 095899b2c9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Client behavioral blocking
-description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
-keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: m365-security
-ms.localizationpriority: medium
-ms.custom:
- - next-gen
- - edr
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.technology: mde
----
-
-# Client behavioral blocking
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Overview
-
-Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
-
-:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
-
-Antivirus protection works best when paired with cloud protection.
-
-## How client behavioral blocking works
-
-[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
-
-Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
-
-## Behavior-based detections
-
-Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
-
-
-|Tactic | Detection threat name |
-|----|----|
-|Initial Access | Behavior:Win32/InitialAccess.*!ml |
-|Execution | Behavior:Win32/Execution.*!ml |
-|Persistence | Behavior:Win32/Persistence.*!ml |
-|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
-|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
-|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
-|Discovery | Behavior:Win32/Discovery.*!ml |
-|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
-|Collection | Behavior:Win32/Collection.*!ml |
-|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
-|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
-|Impact | Behavior:Win32/Impact.*!ml |
-|Uncategorized | Behavior:Win32/Generic.*!ml |
-
-> [!TIP]
-> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
-
-
-## Configuring client behavioral blocking
-
-If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured:
-
-- [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
-
-- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
-
-- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
-
-- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
-
-## Related articles
-
-- [Behavioral blocking and containment](behavioral-blocking-containment.md)
-
-- [Feedback-loop blocking](feedback-loop-blocking.md)
-
-- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
-
-- [Helpful Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
deleted file mode 100644
index dea6142742..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Collect investigation package API
-description: Use this API to create calls related to the collecting an investigation package from a device.
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Collect investigation package API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Collect investigation package from a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
-```
-
-```json
-{
- "Comment": "Collect forensics due to alert 1234"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
deleted file mode 100644
index c0c401ff5c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Common Microsoft Defender ATP API errors
-description: List of common Microsoft Defender ATP API errors with descriptions.
-keywords: apis, mdatp api, errors, troubleshooting
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Common REST API error codes
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs.
-* Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
-* Note that the message is a free text that can be changed.
-* At the bottom of the page you can find response examples.
-
-Error code |HTTP status code |Message
-:---|:---|:---
-BadRequest | BadRequest (400) | General Bad Request error message.
-ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
-InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
-InvalidRequestBody | BadRequest (400) | Invalid request body.
-InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
-InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
-InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
-InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
-MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
-MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
-OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
-ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
-Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header).
-Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
-DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
-DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
-NotFound | Not Found (404) | General Not Found error message.
-ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
-InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
-TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU.
-
-## Body parameters are case-sensitive
-
-The submitted body parameters are currently case-sensitive.
-
If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
-
We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example.
-
-## Correlation request ID
-
-Each error response contains a unique ID parameter for tracking.
-
The property name of this parameter is "target".
-
When contacting us about an error, attaching this ID will help find the root cause of the problem.
-
-## Examples
-
-```json
-{
- "error": {
- "code": "ResourceNotFound",
- "message": "Machine 123123123 was not found",
- "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
- }
-}
-```
-
-
-```json
-{
- "error": {
- "code": "InvalidRequestBody",
- "message": "Request body is incorrect",
- "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
- }
-}
-```
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md
deleted file mode 100644
index d229d8aea0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/community.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Access the Microsoft Defender ATP Community Center
-description: Access the Microsoft Defender ATP Community Center to share experiences, engange, and learn about the product.
-keywords: community, community center, tech community, conversation, announcements
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-
-# Access the Microsoft Defender for Endpoint Community Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
-The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
-
-There are several spaces you can explore to learn about specific information:
-- Announcements
-- What's new
-- Threat Intelligence
-
-
-There are several ways you can access the Community Center:
-- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page.
-- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
-
-
-You can instantly view and read conversations that have been posted in the community.
-
-To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
deleted file mode 100644
index 96b9d372c8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Enable Conditional Access to better protect users, devices, and data
-description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
-keywords: conditional access, block applications, security level, intune,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Enable Conditional Access to better protect users, devices, and data
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
-
-Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1]
-
-With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
-
-You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
-
-The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
-
-The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
-
-## Understand the Conditional Access flow
-Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
-
-The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
-
-Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
-
-For example, you can configure Intune to apply Conditional Access on devices that have a high risk.
-
-In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
-
- A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
-
-To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.
-
-There are three ways to address a risk:
-1. Use Manual or automated remediation.
-2. Resolve active alerts on the device. This will remove the risk from the device.
-3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
-
-Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
-
-When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
-
-The following example sequence of events explains Conditional Access in action:
-
-1. A user opens a malicious file and Defender for Endpoint flags the device as high risk.
-2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
-3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
-4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
-5. Users can now access applications.
-
-
-## Related topic
-- [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md)
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
deleted file mode 100644
index 873f96e24e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
-description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
-keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure Micro Focus ArcSight to pull Defender for Endpoint detections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-
-You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections.
-
->[!Note]
->- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections
->- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
-
-## Before you begin
-
-Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
-
-This section guides you in getting the necessary information to set and use the required configuration files correctly.
-
-- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
-
-- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- - OAuth 2.0 Token refresh URL
- - OAuth 2.0 Client ID
- - OAuth 2.0 Client secret
-
-- Have the following configuration files ready:
- - WDATP-connector.properties
- - WDATP-connector.jsonparser.properties
-
- You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
-
-- Make sure you generate the following tokens and have them ready:
- - Access token
- - Refresh token
-
- You can generate these tokens from the **SIEM integration** setup section of the portal.
-
-## Install and configure Micro Focus ArcSight FlexConnector
-
-The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
-
-1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
-
-2. Follow the installation wizard through the following tasks:
- - Introduction
- - Choose Install Folder
- - Choose Install Set
- - Choose Shortcut Folder
- - Pre-Installation Summary
- - Installing...
-
- You can keep the default values for each of these tasks or modify the selection to suit your requirements.
-
-3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example:
-
- - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
-
- - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
-
- > [!NOTE]
- >
- > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
-
-4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
-
-5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
-
-6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
-
-
-
-
-
- Field
- Value
-
-
- Configuration File
- Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
- For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
- Events URL
- Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
-
- For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
-
- Authentication Type
- OAuth 2
- OAuth 2 Client Properties file
- Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
-
-
-
- Refresh Token
- You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
-
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Defender for Endpoint. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
-
-
-7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
-
- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
-
- If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
-
-8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
-
-9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
-
-10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
-
-11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
-
-12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
-
-13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
-
-14. Select **Install as a service** and click **Next**.
-
-15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
-
-16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
-
-17. Finish the installation by selecting **Exit** and **Next**.
-
-## Install and configure the Micro Focus ArcSight console
-
-1. Follow the installation wizard through the following tasks:
- - Introduction
- - License Agreement
- - Special Notice
- - Choose ArcSight installation directory
- - Choose Shortcut Folder
- - Pre-Installation Summary
-
-2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
-
-3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
-
-4. Select **Use direct connection**, then click **Next**.
-
-5. Select **Password Based Authentication**, then click **Next**.
-
-6. Select **This is a single user installation. (Recommended)**, then click **Next**.
-
-7. Click **Done** to quit the installer.
-
-8. Login to the Micro Focus ArcSight console.
-
-9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
-
-10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
-
-You can now run queries in the Micro Focus ArcSight console.
-
-Defender for Endpoint detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
-
-
-## Troubleshooting Micro Focus ArcSight connection
-
-**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
-
-**Symptom:** You get the following error message:
-
-`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
-
-**Solution:**
-
-1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
-
-2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
- `reauthenticate=true`.
-
-3. Restart the connector by running the following command: `arcsight.bat connectors`.
-
- A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
-
-> [!NOTE]
-> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
-
-## Related topics
-- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
-- [Configure Splunk to pull Defender for Endpoint detections](configure-splunk.md)
-- [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
deleted file mode 100644
index 3db29d7045..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Configure attack surface reduction
-description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction.
-keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure attack surface reduction
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-You can configure attack surface reduction with a number of tools, including:
-
-* Microsoft Intune
-* Microsoft Endpoint Configuration Manager
-* Group Policy
-* PowerShell cmdlets
-
-Article | Description
--|-
-[Enable hardware-based isolation for Microsoft Edge](../microsoft-defender-application-guard/install-md-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
-[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
-[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
-[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware
-[Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
deleted file mode 100644
index c7e2f8158e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Configure automated investigation and remediation capabilities
-description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
-keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
----
-
-# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
-
-To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups).
-
-## Turn on automated investigation and remediation
-
-1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, choose **Settings**.
-3. In the **General** section, select **Advanced features**.
-4. Turn on both **Automated Investigation** and **Automatically resolve alerts**.
-
-## Set up device groups
-
-1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
-2. Select **+ Add device group**.
-3. Create at least one device group, as follows:
- - Specify a name and description for the device group.
- - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
- - In the **Members** section, use one or more conditions to identify and include devices.
- - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating.
-4. Select **Done** when you're finished setting up your device group.
-
-## Next steps
-
-- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
-
-- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation)
-
-- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
deleted file mode 100644
index b6c75e30e5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Configure Conditional Access in Microsoft Defender ATP
-description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
-keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure Conditional Access in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-This section guides you through all the steps you need to take to properly implement Conditional Access.
-
-### Before you begin
->[!WARNING]
->It's important to note that Azure AD registered devices is not supported in this scenario.
->Only Intune enrolled devices are supported.
-
-
-You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
-
-
-- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
-- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
-- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
-
-
-
-There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
-
-It's important to note the required roles to access these portals and implement Conditional access:
-- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
-- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
-- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
-
-
-> [!NOTE]
-> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
-
-Take the following steps to enable Conditional Access:
-- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
-- Step 2: Turn on the Defender for Endpoint integration in Intune
-- Step 3: Create the compliance policy in Intune
-- Step 4: Assign the policy
-- Step 5: Create an Azure AD Conditional Access policy
-
-
-### Step 1: Turn on the Microsoft Intune connection
-1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
-2. Toggle the Microsoft Intune setting to **On**.
-3. Click **Save preferences**.
-
-
-### Step 2: Turn on the Defender for Endpoint integration in Intune
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Device compliance** > **Microsoft Defender ATP**.
-3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**.
-4. Click **Save**.
-
-
-### Step 3: Create the compliance policy in Intune
-1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies** > **Create policy**.
-3. Enter a **Name** and **Description**.
-4. In **Platform**, select **Windows 10 and later**.
-5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
-
- - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
- - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
- - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
- - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
-
-6. Select **OK**, and **Create** to save your changes (and create the policy).
-
-### Step 4: Assign the policy
-1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies**> select your Microsoft Defender ATP compliance policy.
-3. Select **Assignments**.
-4. Include or exclude your Azure AD groups to assign them the policy.
-5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
-
-### Step 5: Create an Azure AD Conditional Access policy
-1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
-2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
-3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
-
-4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
-
-5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
-
-6. Select **Enable policy**, and then **Create** to save your changes.
-
-For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
deleted file mode 100644
index 834863b741..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Configure alert notifications in Microsoft Defender ATP
-description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria.
-keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure alert notifications in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
-
-You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
-
-> [!NOTE]
-> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
-
-You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md).
-
-If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
-Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope.
-Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
-
-The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
-
-
-## Create rules for alert notifications
-You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
-
-
-1. In the navigation pane, select **Settings** > **Alert notifications**.
-
-2. Click **Add notification rule**.
-
-3. Specify the General information:
- - **Rule name** - Specify a name for the notification rule.
- - **Include organization name** - Specify the customer name that appears on the email notification.
- - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
- - **Include device information** - Includes the device name in the email alert body.
-
- >[!NOTE]
- > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data.
-
- - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md).
- - **Alert severity** - Choose the alert severity level.
-
-4. Click **Next**.
-
-5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses.
-
-6. Check that email recipients are able to receive the email notifications by selecting **Send test email**.
-
-7. Click **Save notification rule**.
-
-## Edit a notification rule
-1. Select the notification rule you'd like to edit.
-
-2. Update the General and Recipient tab information.
-
-3. Click **Save notification rule**.
-
-
-## Delete notification rule
-
-1. Select the notification rule you'd like to delete.
-
-2. Click **Delete**.
-
-
-## Troubleshoot email notifications for alerts
-This section lists various issues that you may encounter when using email notifications for alerts.
-
-**Problem:** Intended recipients report they are not getting the notifications.
-
-**Solution:** Make sure that the notifications are not blocked by email filters:
-
-1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
-2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
-3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
-
-## Related topics
-- [Update data retention settings](data-retention-settings.md)
-- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
deleted file mode 100644
index 1aef8eda63..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ /dev/null
@@ -1,239 +0,0 @@
----
-title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
-description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
-keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Onboard Windows 10 devices using Group Policy
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Group Policy
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
-
-
-> [!NOTE]
-> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
-
-> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
-
-## Onboard devices using Group Policy
-
-[](images/onboard-gp.png#lightbox)
-
-
-Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-
-
-
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- a. In the navigation pane, select **Settings** > **Onboarding**.
-
- b. Select Windows 10 as the operating system.
-
- c. In the **Deployment method** field, select **Group policy**.
-
- d. Click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-
-4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
-
-6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-
-7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-
-8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
-
-9. Click **OK** and close any open GPMC windows.
-
->[!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
-
-## Additional Defender for Endpoint configuration settings
-For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-
-You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
-
-### Configure sample collection settings
-1. On your GP management device, copy the following files from the
- configuration package:
-
- a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
-
- b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
-
- If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the
- configuration package:
-
- a. Copy _AtpConfiguration.admx_ into _\\\\\
-Key type is a D-WORD.
-Possible values are:
-- 0 - doesn't allow sample sharing from this device
-- 1 - allows sharing of all file types from this device
-
-The default value in case the registry key doesn’t exist is 1.
-
-For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
-
-
-## Other recommended configuration settings
-After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
-
-### Device collection configuration
-If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
-
-
-### Next generation protection configuration
-The following configuration settings are recommended:
-
-**Scan**
-- Scan removable storage devices such as USB drives: Yes
-
-**Real-time Protection**
-- Enable Behavioral Monitoring: Yes
-- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
-
-**Cloud Protection Service**
-- Cloud Protection Service membership type: Advanced membership
-
-**Attack surface reduction**
-Configure all available rules to Audit.
-
->[!NOTE]
-> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
-
-
-**Network protection**
-Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
-
-
-**Controlled folder access**
-Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
-
-For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
-
-
-## Offboard devices using Configuration Manager
-
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
-
-> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-
-### Offboard devices using Microsoft Endpoint Manager current branch
-
-If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
-
-### Offboard devices using System Center 2012 R2 Configuration Manager
-
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- a. In the navigation pane, select **Settings** > **Offboarding**.
-
- b. Select Windows 10 as the operating system.
-
- c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
-
- d. Select **Download package**, and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-
-3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
-
- a. Choose a predefined device collection to deploy the package to.
-
-> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
-
-
-## Monitor device configuration
-
-If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
-
-If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
-
-1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
-
-2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service).
-
-### Confirm the configuration package has been correctly deployed
-
-1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
-
-2. Select **Overview** and then **Deployments**.
-
-3. Select on the deployment with the package name.
-
-4. Review the status indicators under **Completion Statistics** and **Content Status**.
-
- If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md).
-
- 
-
-### Check that the devices are compliant with the Microsoft Defender ATP service
-
-You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
-
-This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices.
-
-Monitor the following registry key entry:
-```
-Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
-Name: “OnboardingState”
-Value: “1”
-```
-For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
-- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
-- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
deleted file mode 100644
index 4bfafb3193..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: Onboard Windows 10 devices using a local script
-description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
-keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Onboard Windows 10 devices using a local script
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-
-You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
-
-> [!IMPORTANT]
-> This script has been optimized for use on up to 10 devices.
->
-> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
-
-## Onboard devices
-
-[](images/onboard-script.png#lightbox)
-
-
-Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-
-
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
-
-
-2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
- 
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
-
-5. Press the **Enter** key or click **OK**.
-
-For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md).
-
-
->[!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md).
-
-## Configure sample collection settings
-For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-
-You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
-
-The configuration is set through the following registry key entry:
-
-```console
-Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
-Name: "AllowSampleCollection"
-Value: 0 or 1
-```
-Where:
-Name type is a D-WORD.
-Possible values are:
-- 0 - doesn't allow sample sharing from this device
-- 1 - allows sharing of all file types from this device
-
-The default value in case the registry key doesn’t exist is 1.
-
-
-## Offboard devices using a local script
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Offboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-
-3. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
- 
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
-
-5. Press the **Enter** key or click **OK**.
-
-> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
-
-
-## Monitor device configuration
-You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running.
-
-Monitoring can also be done directly on the portal, or by using the different deployment tools.
-
-### Monitor devices using the portal
-1. Go to Microsoft Defender Security Center.
-
-2. Click **Devices list**.
-
-3. Verify that devices are appearing.
-
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
-- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md)
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
deleted file mode 100644
index 7eb2606edf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
-description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
-keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/16/2020
-ms.technology: mde
----
-
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Virtual desktop infrastructure (VDI) devices
-
->[!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported.
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
-
-## Onboard non-persistent virtual desktop infrastructure (VDI) devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Defender for Endpoint supports non-persistent VDI session onboarding.
-
->[!Note]
->To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019.
->
->While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported.
-
-There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
-
-- Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
-- The device name is typically reused for new sessions.
-
-VDI devices can appear in Defender for Endpoint portal as either:
-
-- Single entry for each device.
-Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
-- Multiple entries for each device - one for each session.
-
-The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
-
->[!WARNING]
-> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
-
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
-
- 1. Click **Download package** and save the .zip file.
-
-2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
-
- 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
-
- 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
-
- > [!NOTE]
- > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
-
-3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
-
- > [!NOTE]
- > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
-
-4. Depending on the method you'd like to implement, follow the appropriate steps:
- **For single entry for each device**:
-
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
-
- **For multiple entries for each device**:
-
- Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
-
-5. Test your solution:
-
- 1. Create a pool with one device.
-
- 1. Logon to device.
-
- 1. Logoff from device.
-
- 1. Logon to device with another user.
-
- 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
- **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
-
-6. Click **Devices list** on the Navigation pane.
-
-7. Use the search function by entering the device name and select **Device** as search type.
-
-## Updating non-persistent virtual desktop infrastructure (VDI) images
-As a best practice, we recommend using offline servicing tools to patch golden/master images.
-For example, you can use the below commands to install an update while the image remains offline:
-
-```console
-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
-DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
-DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
-```
-
-For more information on DISM commands and offline servicing, please refer to the articles below:
-- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
-- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
-
-If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
-
-1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
-
-2. Ensure the sensor is stopped by running the command below in a CMD window:
-
- ```console
- sc query sense
- ```
-
-3. Service the image as needed.
-
-4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
-
- ```console
- PsExec.exe -s cmd.exe
- cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
- del *.* /f /s /q
- REG DELETE “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
- exit
- ```
-
-5. Re-seal the golden/master image as you normally would.
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
deleted file mode 100644
index 7bf86ff101..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Onboarding tools and methods for Windows 10 devices
-description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Onboarding tools and methods for Windows 10 devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
-
-Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
-
-The following deployment tools and methods are supported:
-
-- Group Policy
-- Microsoft Endpoint Configuration Manager
-- Mobile Device Management (including Microsoft Intune)
-- Local script
-
-## In this section
-Topic | Description
-:---|:---
-[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
-[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
-[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
-[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
-[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
deleted file mode 100644
index d42925b857..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Optimize ASR rule deployment and detections
-description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Optimize ASR rule deployment and detections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
-
-[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
-
-
-*Attack surface management card*
-
-The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
-
-* Understand how ASR rules are currently deployed in your organization.
-* Review ASR detections and identify possible incorrect detections.
-* Analyze the impact of exclusions and generate the list of file paths to exclude.
-
-Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
-
-
-The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
-
-> [!NOTE]
-> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
-
-For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
-
-**Related topics**
-
-* [Ensure your devices are configured properly](configure-machines.md)
-* [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md)
-* [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
deleted file mode 100644
index a755aece6d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Get devices onboarded to Microsoft Defender ATP
-description: Track onboarding of Intune-managed devices to Microsoft Defender ATP and increase onboarding rate.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get devices onboarded to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
-
-Before you can track and manage onboarding of devices:
-- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
-- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
-
-## Discover and track unprotected devices
-
-The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices.
-
-
-*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
-
->[!NOTE]
->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices.
-
-## Onboard more devices with Intune profiles
-
-Defender for Endpoint provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Defender for Endpoint sensor to select devices, effectively onboarding these devices to the service.
-
-From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
-
-
- *Microsoft Defender ATP device compliance page on Intune device management*
-
->[!TIP]
->Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
-
->[!NOTE]
-> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
-
-From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either:
-
-- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
-- Create the device configuration profile from scratch.
-
-For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-## Related topics
-- [Ensure your devices are configured properly](configure-machines.md)
-- [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
deleted file mode 100644
index fdb402917b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Increase compliance to the Microsoft Defender ATP security baseline
-description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
-keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Increase compliance to the Microsoft Defender for Endpoint security baseline
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection.
-
-To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
-
-Before you can deploy and track compliance to security baselines:
-- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
-- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
-
-## Compare the Microsoft Defender ATP and the Windows Intune security baselines
-The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
-
-- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
-- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
-
-Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
-
->[!NOTE]
->The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
-
-## Monitor compliance to the Defender for Endpoint security baseline
-
-The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline.
-
-
-*Card showing compliance to the Defender for Endpoint security baseline*
-
-Each device is given one of the following status types:
-
-- **Matches baseline**—device settings match all the settings in the baseline
-- **Does not match baseline**—at least one device setting doesn't match the baseline
-- **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state
-- **Not applicable**—At least one baseline setting isn't applicable on the device
-
-To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
-
->[!NOTE]
->You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
-
-## Review and assign the Microsoft Defender for Endpoint security baseline
-
-Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
-
-1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
-
- >[!TIP]
- > Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
-
-
-2. Create a new profile.
-
- 
- *Microsoft Defender for Endpoint security baseline overview on Intune*
-
-3. During profile creation, you can review and adjust specific settings on the baseline.
-
- 
- *Security baseline options during profile creation on Intune*
-
-4. Assign the profile to the appropriate device group.
-
- 
- *Assigning the security baseline profile on Intune*
-
-5. Create the profile to save it and deploy it to the assigned device group.
-
- 
- *Creating the security baseline profile on Intune*
-
->[!TIP]
->Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-## Related topics
-- [Ensure your devices are configured properly](configure-machines.md)
-- [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
deleted file mode 100644
index b48a92f312..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Ensure your devices are configured properly
-description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Ensure your devices are configured properly
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
-
-- Onboard to Microsoft Defender for Endpoint
-- Meet or exceed the Defender for Endpoint security baseline configuration
-- Have strategic attack surface mitigations in place
-
-Click **Configuration management** from the navigation menu to open the Device configuration management page.
-
-
-*Device configuration management page*
-
-You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
-
-In doing so, you benefit from:
-- Comprehensive visibility of the events on your devices
-- Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators
-- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
-- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
-
-## Enroll devices to Intune management
-
-Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices.
-
-Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
-
->[!NOTE]
->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
-
->[!TIP]
->To optimize device management through Intune, [connect Intune to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
-
-## Obtain required permissions
-By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
-
-If you have been assigned other roles, ensure you have the necessary permissions:
-
-- Full permissions to device configurations
-- Full permissions to security baselines
-- Read permissions to device compliance policies
-- Read permissions to the organization
-
-
-*Device configuration permissions on Intune*
-
->[!TIP]
->To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
-
-## In this section
-Topic | Description
-:---|:---
-[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune.
-[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
-[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
deleted file mode 100644
index f961d52e99..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Configure and manage Microsoft Threat Experts capabilities
-ms.reviewer:
-description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work.
-keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
-search.product: Windows 10
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Configure and manage Microsoft Threat Experts capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Before you begin
-> [!NOTE]
-> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
-
-Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
-
-Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
-
-## Register to Microsoft Threat Experts managed threat hunting service
-If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal.
-
-1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
-
-2. Click **Apply**.
-
- 
-
-3. Enter your name and email address so that Microsoft can get back to you on your application.
-
- 
-
-4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
-
- 
-
-6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
-
-## Receive targeted attack notification from Microsoft Threat Experts
-You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
-- The Defender for Endpoint portal's **Alerts** dashboard
-- Your email, if you choose to configure it
-
-To receive targeted attack notifications through email, create an email notification rule.
-
-### Create an email notification rule
-You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
-
-## View the targeted attack notification
-You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
-
-1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
-
-2. From the dashboard, select the same alert topic that you got from the email, to view the details.
-
-
-## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
-You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
-
-> [!NOTE]
-> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
-> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
-
-1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
-
-2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
-
- 
-
- A flyout screen opens. The following screen shows when you are on a trial subscription.
-
- 
-
- The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
-
- 
-
- The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
-
-3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
-
-4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
-
-> [!NOTE]
-> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
-
-Watch this video for a quick overview of the Microsoft Services Hub.
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
-
-
-
-## Sample investigation topics that you can consult with Microsoft Threat Experts
-
-**Alert information**
-- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
-- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
-- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored?
-- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
-
-**Possible machine compromise**
-- Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
-- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
-
-**Threat intelligence details**
-- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
-- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor?
-
-**Microsoft Threat Experts’ alert communications**
-- Can your incident response team help us address the targeted attack notification that we got?
-- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
-- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
-
- >[!NOTE]
- >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
-
-## Scenario
-
-### Receive a progress report about your managed hunting inquiry
-Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
-- More information is needed to continue with the investigation
-- A file or several file samples are needed to determine the technical context
-- Investigation requires more time
-- Initial information was enough to conclude the investigation
-
-It is crucial to respond in quickly to keep the investigation moving.
-
-## Related topic
-- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
deleted file mode 100644
index bb8199f49c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Configure alert notifications that are sent to MSSPs
-description: Configure alert notifications that are sent to MSSPs
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure alert notifications that are sent to MSSPs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
-
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Access the MSSP customer portal](access-mssp-portal.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
deleted file mode 100644
index f6521931c0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Configure managed security service provider support
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure managed security service provider integration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
-
->[!NOTE]
->The following terms are used in this article to distinguish between the service provider and service consumer:
-> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
-> - MSSP customers: Organizations that engage the services of MSSPs.
-
-The integration will allow MSSPs to take the following actions:
-
-- Get access to MSSP customer's Microsoft Defender Security Center portal
-- Get email notifications, and
-- Fetch alerts through security information and event management (SIEM) tools
-
-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.
-
-
-Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
-
-
-In general, the following configuration steps need to be taken:
-
-
-- **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
-
-
-- **Configure alert notifications sent to MSSPs**
-This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
-
-- **Fetch alerts from MSSP customer's tenant into SIEM system**
-This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
-
-- **Fetch alerts from MSSP customer's tenant using APIs**
-This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
-
-## Multi-tenant access for MSSPs
-For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
-
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Access the MSSP customer portal](access-mssp-portal.md)
-- [Configure alert notifications](configure-mssp-notifications.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
deleted file mode 100644
index 712d30276f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ /dev/null
@@ -1,226 +0,0 @@
----
-title: Configure device proxy and Internet connection settings
-description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service.
-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Configure device proxy and Internet connectivity settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-
-The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.
-
-The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service.
-
->[!TIP]
->For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
-
-The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
-
-- Auto-discovery methods:
- - Transparent proxy
- - Web Proxy Auto-discovery Protocol (WPAD)
-
- > [!NOTE]
- > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-
-- Manual static proxy configuration:
- - Registry based configuration
- - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
-
-## Configure the proxy server manually using a registry-based static proxy
-
-Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet.
-
-The static proxy is configurable through Group Policy (GP). The group policy can be found under:
-
-- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
- 
-- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- - Configure the proxy:
- 
-
- The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
-
- The registry value `TelemetryProxyServer` takes the following string format:
-
- ```text
-
| Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
-
-
-If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
-
-> [!NOTE]
-> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
-
-
-> [!NOTE]
-> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
-
-
-> [!NOTE]
-> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
-
-If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
-
-### Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server
-
-The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
-
-|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
-|------|---------|--------|--------|
-|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.blob.core.windows.net |Port 443 |Outbound|Yes |
-|*.azure-automation.net |Port 443 |Outbound|Yes |
-
-
-> [!NOTE]
-> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
-
-## Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements
-
-Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.
-
-1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
-
-2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal.
-
-3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
-
-4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)).
-
-
-
-The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal.
-
-The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results.
-
-> [!NOTE]
-> In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).
-
-## Verify client connectivity to Microsoft Defender ATP service URLs
-
-Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
-
-1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on.
-
-2. Extract the contents of MDATPClientAnalyzer.zip on the device.
-
-3. Open an elevated command-line:
-
- a. Go to **Start** and type **cmd**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-4. Enter the following command and press **Enter**:
-
- ```PowerShell
- HardDrivePath\MDATPClientAnalyzer.cmd
- ```
-
- Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
-
- ```PowerShell
- C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
- ```
-
-5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
-
-6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
- The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
-
- ```text
- Testing URL : https://xxx.microsoft.com/xxx
- 1 - Default proxy: Succeeded (200)
- 2 - Proxy auto discovery (WPAD): Succeeded (200)
- 3 - Proxy disabled: Succeeded (200)
- 4 - Named proxy: Doesn't exist
- 5 - Command line proxy: Doesn't exist
- ```
-
-If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
-
-However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
-
-> [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
-
-
-> [!NOTE]
-> When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy.
-
-## Related topics
-
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
deleted file mode 100644
index 060c2d575a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ /dev/null
@@ -1,284 +0,0 @@
----
-title: Onboard Windows servers to the Microsoft Defender ATP service
-description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor.
-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Onboard Windows servers to the Microsoft Defender for Endpoint service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Windows Server 2008 R2 SP1
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server (SAC) version 1803 and later
-- Windows Server 2019 and later
-- Windows Server 2019 core edition
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-
-
-Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
-
-For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-
-For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
-
-
-
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
-
-You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options:
-
-- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)
-- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
-- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later)
-
-
-After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-
-
-> [!NOTE]
-> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
-
-
-### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
-You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
-
-If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
-
-In general, you'll need to take the following steps:
-1. Fulfill the onboarding requirements outlined in **Before you begin** section.
-2. Turn on server monitoring from Microsoft Defender Security center.
-3. Install and configure MMA for the server to report sensor data to Defender for Endpoint.
-4. Configure and update System Center Endpoint Protection clients.
-
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
-
-
-#### Before you begin
-Perform the following steps to fulfill the onboarding requirements:
-
- - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-
- - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
- - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-
- > [!NOTE]
- > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
-
-
-
-
-### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint
-
-1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
-
-2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
- On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
- - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
-
-> [!NOTE]
-> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
-
-
-
-
-### Configure Windows server proxy and Internet connectivity settings if needed
-If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server:
-
-
-- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)
-
-- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)
-
-If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.
-
-Once completed, you should see onboarded Windows servers in the portal within an hour.
-
-### Option 2: Onboard Windows servers through Azure Security Center
-1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
-
-3. Click **Onboard Servers in Azure Security Center**.
-
-4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-
-> [!NOTE]
-> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
-> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started.
-> - This is also required if the server is configured to use an OMS Gateway server as proxy.
-
-### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later
-You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
- in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
-
-After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-
-
-
-## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
-You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
-
-- [Local script](configure-endpoints-script.md)
-- [Group Policy](configure-endpoints-gp.md)
-- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
-- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
-
-> [!NOTE]
-> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
-> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
-
-Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
-
-1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
-
-2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
-
- 1. Set the following registry entry:
- - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- - Name: ForceDefenderPassiveMode
- - Type: REG_DWORD
- - Value: 1
-
- 1. Run the following PowerShell command to verify that the passive mode was configured:
-
- ```PowerShell
- Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
- ```
-
- 1. Confirm that a recent event containing the passive mode event is found:
-
- 
-
-3. Run the following command to check if Microsoft Defender AV is installed:
-
- ```sc.exe query Windefend```
-
- If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
- For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
-
-
-
-## Integration with Azure Security Center
-Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
-
-The following capabilities are included in this integration:
-- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
-
- > [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
-
-- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console.
-- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
-
-> [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
-Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.
-> - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
-Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
-
-
-
-## Configure and update System Center Endpoint Protection clients
-
-Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
-
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
-
-
-
-## Offboard Windows servers
-You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
-
-For other Windows server versions, you have two options to offboard Windows servers from the service:
-- Uninstall the MMA agent
-- Remove the Defender for Endpoint workspace configuration
-
-> [!NOTE]
-> Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.
-
-### Uninstall Windows servers by uninstalling the MMA agent
-To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint.
-For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
-
-### Remove the Defender for Endpoint workspace configuration
-To offboard the Windows server, you can use either of the following methods:
-
-- Remove the Defender for Endpoint workspace configuration from the MMA agent
-- Run a PowerShell command to remove the configuration
-
-#### Remove the Defender for Endpoint workspace configuration from the MMA agent
-
-1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
-
-2. Select the Defender for Endpoint workspace, and click **Remove**.
-
- 
-
-#### Run a PowerShell command to remove the configuration
-
-1. Get your Workspace ID:
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
-
- 
-
-2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
-
- ```powershell
- $ErrorActionPreference = "SilentlyContinue"
- # Load agent scripting object
- $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
- # Remove OMS Workspace
- $AgentCfg.RemoveCloudWorkspace("WorkspaceID")
- # Reload the configuration and apply changes
- $AgentCfg.ReloadConfiguration()
-
- ```
-
-
-
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
-- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
-- [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md)
-- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
deleted file mode 100644
index 570ac8e0e5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
-description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
-keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Pull detections to your SIEM tools
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-
-## Pull detections using security information and events management (SIEM) tools
-
->[!NOTE]
->- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-Defender for Endpoint supports security information and event management (SIEM) tools to pull detections. Defender for Endpoint exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
-
-Defender for Endpoint currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
-
-- IBM QRadar
-- Micro Focus ArcSight
-
-Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
-
-To use either of these supported SIEM tools, you'll need to:
-
-- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
-- Configure the supported SIEM tool:
- - [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
-
-For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md).
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
deleted file mode 100644
index 5c24aa1ae7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Configure vulnerability email notifications in Microsoft Defender for Endpoint
-description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events.
-keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure vulnerability email notifications in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
-
-Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability.
-
-> [!NOTE]
-> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
-
-The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added.
-
-If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
-Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
-
-The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
-
-## Create rules for alert notifications
-
-Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
-
-1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**.
-
-2. Select **Add notification rule**.
-
-3. Name the email notification rule and include a description.
-
-4. Check **Notification enabled** to activate the notification. Select **Next**
-
-5. Fill in the notification settings. Then select **Next**
-
- - Choose device groups to get notifications for.
- - Choose the vulnerability event(s) that you want to be notified about when they affect your organization.
- - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified.
- - Include organization name if you want the organization name in the email
-
-6. Enter the recipient email address then select **Add**. You can add multiple email addresses.
-
-7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it.
-
-## Edit a notification rule
-
-1. Select the notification rule you'd like to edit.
-
-2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule.
-
-## Delete notification rule
-
-1. Select the notification rule you'd like to delete.
-
-2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule.
-
-## Troubleshoot email notifications for alerts
-
-This section lists various issues that you may encounter when using email notifications for alerts.
-
-**Problem:** Intended recipients report they are not getting the notifications.
-
-**Solution:** Make sure that the notifications are not blocked by email filters:
-
-1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
-2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
-3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
deleted file mode 100644
index 77a5862d83..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Connected applications in Microsoft Defender ATP
-ms.reviewer:
-description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs.
-keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Connected applications in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Connected applications integrates with the Defender for Endpoint platform using APIs.
-
-Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app.
-
-You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application.
-
-## Access the connected application page
-From the left navigation menu, select **Partners & APIs** > **Connected AAD applications**.
-
-
-## View connected application details
-The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days.
-
-
-
-## Edit, reconfigure, or delete a connected application
-The **Open application settings** link opens the corresponding Azure AD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected applications.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md
deleted file mode 100644
index d82a536e7c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Contact Microsoft Defender for Endpoint support for US Government customers
-description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers
-keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ROBOTS: noindex,nofollow
-ms.technology: mde
----
-
-# Contact Microsoft Defender for Endpoint support for US Government customers
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
-
-## Using the right portal
-In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal:
-
-Environment | Portal URL
-:---|:---
-GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)
-GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us)
-GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
-DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
-
-If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true).
-
-## Opening a support case
-For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
deleted file mode 100644
index 4082593706..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Contact Microsoft Defender ATP support
-description: Learn how to contact Microsoft Defender ATP support
-keywords: support, contact, premier support, solutions, problems, case
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Contact Microsoft Defender for Endpoint support
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
-Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
-
-The new widget allows customers to:
-- Find solutions to common problems
-- Submit a support case to the Microsoft support team
-
-## Prerequisites
-It's important to know the specific roles that have permission to open support cases.
-
-At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role.
-
-
-For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case.
-
-For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
-
-
-## Access the widget
-Accessing the new support widget can be done in one of two ways:
-
-1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
-
- 
-
-2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center:
-
-
- 
-
-In the widget you will be offered two options:
-
-- Find solutions to common problems
-- Open a service request
-
-## Find solutions to common problems
-This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
-
-
-
-In case the suggested articles are not sufficient, you can open a service request.
-
-## Open a service request
-
-Learn how to open support tickets by contacting Defender for Endpoint support.
-
-
-
-
-### Contact support
-This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
-
-
-
-1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
-
-2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
-
-3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly.
-
-
-## Related topics
-- [Troubleshoot service issues](troubleshoot-mdatp.md)
-- [Check service health](service-status.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
deleted file mode 100644
index b6ab784185..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-title: Protect important folders from ransomware from encrypting your files with controlled folder access
-description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
-keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-audience: ITPro
-ms.date: 02/03/2021
-ms.reviewer: v-maave
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
----
-
-# Protect important folders with controlled folder access
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## What is controlled folder access?
-
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
-
-> [!NOTE]
-> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
-
-Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-> [!TIP]
-> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md).
-
-## How does controlled folder access work?
-
-Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
-
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders.
-
-Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
-
-Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
-
-## Why controlled folder access is important
-
-Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-
-The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
-
-You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-Controlled folder access is supported on the following versions of Windows:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-## Windows system folders are protected by default
-
-Windows system folders are protected by default, along with several other folders:
-
-- `c:\Users\
**Microsoft Defender for Endpoint Event** is required for the alert creation.
-
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
-
You can use an event found in Advanced Hunting API or Portal.
-
If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
-
An automatic investigation starts automatically on alerts created via the API.
-
-
-## Limitations
-1. Rate limitations for this API are 15 calls per minute.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alerts.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```
-POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
-## Request body
-
-In the request body, supply the following values (all are required):
-
-Property | Type | Description
-:---|:---|:---
-eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
-reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
-machineId | String | Id of the device on which the event was identified. **Required**.
-severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
-title | String | Title for the alert. **Required**.
-description | String | Description of the alert. **Required**.
-recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
-category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
-
-## Response
-
-If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
-```
-
-```json
-{
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "severity": "Low",
- "title": "example",
- "description": "example alert",
- "recommendedAction": "nothing",
- "eventTime": "2018-08-03T16:45:21.7115183Z",
- "reportId": "20776",
- "category": "Exploit"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
deleted file mode 100644
index 1f5d1af7b0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Create custom detection rules in Microsoft Defender ATP
-ms.reviewer:
-description: Learn how to create custom detection rules based on advanced hunting queries
-keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/20/2020
-ms.technology: mde
----
-
-# Create custom detection rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-
-> [!NOTE]
-> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## 1. Prepare the query.
-
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
-
->[!IMPORTANT]
->To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
-
-### Required columns in the query results
-
-To use a query for a custom detection rule, the query must return the following columns:
-
-- `Timestamp`
-- `DeviceId`
-- `ReportId`
-
-Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
-
-The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
-
-```kusto
-DeviceEvents
-| where Timestamp > ago(7d)
-| where ActionType == "AntivirusDetection"
-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
-| where count_ > 5
-```
-
-> [!TIP]
-> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
-
-## 2. Create a new rule and provide alert details.
-
-With the query in the query editor, select **Create detection rule** and specify the following alert details:
-
-- **Detection name**—name of the detection rule
-- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Alert title**—title displayed with alerts triggered by the rule
-- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
-- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
-- **Description**—more information about the component or activity identified by the rule
-- **Recommended actions**—additional actions that responders might take in response to an alert
-
-For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
-
-### Rule frequency
-
-When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
-
-- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
-- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
-- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
-- **Every hour**—runs hourly, checking data from the past 2 hours
-
-> [!TIP]
-> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
-
-Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-
-## 3. Choose the impacted entities.
-
-Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
-
-You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
-
-## 4. Specify actions.
-
-Your custom detection rule can automatically take actions on files or devices that are returned by the query.
-
-### Actions on devices
-
-These actions are applied to devices in the `DeviceId` column of the query results:
-
-- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
-- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
-- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
-- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
-- **Restrict app execution**—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)
-
-### Actions on files
-
-These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
-
-- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
-- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
-
-### Actions on users
-
-- **Mark user as compromised**—sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
-
-## 5. Set the rule scope.
-
-Set the scope to specify which devices are covered by the rule:
-
-- All devices
-- Specific device groups
-
-Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-
-## 6. Review and turn on the rule.
-
-After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
-
-You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-
-## Related topics
-
-- [View and manage custom detection rules](custom-detections-manage.md)
-- [Custom detections overview](overview-custom-detections.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
-- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
deleted file mode 100644
index 8089825d75..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: View and manage custom detection rules in Microsoft Defender ATP
-ms.reviewer:
-description: Learn how to view and manage custom detection rules
-keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-
-# View and manage custom detection rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-
-## Required permissions
-
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## View existing rules
-
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
-
-- **Last run**—when a rule was last run to check for query matches and generate alerts
-- **Last run status**—whether a rule ran successfully
-- **Next run**—the next scheduled run
-- **Status**—whether a rule has been turned on or off
-
-## View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run**—run the rule immediately. This action also resets the interval for the next run.
-- **Edit**—modify the rule without changing the query
-- **Modify query**—edit the query in advanced hunting
-- **Turn on** / **Turn off**—enable the rule or stop it from running
-- **Delete**—turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
-
-## Related topics
-- [Custom detections overview](overview-custom-detections.md)
-- [Create detection rules](custom-detection-rules.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
deleted file mode 100644
index 1da7a9ee99..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Customize attack surface reduction rules
-description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Customize attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
-
-Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
-
-You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
-
-## Exclude files and folders
-
-You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
-
-> [!WARNING]
-> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
-
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
-
-An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
-
-Rule description | GUID
--|-|-
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
-
-See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
-
-### Use Group Policy to exclude files and folders
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-
-> [!WARNING]
-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
-
-### Use PowerShell to exclude files and folders
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
-2. Enter the following cmdlet:
-
- ```PowerShell
- Add-MpPreference -AttackSurfaceReductionOnlyExclusions "
-You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs.
-
-**At contract termination or expiration**
-Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
-
-
-## Can Microsoft help us maintain regulatory compliance?
-
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
-
-By providing customers with compliant, independently verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
-
-For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
deleted file mode 100644
index a26df70136..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
-description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used.
-keywords: windows defender compatibility, defender, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- Windows Defender
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
-
-The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
-
->[!IMPORTANT]
->Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-
-You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-
-If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-
-Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-
-The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
-
-For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
deleted file mode 100644
index 6a64647a0c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ /dev/null
@@ -1,364 +0,0 @@
----
-title: Address false positives/negatives in Microsoft Defender for Endpoint
-description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint.
-keywords: alert, exclusion, defender atp, false positive, false negative
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.date: 01/27/2021
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola
-ms.custom: FPFN
----
-
-# Address false positives/negatives in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-
-In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
-
-
-
-Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process:
-
-1. [Review and classify alerts](#part-1-review-and-classify-alerts)
-2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
-3. [Review and define exclusions](#part-3-review-or-define-exclusions)
-4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
-5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
-
-And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article.
-
-
-
-> [!NOTE]
-> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).
-
-## Part 1: Review and classify alerts
-
-If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
-
-Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
-
-### Determine whether an alert is accurate
-
-Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, choose **Alerts queue**.
-3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
-4. Depending on the alert status, take the steps described in the following table:
-
-| Alert status | What to do |
-|:---|:---|
-| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
-| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
-| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
-
-### Classify an alert
-
-Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. Select **Alerts queue**, and then select an alert.
-3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
-4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
-
-> [!TIP]
-> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
-
-### Suppress an alert
-
-If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, select **Alerts queue**.
-3. Select an alert that you want to suppress to open its **Details** pane.
-4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.
-5. Specify all the settings for your suppression rule, and then choose **Save**.
-
-> [!TIP]
-> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
-
-## Part 2: Review remediation actions
-
-[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus:
-- Quarantine a file
-- Remove a registry key
-- Kill a process
-- Stop a service
-- Disable a driver
-- Remove a scheduled task
-
-Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone.
-
-After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can:
-- [Undo one action at a time](#undo-an-action);
-- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and
-- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices).
-
-When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions).
-
-### Review completed actions
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. Select the **History** tab to view a list of actions that were taken.
-3. Select an item to view more details about the remediation action that was taken.
-
-### Undo an action
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. On the **History** tab, select an action that you want to undo.
-3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
-
-### Undo multiple actions at one time
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. On the **History** tab, select the actions that you want to undo.
-3. In the pane on the right side of the screen, select **Undo**.
-
-### Remove a file from quarantine across multiple devices
-
-
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. On the **History** tab, select a file that has the Action type **Quarantine file**.
-3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
-
-## Part 3: Review or define exclusions
-
-An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
-
-To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
-- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
-- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
-
-> [!NOTE]
-> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint.
-
-The procedures in this section describe how to define exclusions and indicators.
-
-### Exclusions for Microsoft Defender Antivirus
-
-In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
-
-> [!TIP]
-> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
-
-#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies)
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
-3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
-4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
-5. Choose **Review + save**, and then choose **Save**.
-
-#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
-3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
-4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
-5. Specify a name and description for the profile, and then choose **Next**.
-6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
-7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
-8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
-9. On the **Review + create** tab, review the settings, and then choose **Create**.
-
-### Indicators for Microsoft Defender for Endpoint
-
-[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
-
-To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
-
-"Allow" indicators can be created for:
-
-- [Files](#indicators-for-files)
-- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
-- [Application certificates](#indicators-for-application-certificates)
-
-
-
-#### Indicators for files
-
-When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
-
-Before you create indicators for files, make sure the following requirements are met:
-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
-- Antimalware client version is 4.18.1901.x or later
-- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
-- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)
-
-#### Indicators for IP addresses, URLs, or domains
-
-When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
-
-Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:
-- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
-- Antimalware client version is 4.18.1906.x or later
-- Devices are running Windows 10, version 1709, or later
-
-Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features))
-
-#### Indicators for application certificates
-
-When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
-
-Before you create indicators for application certificates, make sure the following requirements are met:
-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
-- Antimalware client version is 4.18.1901.x or later
-- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
-- Virus and threat protection definitions are up to date
-
-> [!TIP]
-> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
-
-## Part 4: Submit a file for analysis
-
-You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions.
-
-### Submit a file for analysis
-
-If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis.
-
-1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
-2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s).
-
-### Submit a fileless detection for analysis
-
-If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10.
-
-1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\
-Full deployment | Ring 3: Roll out service to the rest of environment in larger increments
-
-
-
-### Exit criteria
-An example set of exit criteria for these rings can include:
-- Devices show up in the device inventory list
-- Alerts appear in dashboard
-- [Run a detection test](run-detection-test.md)
-- [Run a simulated attack on a device](attack-simulations.md)
-
-### Evaluate
-Identify a small number of test machines in your environment to onboard to the service. Ideally, these machines would be fewer than 50 endpoints.
-
-
-### Pilot
-Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring.
-
-The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service.
-
-| Endpoint | Deployment tool |
-|--------------|------------------------------------------|
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.
[Group Policy](configure-endpoints-gp.md)
[Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md) |
-| **macOS** | [Local script](mac-install-manually.md)
[Microsoft Endpoint Manager](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
-
-
-
-### Full deployment
-At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment.
-
-
-Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization.
-
-|**Item**|**Description**|
-|:-----|:-----|
-|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
[Group Policy](configure-endpoints-gp.md)
[Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md) |
-| **macOS** | [Local script](mac-install-manually.md)
[Microsoft Endpoint Manager](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
-
-
-## Step 3: Configure capabilities
-After onboarding endpoints, configure the security capabilities in Defender for Endpoint so that you can maximize the robust security protection available in the suite. Capabilities include:
-
-- Endpoint detection and response
-- Next-generation protection
-- Attack surface reduction
-
-
-
-## Related topics
-- [Deployment phases](deployment-phases.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
deleted file mode 100644
index 77bc0b62f7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Microsoft Defender ATP device timeline event flags
-description: Use Microsoft Defender ATP device timeline event flags to
-keywords: Defender ATP device timeline, event flags
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint device timeline event flags
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks.
-
-The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
-
-After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
-
-While navigating the device timeline, you can search and filter for specific events. You can set event flags by:
-
-- Highlighting the most important events
-- Marking events that requires deep dive
-- Building a clean breach timeline
-
-
-
-## Flag an event
-1. Find the event that you want to flag
-2. Click the flag icon in the Flag column.
-
-
-## View flagged events
-1. In the timeline **Filters** section, enable **Flagged events**.
-2. Click **Apply**. Only flagged events are displayed.
-You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf
deleted file mode 100644
index 3b499bf158..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
deleted file mode 100644
index 6e2df9e071..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
deleted file mode 100644
index b5683ec66f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
deleted file mode 100644
index 75f4bba554..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: Endpoint detection and response in block mode
-description: Learn about endpoint detection and response in block mode
-keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: m365-security
-ms.localizationpriority: medium
-ms.custom:
- - next-gen
- - edr
-ms.date: 01/26/2021
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.technology: mde
----
-
-# Endpoint detection and response (EDR) in block mode
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## What is EDR in block mode?
-
-[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
-
-EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled.
-
-:::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode":::
-
-> [!NOTE]
-> To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
-
-## What happens when something is detected?
-
-When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
-
-The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
-
-:::image type="content" source="images/edr-in-block-mode-detection.png" alt-text="EDR in block mode detected something":::
-
-
-## Enable EDR in block mode
-
-> [!IMPORTANT]
-> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-
-2. Choose **Settings** > **Advanced features**.
-
-3. Turn on **EDR in block mode**.
-
-> [!NOTE]
-> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
-
-## Requirements for EDR in block mode
-
-|Requirement |Details |
-|---------|---------|
-|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
-|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 |
-|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
-|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
-|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
-
-> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
-
-## Frequently asked questions
-
-### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
-
-We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
-
-### Will EDR in block mode have any impact on a user's antivirus protection?
-
-EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected.
-
-### Why do I need to keep Microsoft Defender Antivirus up to date?
-
-Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date.
-
-### Why do we need cloud protection on?
-
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
-
-### How do I set Microsoft Defender Antivirus to passive mode?
-
-See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-
-### How do I confirm Microsoft Defender Antivirus is in active or passive mode?
-
-To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
-
-#### Use PowerShell
-
-1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
-
-2. Type `Get-MpComputerStatus`.
-
-3. In the list of results, in the **AMRunningMode** row, look for one of the following values:
- - `Normal`
- - `Passive Mode`
- - `SxS Passive Mode`
-
-To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus).
-
-#### Use Command Prompt
-
-1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.
-
-2. Type `sc query windefend`.
-
-3. In the list of results, in the **STATE** row, confirm that the service is running.
-
-## See also
-
-- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
-- [Behavioral blocking and containment](behavioral-blocking-containment.md)
-- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
deleted file mode 100644
index c34737f912..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ /dev/null
@@ -1,204 +0,0 @@
----
-title: Enable attack surface reduction rules
-description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Enable attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Each ASR rule contains one of three settings:
-
-- Not configured: Disable the ASR rule
-- Block: Enable the ASR rule
-- Audit: Evaluate how the ASR rule would impact your organization if enabled
-
-To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
-
-> [!TIP]
-> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-
-You can enable attack surface reduction rules by using any of these methods:
-
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
-
-Enterprise-level management such as Intune or Microsoft Endpoint Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
-
-## Exclude files and folders from ASR rules
-
-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
-
-You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
-
-> [!IMPORTANT]
-> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
-> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-
-
-You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-
-The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
-
-## Intune
-
-1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
-
-2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-
-3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
-
- `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
-
-4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
-
-## MDM
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-
-The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
-
-`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-
-`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1`
-
-The values to enable, disable, or enable in audit mode are:
-
-- Disable = 0
-- Block (enable ASR rule) = 1
-- Audit = 2
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
-
-Example:
-
-`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-
-`Value: c:\path|e:\path|c:\Exclusions.exe`
-
-> [!NOTE]
-> Be sure to enter OMA-URI values without spaces.
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Select **Home** > **Create Exploit Guard Policy**.
-
-3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**.
-
-4. Choose which rules will block or audit actions and select **Next**.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
-
-## Group Policy
-
-> [!WARNING]
-> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
-
- Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
-
- - Disable = 0
- - Block (enable ASR rule) = 1
- - Audit = 2
-
- 
-
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-
-> [!WARNING]
-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
-
-## PowerShell
-
-> [!WARNING]
-> If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. To allow users to define the value using PowerShell, use the "User Defined" option for the rule in the management platform.
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -AttackSurfaceReductionRules_Ids
-
-4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-
-5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.
-
- > [!NOTE]
- > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-
-6. Select **OK** to save each open blade and **Create**.
-
-7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
-
-## Mobile Device Management (MDM)
-
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Select **Home** > **Create Exploit Guard Policy**.
-
-3. Enter a name and a description, select **Controlled folder access**, and select **Next**.
-
-4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
- > [!NOTE]
- > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
-
-## Group Policy
-
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-
-4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
- * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
- * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
- * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
- * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
- * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
-
- 
-
-> [!IMPORTANT]
-> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
-
-## PowerShell
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -EnableControlledFolderAccess Enabled
- ```
-
-You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
-
-Use `Disabled` to turn off the feature.
-
-## See also
-
-* [Protect important folders with controlled folder access](controlled-folders.md)
-* [Customize controlled folder access](customize-controlled-folders.md)
-* [Evaluate Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
deleted file mode 100644
index 84b77ed1ea..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ /dev/null
@@ -1,266 +0,0 @@
----
-title: Turn on exploit protection to help mitigate against attacks
-keywords: exploit, mitigation, attacks, vulnerability
-description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware.
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer: ksarens
-manager: dansimp
-ms.technology: mde
----
-
-# Enable exploit protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
-
-> [!IMPORTANT]
-> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
-
-Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
-
-You can enable each mitigation separately by using any of these methods:
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
-
-Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
-
-You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices.
-
-You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device.
-
-## Windows Security app
-
-1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**.
-
-2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**.
-
-3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, select it, and then select **Edit**.
- - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
-
-5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
-
-6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
- - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-
-7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
-
-If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
-
-|Enabled in **Program settings** | Enabled in **System settings** | Behavior |
-|:---|:---|:---|
-| |  | As defined in **Program settings** |
-| |  | As defined in **Program settings** |
-| |  | As defined in **System settings** |
-| |  | Default as defined in **Use default** option |
-
-### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
-
-Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
-
-The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied.
-
-### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
-
-Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
-
-Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-
-The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
-
-1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
-
-3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, select it, and then select **Edit**.
- - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-
-5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
-
-## Intune
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-
-2. Go to **Device configuration** > **Profiles** > **Create profile**.
-
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-
- 
-
-4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
-
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
-
- 
-
-6. Select **OK** to save each open blade, and then choose **Create**.
-
-7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**.
-
-## MDM
-
-Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
-
-## Microsoft Endpoint Manager
-
-1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**.
-
-2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**.
-
-3. Specify a name and a description, and then choose **Next**.
-
-4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**.
-
-5. Configure **Scope tags** and **Assignments** if necessary.
-
-6. Under **Review + create**, review the configuration and then choose **Create**.
-
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Select **Home** > **Create Exploit Guard Policy**.
-
-3. Specify a name and a description, select **Exploit protection**, and then choose **Next**.
-
-4. Browse to the location of the exploit protection XML file and select **Next**.
-
-5. Review the settings, and then choose **Next** to create the policy.
-
-6. After the policy is created, select **Close**.
-
-## Group Policy
-
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-
-4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**.
-
-## PowerShell
-
-You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
-
-```PowerShell
-Get-ProcessMitigation -Name processName.exe
-```
-
-> [!IMPORTANT]
-> System-level mitigations that have not been configured will show a status of `NOTSET`.
-> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
-> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
-> The default setting for each system-level mitigation can be seen in the Windows Security.
-
-Use `Set` to configure each mitigation in the following format:
-
-```PowerShell
-Set-ProcessMitigation -
-
-
- 
-
-3. Choose the SIEM type you use in your organization.
-
- > [!NOTE]
- > If you select HP ArcSight, you'll need to save these two configuration files:
- > - WDATP-connector.jsonparser.properties
- > - WDATP-connector.properties
-
- If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**.
-
-4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
-
-5. Select **Generate tokens** to get an access and refresh token.
-
- > [!NOTE]
- > You'll need to generate a new Refresh token every 90 days.
-
-6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
-
-You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
-
-## Integrate Microsoft Defender for Endpoint with IBM QRadar
-You can configure IBM QRadar to collect detections from Microsoft Defender for Endpoint. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
-
-## See also
-- [Configure HP ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)
-- [Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
deleted file mode 100644
index 836dcb090d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Evaluate Microsoft Defender for Endpoint
-ms.reviewer:
-description: Evaluate the different security capabilities in Microsoft Defender for Endpoint.
-keywords: attack surface reduction, evaluate, next, generation, protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Evaluate Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
-
-You can evaluate Microsoft Defender for Endpoint in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-
-You can also evaluate the different security capabilities in Microsoft Defender for Endpoint by using the following instructions.
-
-## Evaluate attack surface reduction
-
-These capabilities help prevent attacks and exploitations from infecting your organization.
-
-- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md)
-- [Evaluate exploit protection](./evaluate-exploit-protection.md)
-- [Evaluate network protection](./evaluate-exploit-protection.md)
-- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
-- [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
-- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-
-## Evaluate next-generation protection
-
-Next gen protections help detect and block the latest threats.
-
-- [Evaluate antivirus](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
-
-## See Also
-
-[Microsoft Defender for Endpoint overview](microsoft-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
deleted file mode 100644
index e5e1491d2b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Evaluate attack surface reduction rules
-description: See how attack surface reduction would block and prevent attacks with the custom demo tool.
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Evaluate attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
-
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.
-
-> [!TIP]
-> You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-## Use audit mode to measure impact
-
-Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.
-
-To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
-
-```PowerShell
-Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
-```
-
-> [!TIP]
-> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-
-You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.
-
-## Review attack surface reduction events in Windows Event Viewer
-
-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
-
-Event ID | Description
--|-
- 5007 | Event when settings are changed
- 1121 | Event when an attack surface reduction rule fires in block mode
- 1122 | Event when an attack surface reduction rule fires in audit mode
-
-## Customize attack surface reduction rules
-
-During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
-
-See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
-
-## See also
-
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
deleted file mode 100644
index e85e2cd887..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Evaluate controlled folder access
-description: See how controlled folder access can help protect files from being changed by malicious apps.
-keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Evaluate controlled folder access
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
-
-It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.
-
-This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
-
-> [!TIP]
-> You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-## Use audit mode to measure impact
-
-Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
-
-To enable audit mode, use the following PowerShell cmdlet:
-
-```PowerShell
-Set-MpPreference -EnableControlledFolderAccess AuditMode
-```
-
-> [!TIP]
-> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
-
-## Review controlled folder access events in Windows Event Viewer
-
-The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
-
-Event ID | Description
--|-
- 5007 | Event when settings are changed
- 1124 | Audited controlled folder access event
- 1123 | Blocked controlled folder access event
-
-> [!TIP]
-> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
-
-## Customize protected folders and apps
-
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-
-See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
-
-## See also
-
-* [Protect important folders with controlled folder access](controlled-folders.md)
-* [Evaluate Microsoft Defender for Endpoint](evaluate-atp.md)
-* [Use audit mode](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
deleted file mode 100644
index 55fb86a8b7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: See how exploit protection works in a demo
-description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
-keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.date: 01/06/2021
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Evaluate exploit protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
-
-This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
-
-> [!TIP]
-> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
-
-## Enable exploit protection in audit mode
-
-You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
-
-### Windows Security app
-
-1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
-
-3. Go to **Program settings** and choose the app you want to apply protection to:
-
- 1. If the app you want to configure is already listed, select it and then select **Edit**
- 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-
-5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
-
-### PowerShell
-
-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
-
-Configure each mitigation in the following format:
-
-```PowerShell
-Set-ProcessMitigation -
- > The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes.
-
-3. Enter the password that was displayed during the device creation step.
-
- 
-
-4. Run Do-it-yourself attack simulations on the device.
-
-
-### Threat simulator scenarios
-If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
-
-
-Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender for Endpoint capabilities within the confines of a lab environment.
-
->[!NOTE]
->Before you can run simulations, ensure the following requirements are met:
->- Devices must be added to the evaluation lab
->- Threat simulators must be installed in the evaluation lab
-
-1. From the portal select **Create simulation**.
-
-2. Select a threat simulator.
-
- 
-
-3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
-
- You can get to the simulation gallery from:
- - The main evaluation dashboard in the **Simulations overview** tile or
- - By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**.
-
-4. Select the devices where you'd like to run the simulation on.
-
-5. Select **Create simulation**.
-
-6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
-
- 
-
-After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature.
-
-Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
-
-
-## Simulation gallery
-Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-
-View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
-
-A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
-
-You can conveniently run any available simulation right from the catalog.
-
-
-
-
-Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
-
-**Examples:**
-
-
-
-
-
-
-## Evaluation report
-The lab reports summarize the results of the simulations conducted on the devices.
-
-
-
-At a glance, you'll quickly be able to see:
-- Incidents that were triggered
-- Generated alerts
-- Assessments on exposure level
-- Threat categories observed
-- Detection sources
-- Automated investigations
-
-
-## Provide feedback
-Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results.
-
-Let us know what you think, by selecting **Provide feedback**.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
deleted file mode 100644
index cf4a725b95..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ /dev/null
@@ -1,349 +0,0 @@
----
-title: Review events and errors using Event Viewer
-description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender for Endpoint service.
-keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, cannot start, broken, can't start
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 05/21/2018
-ms.technology: mde
----
-
-
-# Review events and errors using Event Viewer
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Event Viewer
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
-
-For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps.
-
-**Open Event Viewer and find the Microsoft Defender for Endpoint service event log:**
-
-1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
-
-2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
- open the log.
-
- a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
-
- > [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.
-
-3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
-
-
-
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
-
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
-- [Troubleshoot Microsoft Defender for Endpoint](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
deleted file mode 100644
index 73f0cf3ba2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ /dev/null
@@ -1,180 +0,0 @@
----
-title: View attack surface reduction events
-description: Import custom views to see attack surface reduction events.
-keywords: event view, exploit guard, audit, review, events
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# View attack surface reduction events
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
-
-Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled.
-
-This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-
-Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
-
-## Use custom views to review attack surface reduction capabilities
-
-Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.
-
-You can also manually navigate to the event area that corresponds to the feature.
-
-### Import an existing XML custom view
-
-1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
- - Controlled folder access events custom view: *cfa-events.xml*
- - Exploit protection events custom view: *ep-events.xml*
- - Attack surface reduction events custom view: *asr-events.xml*
- - Network/ protection events custom view: *np-events.xml*
-
-2. Type **event viewer** in the Start menu and open **Event Viewer**.
-
-3. Select **Action** > **Import Custom View...**
-
- 
-
-4. Navigate to where you extracted XML file for the custom view you want and select it.
-
-5. Select **Open**.
-
-6. It will create a custom view that filters to only show the events related to that feature.
-
-### Copy the XML directly
-
-1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
-
-2. On the left panel, under **Actions**, select **Create Custom View...**
-
- 
-
-3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
-
-4. Paste the XML code for the feature you want to filter events from into the XML section.
-
-5. Select **OK**. Specify a name for your filter.
-
-6. It will create a custom view that filters to only show the events related to that feature.
-
-### XML for attack surface reduction rule events
-
-```xml
-
-
-Event ID
-Message
-Description
-Action
-
-
-1
-Microsoft Defender for Endpoint service started (Version
-variable).Occurs during system start up, shut down, and during onbboarding.
-Normal operating notification; no action required.
-
-
-2
-Microsoft Defender for Endpoint service shutdown.
-Occurs when the device is shut down or offboarded.
-Normal operating notification; no action required.
-
-
-3
-Microsoft Defender for Endpoint service failed to start. Failure code:
-variable.Service did not start.
-Review other messages to determine possible cause and troubleshooting steps.
-
-
-4
-Microsoft Defender for Endpoint service contacted the server at
-variable.Variable = URL of the Defender for Endpoint processing servers.
-
-This URL will match that seen in the Firewall or network activity.Normal operating notification; no action required.
-
-
-5
-Microsoft Defender for Endpoint service failed to connect to the server at
-variable.Variable = URL of the Defender for Endpoint processing servers.
-
-The service could not contact the external processing servers at that URL.Check the connection to the URL. See Configure proxy and Internet connectivity.
-
-
-6
-Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found.
-The device did not onboard correctly and will not be reporting to the portal.
-Onboarding must be run before starting the service.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-7
-Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure:
-variable.Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-8
-Microsoft Defender for Endpoint service failed to clean its configuration. Failure code:
-variable.During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues.
-
During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
- Onboarding: No action required.
-
Offboarding: Reboot the system.
-See Onboard Windows 10 devices.
-
-9
-Microsoft Defender for Endpoint service failed to change its start type. Failure code:
-variable.During onboarding: The device did not onboard correctly and will not be reporting to the portal.
-
During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-10
-Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code:
-variable.The device did not onboard correctly and will not be reporting to the portal.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-11
-Onboarding or re-onboarding of Defender for Endpoint service completed.
-The device onboarded correctly.
-Normal operating notification; no action required.
-
-It may take several hours for the device to appear in the portal.
-
-12
-Microsoft Defender for Endpoint failed to apply the default configuration.
-Service was unable to apply the default configuration.
-This error should resolve after a short period of time.
-
-
-13
-Microsoft Defender for Endpoint device ID calculated:
-variable.Normal operating process.
-Normal operating notification; no action required.
-
-
-15
-Microsoft Defender for Endpoint cannot start command channel with URL:
-variable.Variable = URL of the Defender for Endpoint processing servers.
-
-The service could not contact the external processing servers at that URL.Check the connection to the URL. See Configure proxy and Internet connectivity.
-
-
-17
-Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-18
-OOBE (Windows Welcome) is completed.
-Service will only start after any Windows updates have finished installing.
-Normal operating notification; no action required.
-
-
-19
-OOBE (Windows Welcome) has not yet completed.
-Service will only start after any Windows updates have finished installing.
-Normal operating notification; no action required.
-
-If this error persists after a system restart, ensure all Windows updates have full installed.
-
-20
-Cannot wait for OOBE (Windows Welcome) to complete. Failure code:
-variable.Internal error.
-If this error persists after a system restart, ensure all Windows updates have full installed.
-
-
-25
-Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code:
-variable.The device did not onboard correctly.
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-26
-Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code:
-variable.The device did not onboard correctly.
-
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-27
-Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code:
-variable.Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-Ensure real-time antimalware protection is running properly.
-
-28
-Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-29
-Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
-This event occurs when the system can't read the offboarding parameters.
-Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired.
-
-
-30
-Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code:
-variable.Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices
-Ensure real-time antimalware protection is running properly.
-
-31
-Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code:
-variable.An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-Check for errors with the Windows telemetry service.
-
-
-32
-Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1
-An error occurred during offboarding.
-Reboot the device.
-
-
-33
-Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code:
-variable.A unique identifier is used to represent each device that is reporting to the portal.
-
-If the identifier does not persist, the same device might appear twice in the portal.Check registry permissions on the device to ensure the service can update the registry.
-
-
-34
-Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-35
-Microsoft Defender for Endpoint service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code:
-variable.An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
-
-Check for errors with the Windows diagnostic data service.
-
-
-36
-Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code:
-variable.Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.
-Normal operating notification; no action required.
-
-
-37
-Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.
-The device has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.
-Normal operating notification; no action required.
-
-
-38
-Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
-The device is using a metered/paid network and will be contacting the server less frequently.
-Normal operating notification; no action required.
-
-
-39
-Network connection is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
-The device is not using a metered/paid connection and will contact the server as usual.
-Normal operating notification; no action required.
-
-
-40
-Battery state is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.
-The device has low battery level and will contact the server less frequently.
-Normal operating notification; no action required.
-
-
-41
-Battery state is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.
-The device doesn’t have low battery level and will contact the server as usual.
-Normal operating notification; no action required.
-
-
-42
-Microsoft Defender for Endpoint WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4
-Internal error. The service failed to start.
-If this error persists, contact Support.
-
-
-43
-Microsoft Defender for Endpoint WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5
-Internal error. The service failed to start.
-If this error persists, contact Support.
-
-
-44
-Offboarding of Defender for Endpoint service completed.
-The service was offboarded.
-Normal operating notification; no action required.
-
-
-45
-Failed to register and to start the event trace session [%1]. Error code: %2
-An error occurred on service startup while creating ETW session. This caused service start-up failure.
-If this error persists, contact Support.
-
-
-46
-Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.
-An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.
-Normal operating notification; no action required. The service will try to start the session every minute.
-
-
-47
-Successfully registered and started the event trace session - recovered after previous failed attempts.
-This event follows the previous event after successfully starting of the ETW session.
-Normal operating notification; no action required.
-
-
-
-
-48
-Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.
-Failed to add a provider to ETW session. As a result, the provider events aren’t reported.
-Check the error code. If the error persists contact Support.
-
As "Memory Protection Check" |
-|Block remote images | yes | yes
As "Load Library Check" |
-|Block untrusted fonts | yes | yes |
-|Data Execution Prevention (DEP) | yes | yes |
-|Export address filtering (EAF) | yes | yes |
-|Force randomization for images (Mandatory ASLR) | yes | yes |
-|NullPage Security Mitigation | yes
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
-|Randomize memory allocations (Bottom-Up ASLR) | yes | yes |
-|Simulate execution (SimExec) | yes | yes |
-|Validate API invocation (CallerCheck) | yes | yes |
-|Validate exception chains (SEHOP) | yes | yes |
-|Validate stack integrity (StackPivot) | yes | yes |
-|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes |
-|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
-|Block low integrity images | yes | no |
-|Code integrity guard | yes | no |
-|Disable extension points | yes | no |
-|Disable Win32k system calls | yes | no |
-|Do not allow child processes | yes | no |
-|Import address filtering (IAF) | yes | no |
-|Validate handle usage | yes | no |
-|Validate heap integrity | yes | no |
-|Validate image dependency integrity | yes | no |
-
-> [!NOTE]
-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-
-## See also
-
-- [Protect devices from exploits](exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
deleted file mode 100644
index 9994672041..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: Use Microsoft Defender for Endpoint APIs
-ms.reviewer:
-description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user.
-keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Use Microsoft Defender for Endpoint APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-This page describes how to create an application to get programmatic access to Defender for Endpoint on behalf of a user.
-
-If you need programmatic access Microsoft Defender for Endpoint without a user, refer to [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md).
-
-If you are not sure which access you need, read the [Introduction page](apis-intro.md).
-
-Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-
-In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Defender for Endpoint API
-
-This page explains how to create an AAD application, get an access token to Microsoft Defender for Endpoint and validate the token.
-
->[!NOTE]
-> When accessing Microsoft Defender for Endpoint API on behalf of a user, you will need the correct Application permission and user permission.
-> If you are not familiar with user permissions on Microsoft Defender for Endpoint, see [Manage portal access using role-based access control](rbac.md).
-
->[!TIP]
-> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
-
-## Create an app
-
-1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role.
-
-2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
-
- 
-
-3. When the **Register an application** page appears, enter your application's registration information:
-
- - **Name** - Enter a meaningful application name that will be displayed to users of the app.
- - **Supported account types** - Select which accounts you would like your application to support.
-
- | Supported account types | Description |
- |-------------------------|-------------|
- | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.
This option maps to Azure AD only single-tenant.
This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. |
- | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.
This option maps to an Azure AD only multi-tenant.
If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. |
- | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.
This option maps to Azure AD multi-tenant and personal Microsoft accounts.
If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. |
-
- - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application.
- - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.
- - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`.
-
- To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts).
-
- When finished, select **Register**.
-
-4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission:
-
- - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.
-
- - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.
-
- 
-
- - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions**
-
- 
-
- - **Important note**: Select the relevant permissions. Read alerts is only an example.
-
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a device](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, view the **Permissions** section in the API you are interested to call.
-
- - Select **Grant consent**
-
- **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
-
- 
-
-6. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following information:
-
- 
-
-
-## Get an access token
-
-For more information on AAD tokens, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
-
-### Using C#
-
-- Copy/Paste the below class in your application.
-- Use **AcquireUserTokenAsync** method with your application ID, tenant ID, user name, and password to acquire a token.
-
- ```csharp
- namespace WindowsDefenderATP
- {
- using System.Net.Http;
- using System.Text;
- using System.Threading.Tasks;
- using Newtonsoft.Json.Linq;
-
- public static class WindowsDefenderATPUtils
- {
- private const string Authority = "https://login.microsoftonline.com";
-
- private const string WdatpResourceId = "https://api.securitycenter.microsoft.com";
-
- public static async Task
For more information on AAD token, see [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
-
-### Using PowerShell
-
-```
-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
-# Paste below your Tenant ID, App ID and App Secret (App key).
-
-$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your Application ID here
-$appSecret = '' ### Paste your Application key here
-
-$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
-$authBody = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
-$token = $authResponse.access_token
-Out-File -FilePath "./Latest-token.txt" -InputObject $token
-return $token
-```
-
-### Using C#:
-
->The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
-
-- Create a new Console Application
-- Install NuGet [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
-
- ```
- using Microsoft.IdentityModel.Clients.ActiveDirectory;
- ```
-
-- Copy/Paste the below code in your application (do not forget to update the three variables: ```tenantId, appId, appSecret```)
-
- ```
- string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
- string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
- string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
-
- const string authority = "https://login.microsoftonline.com";
- const string wdatpResourceId = "https://api.securitycenter.microsoft.com";
-
- AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
- ClientCredential clientCredential = new ClientCredential(appId, appSecret);
- AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
- string token = authenticationResult.AccessToken;
- ```
-
-
-### Using Python
-
-Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
-
-### Using Curl
-
-> [!NOTE]
-> The below procedure supposed Curl for Windows is already installed on your computer
-
-- Open a command window
-- Set CLIENT_ID to your Azure application ID
-- Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender for Endpoint application
-- Run the below command:
-
-```
-curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
-```
-
-You will get an answer of the form:
-
-```
-{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn
```startswith``` query is supported.
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request URI parameters
-
-Name | Type | Description
-:---|:---|:---
-tag | String | The tag name. **Required**.
-useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK with list of the machines in the response body.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
-```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
deleted file mode 100644
index 2ab8c7db1b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Fix unhealthy sensors in Microsoft Defender for Endpoint
-description: Fix device sensors that are reporting as misconfigured or inactive so that the service receives data from the device.
-keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/06/2020
-ms.technology: mde
----
-
-# Fix unhealthy sensors in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
-
-Devices that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured.
-
-## Inactive devices
-
-An inactive device is not necessarily flagged due to an issue. The following actions taken on a device can cause a device to be categorized as inactive:
-
-### Device is not in use
-
-If the device has not been in use for more than seven days for any reason, it will remain in an ‘Inactive’ status in the portal.
-
-### Device was reinstalled or renamed
-A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
-
-### Device was offboarded
-If the device was offboarded, it will still appear in devices list. After seven days, the device health state should change to inactive.
-
-### Device is not sending signals
-If the device is not sending any signals for more than seven days to any of the Microsoft Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive.
-
-Do you expect a device to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
-
-## Misconfigured devices
-Misconfigured devices can further be classified to:
-- Impaired communications
-- No sensor data
-
-### Impaired communications
-This status indicates that there's limited communication between the device and the service.
-
-The following suggested actions can help fix issues related to a misconfigured device with impaired communications:
-
-- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
-
-- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
-
-If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
-
-### No sensor data
-A misconfigured device with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
-Follow theses actions to correct known issues related to a misconfigured device with status ‘No sensor data’:
-
-- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
-
-- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
-
-- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
-If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
-
-- [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
-If your devices are running a third-party antimalware client, the Defender for Endpoint agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
-
-If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
-
-## See also
-- [Check sensor health state in Microsoft Defender for Endpoint](check-sensor-status.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
deleted file mode 100644
index 5177928062..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Get alert information by ID API
-description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, alert, information, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert information by ID API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves specific [Alert](alerts.md) by its ID.
-
-
-## Limitations
-1. You can get alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
deleted file mode 100644
index c84308bef0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Get alert related domains information
-description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get alert information, alert information, related domain
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert related domain information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves all domains related to a specific alert.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | URL.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts/{id}/domains
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains",
- "value": [
- {
- "host": "www.example.com"
- },
- {
- "host": "www.example2.com"
- }
- ...
- ]
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
deleted file mode 100644
index 015b98dba0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Get alert related files information
-description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
-keywords: apis, graph api, supported apis, get alert information, alert information, related files
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert related files information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves all files related to a specific alert.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | File.Read.All | 'Read file profiles'
-Delegated (work or school account) | File.Read.All | 'Read file profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts/{id}/files
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-Empty
-
-## Response
-If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",
- "value": [
- {
- "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
- "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
- "md5": "8d5b7cc9a832e21d22503057e1fec8e9",
- "globalPrevalence": 29,
- "globalFirstObserved": "2019-03-23T23:54:06.0135204Z",
- "globalLastObserved": "2019-04-23T00:43:20.0489831Z",
- "size": 113984,
- "fileType": null,
- "isPeFile": true,
- "filePublisher": "Microsoft Corporation",
- "fileProductName": "Microsoft� Windows� Operating System",
- "signer": "Microsoft Corporation",
- "issuer": "Microsoft Code Signing PCA",
- "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
- "isValidCertificate": true,
- "determinationType": "Unknown",
- "determinationValue": null
- }
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
deleted file mode 100644
index 602a1fd1c4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Get alert related IPs information
-description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
-keywords: apis, graph api, supported apis, get alert information, alert information, related ip
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert related IPs information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves all IPs related to a specific alert.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts/{id}/ips
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
- "value": [
- {
- "id": "104.80.104.128"
- },
- {
- "id": "23.203.232.228
- }
- ...
- ]
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
deleted file mode 100644
index 4a56186c19..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: Get alert related machine information
-description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
-keywords: apis, graph api, supported apis, get alert information, alert information, related device
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert related machine information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves [Device](machine.md) related to a specific alert.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine information'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-GET /api/alerts/{id}/machine
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and alert and device exist - 200 OK. If alert not found or device not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
- "osPlatform": "Windows10",
- "osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
- "healthStatus": "Active",
- "deviceValue": "Normal",
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
deleted file mode 100644
index 2afbe73739..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Get alert related user information
-description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, alert, information, related, user
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get alert related user information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves the User related to a specific alert.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | User.Read.All | 'Read user profiles'
-Delegated (work or school account) | User.Read.All | 'Read user profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts/{id}/user
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
- "id": "contoso\\user1",
- "accountName": "user1",
- "accountDomain": "contoso",
- "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
- "firstSeen": "2019-12-08T06:33:39Z",
- "lastSeen": "2020-01-05T06:58:34Z",
- "mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
- "leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
- "logonTypes": "Network",
- "logOnMachinesCount": 1,
- "isDomainAdmin": false,
- "isOnlyNetworkUser": false
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
deleted file mode 100644
index 47af279049..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ /dev/null
@@ -1,311 +0,0 @@
----
-title: List alerts API
-description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of Alerts.
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
OData supported operators:
-
```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
-
```$top``` with max value of 10,000
-
```$skip```
-
```$expand``` of ```evidence```
-
See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. You can get alerts last updated according to your configured retention period.
-2. Maximum page size is 10,000.
-3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The response will include only alerts that are associated with devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
-
-
-## Example 1 - Default
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
- "value": [
- {
- "id": "da637308392288907382_-880718168",
- "incidentId": 7587,
- "investigationId": 723156,
- "assignedTo": "secop123@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "investigationState": "Queued",
- "detectionSource": "WindowsDefenderAv",
- "category": "SuspiciousActivity",
- "threatFamilyName": "Meterpreter",
- "title": "Suspicious 'Meterpreter' behavior was detected",
- "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
- "firstEventTime": "2020-07-20T10:52:17.6654369Z",
- "lastEventTime": "2020-07-20T10:52:18.1362905Z",
- "lastUpdateTime": "2020-07-20T10:53:50.19Z",
- "resolvedTime": null,
- "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
- "computerDnsName": "temp123.middleeast.corp.microsoft.com",
- "rbacGroupName": "MiddleEast",
- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
- "threatName": null,
- "mitreTechniques": [
- "T1064",
- "T1085",
- "T1220"
- ],
- "relatedUser": {
- "userName": "temp123",
- "domainName": "MIDDLEEAST"
- },
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop123@contoso.com",
- "createdTime": "2020-07-21T01:00:37.8404534Z"
- }
- ],
- "evidence": []
- }
- ...
- ]
-}
-```
-
-## Example 2 - Get 10 latest Alerts with related Evidence
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
-```
-
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
- "value": [
- {
- "id": "da637472900382838869_1364969609",
- "incidentId": 1126093,
- "investigationId": null,
- "assignedTo": null,
- "severity": "Low",
- "status": "New",
- "classification": null,
- "determination": null,
- "investigationState": "Queued",
- "detectionSource": "WindowsDefenderAtp",
- "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
- "category": "Execution",
- "threatFamilyName": null,
- "title": "Low-reputation arbitrary code executed by signed executable",
- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
- "firstEventTime": "2021-01-26T20:31:32.9562661Z",
- "lastEventTime": "2021-01-26T20:31:33.0577322Z",
- "lastUpdateTime": "2021-01-26T20:33:59.2Z",
- "resolvedTime": null,
- "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
- "computerDnsName": "temp123.middleeast.corp.microsoft.com",
- "rbacGroupName": "A",
- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
- "threatName": null,
- "mitreTechniques": [
- "T1064",
- "T1085",
- "T1220"
- ],
- "relatedUser": {
- "userName": "temp123",
- "domainName": "MIDDLEEAST"
- },
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop123@contoso.com",
- "createdTime": "2021-01-26T01:00:37.8404534Z"
- }
- ],
- "evidence": [
- {
- "entityType": "User",
- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
- "sha1": null,
- "sha256": null,
- "fileName": null,
- "filePath": null,
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "parentProcessFileName": null,
- "parentProcessFilePath": null,
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": "eranb",
- "domainName": "MIDDLEEAST",
- "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
- "userPrincipalName": "temp123@microsoft.com",
- "detectionStatus": null
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
- "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
- "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
- "fileName": "rundll32.exe",
- "filePath": "C:\\Windows\\SysWOW64",
- "processId": 3276,
- "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
- "processCreationTime": "2021-01-26T20:31:32.9581596Z",
- "parentProcessId": 8420,
- "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
- "parentProcessFileName": "rundll32.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "File",
- "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
- "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
- "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
- "fileName": "suspicious.dll",
- "filePath": "c:\\temp",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "parentProcessFileName": null,
- "parentProcessFilePath": null,
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- }
- ]
- },
- ...
- ]
-}
-```
-
-
-## See also
-- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
deleted file mode 100644
index 6548493ea9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List all recommendations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## See also
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
deleted file mode 100644
index 0126da149d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Get all vulnerabilities by machine and software
-description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List vulnerabilities by machine and software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
-- If the vulnerability has a fixing KB, it will appear in the response.
-- Supports [OData V4 queries](https://www.odata.org/documentation/).
-- The OData ```$filter``` is supported on all properties.
-
->[!Tip]
->This is great API for [Power BI integration](api-power-bi.md).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/machinesVulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
- "value": [
- {
- "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
- "cveId": "CVE-2020-6494",
- "machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
- "fixingKbId": null,
- "productName": "edge_chromium-based",
- "productVendor": "microsoft",
- "productVersion": "81.0.416.77",
- "severity": "Low"
- },
- {
- "id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
- "cveId": "CVE-2016-3348",
- "machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
- "fixingKbId": "3185911",
- "productName": "windows_server_2012_r2",
- "productVendor": "microsoft",
- "productVersion": "6.3.9600.19728",
- "severity": "Low"
- },
- ...
- ]
-
-}
-```
-
-## See also
-
-- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
deleted file mode 100644
index 00ade14700..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List vulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## See also
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
deleted file mode 100644
index 3264cc7d76..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Get CVE-KB map API
-description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, cve, kb
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: mde
----
-
-# Get CVE-KB map API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Retrieves a map of CVE's to KB's and CVE details.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/cvekbmap
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful and map exists - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://graph.microsoft.com/testwdatppreview/CveKbMap
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
- "@odata.count": 4168,
- "value": [
- {
- "cveKbId": "CVE-2015-2482-3097617",
- "cveId": "CVE-2015-2482",
- "kbId":"3097617",
- "title": "Cumulative Security Update for Internet Explorer",
- "severity": "Critical"
- },
- …
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
deleted file mode 100644
index 2edded89ae..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Get device secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get device secure score
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the device secure score data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/configurationScore
-```
-
-### Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## See also
-
-- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
deleted file mode 100644
index 760ce4ddb9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get discovered vulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-## API description
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Limitations
-1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-### Response
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## See also
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
deleted file mode 100644
index 12f8042a7e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get domain related alerts API
-description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, domain, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get domain related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/domains/{domain}/alerts
-```
-
-## Request headers
-
-| Header | Value |
-|:--------------|:-------|
-| Authorization | String |
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/domains/client.wns.windows.com/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
deleted file mode 100644
index 87af94f174..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Get domain related machines API
-description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, domain, related, devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get domain related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
-
-
-## Limitations
-1. You can query on devices last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/domains/{domain}/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/domains/api.securitycenter.microsoft.com/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
deleted file mode 100644
index 13a3f3f28f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Get domain statistics API
-description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, domain, domain related devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get domain statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves the statistics on the given domain.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | URL.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/domains/{domain}/stats
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-
-## Request URI parameters
-
-Name | Type | Description
-:---|:---|:---
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
- "host": "example.com",
- "orgPrevalence": "4070",
- "orgFirstSeen": "2017-07-30T13:23:48Z",
- "orgLastSeen": "2017-08-29T13:09:05Z"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
deleted file mode 100644
index 0288816bb4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get exposure score
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/exposureScore
-```
-
-### Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## See also
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
deleted file mode 100644
index 37b4c39da7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Get file information API
-description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get file information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a [File](files.md) by identifier Sha1, or Sha256
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | File.Read.All | 'Read all file profiles'
-Delegated (work or school account) | File.Read.All | 'Read all file profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
- "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
- "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
- "globalPrevalence": 180022,
- "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
- "globalLastObserved": "2020-01-06T03:59:21.3229314Z",
- "size": 22139496,
- "fileType": "APP",
- "isPeFile": true,
- "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
- "fileProductName": "EaseUS MobiSaver for Android",
- "signer": "CHENGDU YIWO Tech Development Co., Ltd.",
- "issuer": "VeriSign Class 3 Code Signing 2010 CA",
- "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
- "isValidCertificate": false,
- "determinationType": "Pua",
- "determinationValue": "PUA:Win32/FusionCore"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
deleted file mode 100644
index 1ef694df96..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get file related alerts API
-description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, file, hash
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get file related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of alerts related to a given file hash.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
deleted file mode 100644
index c0de4442c2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get file related machines API
-description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, devices, hash
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get file related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) related to a given file hash.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
deleted file mode 100644
index ab8b12267d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Get file statistics API
-description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender for Endpoint.
-keywords: apis, graph api, supported apis, get, file, statistics
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get file statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves the statistics for the given file.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | File.Read.All | 'Read file profiles'
-Delegated (work or school account) | File.Read.All | 'Read file profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/stats
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request URI parameters
-
-Name | Type | Description
-:---|:---|:---
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
- "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
- "orgPrevalence": "14850",
- "orgFirstSeen": "2019-12-07T13:44:16Z",
- "orgLastSeen": "2020-01-06T13:39:36Z",
- "globalPrevalence": "705012",
- "globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
- "globalLastObserved": "2020-01-06T13:39:36Z",
- "topFileNames": [
- "MREC.exe"
- ]
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
deleted file mode 100644
index 9effa5d7a6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get installed software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## See also
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
deleted file mode 100644
index cca2597b98..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: List Investigations API
-description: Use this API to create calls related to get Investigations collection
-keywords: apis, graph api, supported apis, Investigations collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List Investigations API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Investigations](investigation.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties.
-
See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Maximum page size is 10,000.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/investigations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
-
-
-## Example
-
-**Request**
-
-Here is an example of a request to get all investigations:
-
-```
-GET https://api.securitycenter.microsoft.com/api/investigations
-```
-
-**Response**
-
-Here is an example of the response:
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations",
- "value": [
- {
- "id": "63017",
- "startTime": "2020-01-06T14:11:34Z",
- "endTime": null,
- "state": "Running",
- "cancelledBy": null,
- "statusDetails": null,
- "machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
- "computerDnsName": "desktop-gtrcon0",
- "triggeringAlertId": "da637139166940871892_-598649278"
- }
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
deleted file mode 100644
index 74f3ac1b33..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Get Investigation object API
-description: Use this API to create calls related to get Investigation object
-keywords: apis, graph api, supported apis, Investigation object
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get Investigation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves specific [Investigation](investigation.md) by its ID.
-
ID can be the investigation ID or the investigation triggering alert ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/investigations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
deleted file mode 100644
index d4f66c71d6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get IP related alerts API
-description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, ip, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get IP related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of alerts related to a given IP address.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
deleted file mode 100644
index bc04301ab1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Get IP statistics API
-description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get IP statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves the statistics for the given IP.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
-
->[!NOTE]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-
-```http
-GET /api/ips/{ip}/stats
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request URI parameters
-
-Name | Type | Description
-:---|:---|:---
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
-
-## Request body
-Empty
-
-## Response
-If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
- "ipAddress": "10.209.67.177",
- "orgPrevalence": "63515",
- "orgFirstSeen": "2017-07-30T13:36:06Z",
- "orgLastSeen": "2017-08-29T13:32:59Z"
-}
-```
-
-
-| Name | Description |
-| :--- | :---------- |
-| Org prevalence | the distinct count of devices that opened network connection to this IP. |
-| Org first seen | the first connection for this IP in the organization. |
-| Org last seen | the last connection for this IP in the organization. |
-
-> [!NOTE]
-> This statistic information is based on data from the past 30 days.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
deleted file mode 100644
index 0eeced010e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Get KB collection API
-description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, kb
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: mde
----
-
-# Get KB collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Retrieves a collection of KB's and KB details.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/kbinfo
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://graph.microsoft.com/testwdatppreview/KbInfo
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
- "@odata.count": 271,
- "value":[
- {
- "id": "KB3097617 (10240.16549) Amd64",
- "release": "KB3097617 (10240.16549)",
- "publishingDate": "2015-10-16T21:00:00Z",
- "version": "10.0.10240.16549",
- "architecture": "Amd64"
- },
- …
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
deleted file mode 100644
index 76dc993182..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Get machine by ID API
-description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, devices, entity, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get machine by ID API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves specific [Machine](machine.md) by its device ID or computer name.
-
-
-## Limitations
-1. You can get devices last seen according to your configured retention policy.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-
-## HTTP request
-```http
-GET /api/machines/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified ID was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
- "osPlatform": "Windows10",
- "osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
- "healthStatus": "Active",
- "deviceValue": "Normal",
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
deleted file mode 100644
index 6f54986e33..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: List exposure score by device group
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List exposure score by device group
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of alerts related to a given domain address.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/exposureScore/ByMachineGroups
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
-```
-
-### Response
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
- "value": [
- {
- "time": "2019-12-03T09:51:28.214338Z",
- "score": 41.38041766305988,
- "rbacGroupName": "GroupOne"
- },
- {
- "time": "2019-12-03T09:51:28.2143399Z",
- "score": 37.403726933165366,
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
deleted file mode 100644
index 3e9b901fac..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: Get machine logon users API
-description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, device, log on, users
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get machine logon users API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of logged on users on a specific device.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | User.Read.All | 'Read user profiles'
-Delegated (work or school account) | User.Read.All | 'Read user profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) )
->- Response will include users only if the device is visible to the user, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
-
-## HTTP request
-```http
-GET /api/machines/{id}/logonusers
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exists - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
- "value": [
- {
- "id": "contoso\\user1",
- "accountName": "user1",
- "accountDomain": "contoso",
- "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
- "firstSeen": "2019-12-18T08:02:54Z",
- "lastSeen": "2020-01-06T08:01:48Z",
- "logonTypes": "Interactive",
- "logOnMachinesCount": 8,
- "isDomainAdmin": true,
- "isOnlyNetworkUser": false
- },
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
deleted file mode 100644
index cf6f953a00..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Get machine related alerts API
-description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, devices, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get machine related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves all [Alerts](alerts.md) related to a specific device.
-
-
-## Limitations
-1. You can query on devices last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/machines/{id}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exists - 200 OK with list of [alert](alerts.md) entities in the body. If device was not found - 404 Not Found.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
deleted file mode 100644
index 9520bd1379..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Get MachineAction object API
-description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, machineaction object
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get machineAction API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves specific [Machine Action](machineaction.md) by its ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/machineactions/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a [Machine Action](machineaction.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
- "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
- "type": "Isolate",
- "scope": "Selective",
- "requestor": "Analyst@TestPrd.onmicrosoft.com",
- "requestorComment": "test for docs",
- "status": "Succeeded",
- "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
- "computerDnsName": "desktop-test",
- "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
- "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
- "relatedFileInfo": null
-}
-
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
deleted file mode 100644
index d910d3beda..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-title: List machineActions API
-description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, machineaction collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List MachineActions API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Machine Actions](machineaction.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
-
See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Maximum page size is 10,000.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/machineactions
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction.md) entities.
-
-
-## Example 1
-
-**Request**
-
-Here is an example of the request on an organization that has three MachineActions.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machineactions
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
- "value": [
- {
- "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
- "type": "CollectInvestigationPackage",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
- "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
- },
- {
- "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
- "type": "RunAntiVirusScan",
- "scope": "Full",
- "requestor": "Analyst@contoso.com",
- "requestorComment": "Check machine for viruses due to alert 3212",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
- "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
- },
- {
- "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
- "type": "StopAndQuarantineFile",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
- "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
- "relatedFileInfo": {
- "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
- "fileIdentifierType": "Sha1"
- }
- }
- ]
-}
-```
-
-## Example 2
-
-**Request**
-
-Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
-
-```
-GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
- "value": [
- {
- "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
- "type": "CollectInvestigationPackage",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
- "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
- },
- {
- "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
- "type": "RunAntiVirusScan",
- "scope": "Full",
- "requestor": "Analyst@contoso.com",
- "requestorComment": "Check machine for viruses due to alert 3212",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
- "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
- }
- ]
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
deleted file mode 100644
index b2f9da0734..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List devices by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
deleted file mode 100644
index bf4208cd36..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List devices by vulnerability
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
deleted file mode 100644
index 44e815ff37..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: List machines API
-description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
-keywords: apis, graph api, supported apis, get, devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
-
-Supports [OData V4 queries](https://www.odata.org/documentation/).
-
-The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
-See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
-
-
-## Limitations
-1. You can get devices last seen according to your configured retention period.
-2. Maximum page size is 10,000.
-3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
->- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
-
-## HTTP request
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and machines exists - 200 OK with list of [machine](machine.md) entities in the body. If no recent machines - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
- "value": [
- {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
- "osPlatform": "Windows10",
- "osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
- "healthStatus": "Active",
- "deviceValue": "Normal",
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
- },
- ...
- ]
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
deleted file mode 100644
index 9d1e0ef235..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Get machines security states collection API
-description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, device, security, state
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get Machines security states collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Retrieves a collection of devices security states.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/machinesecuritystates
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
-```
-
-**Response**
-
-Here is an example of the response.
-Field *id* contains device id and equal to the field *id** in devices info.
-
-```json
-{
- "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
- "@odata.count":444,
- "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]",
- "value":[
- {
- "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4",
- "build":14393,
- "revision":2485,
- "architecture":"Amd64",
- "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809",
- "propertiesRequireAttention":[
- "AntivirusNotReporting",
- "EdrImpairedCommunications"
- ]
- },
- …
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
deleted file mode 100644
index d3c13ddae1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Get missing KBs by device ID
-description: Retrieves missing security updates by device ID
-keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get missing KBs by device ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-## API description
-Retrieves missing KBs (security updates) by device ID.
-
-## Limitations
-1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
-
-## HTTP request
-
-```
-GET /api/machines/{machineId}/getmissingkbs
-```
-
-## Request header
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the specified device missing kb data in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
-```
-
-### Response
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
- "value": [
- {
- "id": "4540673",
- "name": "March 2020 Security Updates",
- "productsNames": [
- "windows_10",
- "edge",
- "internet_explorer"
- ],
- "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
- "machineMissedOn": 1,
- "cveAddressed": 97
- },
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
deleted file mode 100644
index 3b53dabe02..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Get missing KBs by software ID
-description: Retrieves missing security updates by software ID
-keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get missing KBs by software ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieves missing KBs (security updates) by software ID
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-
-```
-GET /api/Software/{Id}/getmissingkbs
-```
-
-## Request header
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the specified software missing kb data in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs
-```
-
-### Response
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
- "value": [
- {
- "id": "4540673",
- "name": "March 2020 Security Updates",
- "productsNames": [
- "edge"
- ],
- "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
- "machineMissedOn": 240,
- "cveAddressed": 14
- },
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
deleted file mode 100644
index 2683556f81..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Get package SAS URI API
-description: Use this API to get a URI that allows downloading an investigation package.
-keywords: apis, graph api, supported apis, get package, sas, uri
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get package SAS URI API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/getPackageUri
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
- "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
-}
-
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
deleted file mode 100644
index 5548416186..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Get recommendation by Id
-description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get recommendation by ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations/$entity",
- "id": "va-_-google-_-chrome",
- "productName": "chrome",
- "recommendationName": "Update Chrome",
- "weaknesses": 38,
- "vendor": "google",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 3.9441860465116285,
- "totalMachineCount": 6,
- "exposedMachinesCount": 5,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Chrome"
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
deleted file mode 100644
index fa448849b7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List devices by recommendation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
- "computerDnsName": "niw_pc",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
deleted file mode 100644
index 0fcdc3e55a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Get recommendation by software
-description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get recommendation by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation related to a specific software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
- "id": "google-_-chrome",
- "name": "chrome",
- "vendor": "google",
- "weaknesses": 38,
- "publicExploit": false,
- "activeAlert": false,
- "exposedMachines": 5,
- "impactScore": 3.94418621
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
deleted file mode 100644
index e4a52ff2a7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: List vulnerabilities by recommendation
-description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List vulnerabilities by recommendation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of vulnerabilities associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-13748",
- "name": "CVE-2019-13748",
- "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
- "severity": "Medium",
- "cvssV3": 6.5,
- "exposedMachines": 0,
- "publishedOn": "2019-12-10T00:00:00Z",
- "updatedOn": "2019-12-16T12:15:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
deleted file mode 100644
index 2581a14cb0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Get security recommendations
-description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get security recommendations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## API description
-Retrieves a collection of security recommendations related to a given device ID.
-
-## Limitations
-1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-git-scm-_-git",
- "productName": "git",
- "recommendationName": "Update Git to version 2.24.1.2",
- "weaknesses": 3,
- "vendor": "git-scm",
- "recommendedVersion": "2.24.1.2",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 0,
- "totalMachineCount": 0,
- "exposedMachinesCount": 1,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Git"
- },
-…
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
deleted file mode 100644
index 43ed0055bf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Get software by Id
-description: Retrieves a list of sofware by ID.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get software by Id
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves software details by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the specified software data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
deleted file mode 100644
index 897e0c91a7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List software version distribution
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of your organization's software version distribution.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/distributions
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
- "value": [
- {
- "version": "11.0.17134.1039",
- "installations": 1,
- "vulnerabilities": 11
- },
- {
- "version": "11.0.18363.535",
- "installations": 750,
- "vulnerabilities": 0
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
deleted file mode 100644
index b070207ed0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: List software
-description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List software inventory API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieves the organization software inventory.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software inventory in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software",
- "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
deleted file mode 100644
index d126296521..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Become a Microsoft Defender for Endpoint partner
-ms.reviewer:
-description: Learn the steps and requirements to integrate your solution with Microsoft Defender ATP and be a partner
-keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Become a Microsoft Defender for Endpoint partner
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.
-
-## Step 1: Subscribe to a Microsoft Defender for Endpoint Developer license
-Subscribe to the [Microsoft Defender for Endpoint Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender for Endpoint.
-
-## Step 2: Fulfill the solution validation and certification requirements
-The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender for Endpoint team.
-
-Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
-
-## Step 3: Become a Microsoft Intelligent Security Association member
-[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products.
-
-## Step 4: Get listed in the Microsoft Defender for Endpoint partner application portal
-Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.
-
-To have your company listed as a partner in the in-product partner page, you will need to provide the following information:
-
-1. A square logo (SVG).
-2. Name of the product to be presented.
-3. Provide a 15-word product description.
-4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
-5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.
-6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
-
- Follow these steps:
-
- - Set the User-Agent field in each HTTP request header to the below format.
-
- - `MdePartner-{CompanyName}-{ProductName}/{Version}`
-
- - For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0`
-
- - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).
-
-Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
-
-## Related topics
-- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
deleted file mode 100644
index 5a5ea5a354..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: List Indicators API
-description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
-keywords: apis, public api, supported apis, Indicators collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List Indicators API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of all active [Indicators](ti-indicator.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties.
-
See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
-## HTTP request
-```
-GET https://api.securitycenter.microsoft.com/api/indicators
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator.md) entities.
-
->[!Note]
-> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created.
-
-## Example 1:
-
-**Request**
-
-Here is an example of a request that gets all Indicators
-
-```http
-GET https://api.securitycenter.microsoft.com/api/indicators
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
- "value": [
- {
- "id": "995",
- "indicatorValue": "12.13.14.15",
- "indicatorType": "IpAddress",
- "action": "Alert",
- "application": "demo-test",
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "test",
- "rbacGroupNames": []
- },
- {
- "id": "996",
- "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
- }
- ...
- ]
-}
-```
-
-## Example 2:
-
-**Request**
-
-Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-
-```http
-GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
- "value": [
- {
- "id": "997",
- "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
- }
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
deleted file mode 100644
index d4d47fa618..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Get user information API
-description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, user, user information
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get user information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Retrieve a User entity by key (user name).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | User.Read.All | 'Read all user profiles'
-
-## HTTP request
-```
-GET /api/users/{id}/
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exists - 200 OK with [user](user.md) entity in the body. If user does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/users/user1
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
- "id": "user1",
- "firstSeen": "2018-08-02T00:00:00Z",
- "lastSeen": "2018-08-04T00:00:00Z",
- "mostPrevalentMachineId": null,
- "leastPrevalentMachineId": null,
- "logonTypes": "Network",
- "logOnMachinesCount": 3,
- "isDomainAdmin": false,
- "isOnlyNetworkUser": null
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
deleted file mode 100644
index 341e56d35d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Get user-related alerts API
-description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, user, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get user-related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of alerts related to a given user ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md).
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/users/{id}/alerts
-```
-
-**The ID is not the full UPN, but only the user name. (for example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exists - 200 OK. If the user does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/users/user1/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
deleted file mode 100644
index b91c080c8e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Get user-related machines API
-description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, user, user related alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get user-related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Retrieves a collection of devices related to a given user ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) )
->- Response will include only devices that the user can access, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
-
-## HTTP request
-```
-GET /api/users/{id}/machines
-```
-
-**The ID is not the full UPN, but only the user name. (for example, to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
-
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exists - 200 OK with list of [machine](machine.md) entities in the body. If user does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/users/user1/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
deleted file mode 100644
index 762572746a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: List vulnerabilities by software
-description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# List vulnerabilities by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of vulnerabilities in the installed software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/vulnerabilities
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
deleted file mode 100644
index 441ac6bf08..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Get vulnerability by ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md
deleted file mode 100644
index 972dc7f639..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/gov.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Microsoft Defender for Endpoint for US Government customers
-description: Learn about the requirements and the available Microsoft Defender for Endpoint capabilities for US Government customers
-keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp, endpoint, dod
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for US Government customers
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Microsoft Defender for Endpoint for US Government customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial.
-
-This offering is currently available to Microsoft 365 GCC and GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some differences in the availability of capabilities for this offering.
-
-> [!NOTE]
-> If you are a "GCC on Commercial" customer, please refer to the public documentation pages.
-
-## Portal URLs
-The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
-
-Customer type | Portal URL
-:---|:---
-GCC | https://gcc.securitycenter.microsoft.us
-GCC High | https://securitycenter.microsoft.us
-
-
-
-## Endpoint versions
-
-### Standalone OS versions
-The following OS versions are supported:
-
-OS version | GCC | GCC High
-:---|:---|:---
-Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  | 
-Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  | 
-Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
-Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
-Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) |  | 
-Windows 10, version 1709 | 
Note: Won't be supported |  With [KB4499147](https://support.microsoft.com/help/4499147)
Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
-Windows 10, version 1703 and earlier | 
Note: Won't be supported | 
Note: Won't be supported
-Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows Server 2016 |  |  In development
-Windows Server 2012 R2 |  |  In development
-Windows Server 2008 R2 SP1 |  |  In development
-Windows 8.1 Enterprise |  |  In development
-Windows 8 Pro |  |  In development
-Windows 7 SP1 Enterprise |  |  In development
-Windows 7 SP1 Pro |  |  In development
-Linux |  In development |  In development
-macOS |  In development |  In development
-Android |  On engineering backlog |  On engineering backlog
-iOS |  On engineering backlog |  On engineering backlog
-
-> [!NOTE]
-> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
-
-> [!NOTE]
-> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
-
-### OS versions when using Azure Defender for Servers
-The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
-
-OS version | GCC | GCC High
-:---|:---|:---
-Windows Server 2016 |  Rolling out | 
-Windows Server 2012 R2 |  Rolling out | 
-Windows Server 2008 R2 SP1 |  Rolling out | 
-
-
-
-## Required connectivity settings
-You'll need to ensure that traffic from the following are allowed:
-
-Service location | DNS record
-:---|:---
-Common URLs for all locations (Global location) | `crl.microsoft.com`
`ctldl.windowsupdate.com`
`notify.windows.com`
`settings-win.data.microsoft.com`
Note: `settings-win.data.microsoft.com` is only needed on Windows 10 devices running version 1803 or earlier.
-Common URLs for all US Gov customers | `us4-v20.events.data.microsoft.com`
`*.blob.core.usgovcloudapi.net`
-Defender for Endpoint GCC specific | `winatp-gw-usmt.microsoft.com`
`winatp-gw-usmv.microsoft.com`
-Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`winatp-gw-usgv.microsoft.com`
-
-
-
-## API
-Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
-
-Endpoint type | GCC | GCC High
-:---|:---|:---
-Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us`
-Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us`
-SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https://wdatp-alertexporter-us.securitycenter.windows.us`
-
-
-
-## Feature parity with commercial
-Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
-
-These are the known gaps as of January 2021:
-
-Feature name | GCC | GCC High
-:---|:---|:---
-Automated investigation and remediation: Live response |  |  In development
-Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog
-Email notifications |  Rolling out |  In development
-Evaluation lab |  |  In development
-Management and APIs: Device health and compliance report |  |  In development
-Management and APIs: Integration with third-party products |  |  In development
-Management and APIs: Streaming API |  |  In development
-Management and APIs: Threat protection report |  |  In development
-Threat & vulnerability management |  |  In development
-Threat analytics |  |  In development
-Web content filtering |  In development |  In development
-Integrations: Azure Sentinel |  |  In development
-Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Intune |  |  In development
-Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development
-Integrations: Skype for Business / Teams |  |  In development
-Microsoft Threat Experts |  On engineering backlog |  On engineering backlog
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
deleted file mode 100644
index f5397c26f3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Grant access to managed security service provider (MSSP)
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Grant managed security service provider (MSSP) access (preview)
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-To implement a multi-tenant delegated access solution, take the following steps:
-
-1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Active Directory (AD) groups.
-
-2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
-
-3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
-
-## Enable role-based access controls in Microsoft Defender for Endpoint
-
-1. **Create access groups for MSSP resources in Customer AAD: Groups**
-
- These groups will be linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
-
- - Tier 1 Analyst
- - Tier 2 Analyst
- - MSSP Analyst Approvers
-
-
-2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint.
-
- To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
-
- 
-
- Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups".
-
- Two possible roles:
-
- - **Tier 1 Analysts**
- Perform all actions except for live response and manage security settings.
-
- - **Tier 2 Analysts**
- Tier 1 capabilities with the addition to [live response](live-response.md)
-
- For more information, see [Use role-based access control](rbac.md).
-
-
-
-## Configure Governance Access Packages
-
-1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
-
- Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
-
- To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
-
-2. **Create a resource catalog in Customer AAD: Identity Governance**
-
- Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
-
- To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
-
- 
-
- Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
-
-
-3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
-
- Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
-
- To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
-
- - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
- - Has annual access reviews, where the SOC analysts can request an access extension
- - Can only be requested by users in the MSSP SOC Tenant
- - Access auto expires after 365 days
-
- 
-
- For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
-
-
-4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
-
- The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
-
-
- 
-
- The link is located on the overview page of each access package.
-
-## Manage access
-
-1. Review and authorize access requests in Customer and/or MSSP myaccess.
-
- Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
-
- To do so, access the customer's myaccess using:
- `https://myaccess.microsoft.com/@
CIDR notation for IPs is not supported.
-
-## Limitations
-1. Rate limitations for this API are 30 calls per minute.
-2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
-3. Maximum batch size for one API call is 500.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/indicators/import
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required**
-
-
-## Response
-- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below.
-- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/indicators/import
-```
-
-```json
-{
- "Indicators":
- [
- {
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "demo",
- "application": "demo-test",
- "expirationTime": "2021-12-12T00:00:00Z",
- "action": "Alert",
- "severity": "Informational",
- "description": "demo2",
- "recommendedActions": "nothing",
- "rbacGroupNames": ["group1", "group2"]
- },
- {
- "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222",
- "indicatorType": "FileSha256",
- "title": "demo2",
- "application": "demo-test2",
- "expirationTime": "2021-12-12T00:00:00Z",
- "action": "Alert",
- "severity": "Medium",
- "description": "demo2",
- "recommendedActions": "nothing",
- "rbacGroupNames": []
- }
- ]
-}
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "value": [
- {
- "id": "2841",
- "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "isFailed": false,
- "failureReason": null
- },
- {
- "id": "2842",
- "indicator": "2233223322332233223322332233223322332233223322332233223322332222",
- "isFailed": false,
- "failureReason": null
- }
- ]
-}
-```
-
-## Related topic
-- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
deleted file mode 100644
index 40baef0411..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Create indicators based on certificates
-ms.reviewer:
-description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities.
-keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create indicators based on certificates
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-You can create indicators for certificates. Some common use cases include:
-
-- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
-- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.
-
-
-### Before you begin
-
-It's important to understand the following requirements prior to creating indicators for certificates:
-
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
-- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
-- The virus and threat protection definitions must be up to date.
-- This feature currently supports entering .CER or .PEM file extensions.
-
->[!IMPORTANT]
-> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
->- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
->- Microsoft signed certificates cannot be blocked.
-
-#### Create an indicator for certificates from the settings page:
-
->[!IMPORTANT]
-> It can take up to 3 hours to create and remove a certificate IoC.
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the **Certificate** tab.
-
-3. Select **Add indicator**.
-
-4. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-## Related topics
-- [Create indicators](manage-indicators.md)
-- [Create indicators for files](indicator-file.md)
-- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
deleted file mode 100644
index 78a28933b4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Create indicators for files
-ms.reviewer:
-description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
-keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create indicators for files
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
-
-There are two ways you can create indicators for files:
-- By creating an indicator through the settings page
-- By creating a contextual indicator using the add indicator button from the file details page
-
-### Before you begin
-It's important to understand the following prerequisites prior to creating indicators for files:
-
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
-- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
-- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
-
->[!IMPORTANT]
->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
->- Trusted signed files will be treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
-
-
->[!NOTE]
->Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.
-
-### Create an indicator for files from the settings page
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the **File hash** tab.
-
-3. Select **Add indicator**.
-
-4. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-### Create a contextual indicator from the file details page
-One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file.
-
-When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
-
-Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
-
-
-## Related topics
-- [Create indicators](manage-indicators.md)
-- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
deleted file mode 100644
index 4491cd3549..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Create indicators for IPs and URLs/domains
-ms.reviewer:
-description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
-keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create indicators for IPs and URLs/domains
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
-
-The threat intelligence data set for this has been managed by Microsoft.
-
-By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
-
-> [!NOTE]
-> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
-
-### Before you begin
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
-- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
-- The Antimalware client version must be 4.18.1906.x or later.
-- Supported on machines on Windows 10, version 1709 or later.
-- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
-- For support of indicators on iOS, see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
-
-
-> [!IMPORTANT]
-> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
-> NOTE:
-> - IP is supported for all three protocols
-> - Only single IP addresses are supported (no CIDR blocks or IP ranges)
-> - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
-> - Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
-> - Full URL path blocks can be applied on the domain level and all unencrypted URLs
-
-> [!NOTE]
-> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-
-### Create an indicator for IPs, URLs, or domains from the settings page
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the **IP addresses or URLs/Domains** tab.
-
-3. Select **Add item**.
-
-4. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-## Related topics
-- [Create indicators](manage-indicators.md)
-- [Create indicators for files](indicator-file.md)
-- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
deleted file mode 100644
index 347e36b6a5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Manage indicators
-ms.reviewer:
-description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Manage indicators
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the tab of the entity type you'd like to manage.
-
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-
-## Import a list of IoCs
-
-You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
-
-Download the sample CSV to know the supported column attributes.
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the tab of the entity type you'd like to import indicators for.
-
-3. Select **Import** > **Choose file**.
-
-4. Select **Import**. Do this for all the files you'd like to import.
-
-5. Select **Done**.
-
-The following table shows the supported parameters.
-
-Parameter | Type | Description
-:---|:---|:---
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
-severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-category | String | Category of the alert. Examples include: Execution and credential access. **Optional**
-mitretechniques| String | MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique.
-
-For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748).
-
-
-## See also
-- [Create indicators](manage-indicators.md)
-- [Create indicators for files](indicator-file.md)
-- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Create indicators based on certificates](indicator-certificates.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
deleted file mode 100644
index 1c11db4157..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Information protection in Windows overview
-ms.reviewer:
-description: Learn about how information protection works in Windows to identify and protect sensitive information
-keywords: information, protection, dlp, data, loss, prevention, protect
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Information protection in Windows overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
-
-
->[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
-Defender for Endpoint applies the following methods to discover, classify, and protect data:
-
-- **Data discovery** - Identify sensitive data on Windows devices at risk
-- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
-
-
-## Data discovery and data classification
-
-Defender for Endpoint automatically discovers files with sensitivity labels and files that contain sensitive information types.
-
-Sensitivity labels classify and help protect sensitive content.
-
-Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
-
-- Default
-- Custom
-
-Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
-
-Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
-
-When a file is created or edited on a Windows device, Defender for Endpoint scans the content to evaluate if it contains sensitive information.
-
-Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Defender for Endpoint though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
-
-
-
-The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
-
-## Azure Information Protection - Data discovery dashboard
-
-This dashboard presents a summarized discovery information of data discovered by both Defender for Endpoint and Azure Information Protection. Data from Defender for Endpoint is marked with Location Type - Endpoint.
-
-
-
-Notice the Device Risk column on the right, this device risk is derived directly from Defender for Endpoint, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Defender for Endpoint.
-
-Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
-
->[!NOTE]
->Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
-
-## Log Analytics
-
-Data discovery based on Defender for Endpoint is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
-
-For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
-
-Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
-
-To view Defender for Endpoint data, perform a query that contains:
-
-```
-InformationProtectionLogs_CL
-| where Workload_s == "Windows Defender"
-```
-
-**Prerequisites:**
-
-- Customers must have a subscription for Azure Information Protection.
-- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
deleted file mode 100644
index 6299559448..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Use sensitivity labels to prioritize incident response
-description: Learn how to use sensitivity labels to prioritize and investigate incidents
-keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Use sensitivity labels to prioritize incident response
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
-
-Defender for Endpoint helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information.
-
-## Investigate incidents that involve sensitive data
-Learn how to use data sensitivity labels to prioritize incident investigation.
-
->[!NOTE]
->Labels are detected for Windows 10, version 1809 or later.
-
-1. In Microsoft Defender Security Center, select **Incidents**.
-
-2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
-
- 
-
- You can also filter based on **Data sensitivity**
-
- 
-
-3. Open the incident page to further investigate.
-
- 
-
-4. Select the **Devices** tab to identify devices storing files with sensitivity labels.
-
- 
-
-
-5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
-
- You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
-
- 
-
-
->[!TIP]
->These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
deleted file mode 100644
index 5617ebcae7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Start Investigation API
-description: Use this API to start investigation on a device.
-keywords: apis, graph api, supported apis, investigation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Start Investigation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Start automated investigation on a device.
-
See [Overview of automated investigations](automated-investigations.md) for more information.
-
-
-## Limitations
-1. Rate limitations for this API are 50 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-
-## Response
-If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
-```
-
-```json
-{
- "Comment": "Test investigation"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
deleted file mode 100644
index b58e9f2197..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection alerts
-description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
-keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Investigate alerts in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-
-Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-
-Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
-
-From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
-
-## Investigate using the alert story
-
-The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
-
-Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
-
-Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
-
-> [!NOTE]
-> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
-
-
-
-## Take action from the details pane
-
-Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page.
-
-Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
-
-If you classify it as a true alert, you can also select a determination, as shown in the image below.
-
-
-
-If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
-
-
-
-> [!TIP]
-> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
-
-
-## Related topics
-- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Defender for Endpoint](investigate-user.md)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
deleted file mode 100644
index 179a53a1fd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Investigate connection events that occur behind forward proxies
-description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
-keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Investigate connection events that occur behind forward proxies
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-
-Defender for Endpoint supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
-
-The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
-
-Defender for Endpoint supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
-
-## Use network protection to monitor network connection behind a firewall
-Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode).
-
-Network protection can be controlled using the following modes:
-
-- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.
-- **Audit**
Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
-
-
-If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
-
-If you do not configure it, network blocking will be turned off by default.
-
-For more information, see [Enable network protection](enable-network-protection.md).
-
-## Investigation impact
-When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up.
-
-
-
-Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
-
-Event's information:
-
-
-
-
-
-## Hunt for connection events using advanced hunting
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type.
-
-Using this simple query will show you all the relevant events:
-
-```
-DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess"
-| take 10
-```
-
-
-
-You can also filter out events that are related to connection to the proxy itself.
-
-Use the following query to filter out the connections to the proxy:
-
-```
-DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
-| take 10
-```
-
-
-
-## Related topics
-- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
deleted file mode 100644
index 5297a8957a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection domains
-description: Use the investigation options to see if devices and servers have been communicating with malicious domains.
-keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-# Investigate a domain associated with a Microsoft Defender for Endpoint alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
-
-Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain.
-
-You can investigate a domain by using the search feature or by clicking on a domain link from the **Device timeline**.
-
-You can see information from the following sections in the URL view:
-
-- URL details, Contacts, Nameservers
-- Alerts related to this URL
-- URL in organization
-- Most recent observed devices with URL
-
-## URL worldwide
-
-The **URL Worldwide** section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts.
-
-## Incident
-
-The **Incident** card displays a bar chart of all active alerts in incidents over the past 180 days.
-
-## Prevalence
-
-The **Prevalence** card provides details on the prevalence of the URL within the organization, over a specified period of time.
-
-Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past 6 months.
-
-## Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more.
-
-The Alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. The number of items displayed can also be adjusted, by selecting **items per page** on the same menu.
-
-## Observed in organization
-
-The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, device, and a brief description of what happened.
-
-You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.
-
-**Investigate a domain:**
-
-1. Select **URL** from the **Search bar** drop-down menu.
-2. Enter the URL in the **Search** field.
-3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from devices in the organization.
-4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
-5. Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
-
-## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
deleted file mode 100644
index 0f4a60d9b5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection files
-description: Use the investigation options to get details on files associated with alerts, behaviors, or events.
-keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Investigate a file associated with a Microsoft Defender for Endpoint alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
-
-Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-
-There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Device timeline**.
-
-Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-
-You can get information from the following sections in the file view:
-
-- File details, Malware detection, File prevalence
-- Deep analysis
-- Alerts
-- Observed in organization
-- Deep analysis
-- File names
-
-You can also take action on a file from this page.
-
-## File actions
-
-Along the top of the profile page, above the file information cards. Actions you can perform here include:
-
-- Stop and quarantine
-- Add/edit indicator
-- Download file
-- Consult a threat expert
-- Action center
-
-For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
-
-## File details, Malware detection, and File prevalence
-
-The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
-
-You'll see details such as the file’s MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.
-
-
-
-## Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
-
-
-
-## Observed in organization
-
-The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
-
->[!NOTE]
->This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
-
-
-
-Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
-
-## Deep analysis
-
-The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
-
-
-
-## File names
-
-The **File names** tab lists all names the file has been observed to use, within your organizations.
-
-
-
-## Related topics
-
-- [View and organize the Microsoft Defender for Endpoint queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
-- [Take response actions on a file](respond-file-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
deleted file mode 100644
index 7b03162e01..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Investigate incidents in Microsoft Defender ATP
-description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
-keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Investigate incidents in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
-
-When you investigate an incident, you'll see:
-- Incident details
-- Incident comments and actions
-- Tabs (alerts, devices, investigations, evidence, graph)
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
-
-
-## Analyze incident details
-Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).
-
-
-
-### Alerts
-You can investigate the alerts and see how they were linked together in an incident.
-Alerts are grouped into incidents based on the following reasons:
-- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
-- File characteristics - The files associated with the alert have similar characteristics
-- Manual association - A user manually linked the alerts
-- Proximate time - The alerts were triggered on the same device within a certain timeframe
-- Same file - The files associated with the alert are exactly the same
-- Same URL - The URL that triggered the alert is exactly the same
-
-
-
-You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
-
-### Devices
-You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md).
-
-
-
-### Investigations
-Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
-
-
-
-## Going through the evidence
-Microsoft Defender for Endpoint automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, and more.
-
-Each of the analyzed entities will be marked as infected, remediated, or suspicious.
-
-
-
-## Visualizing associated cybersecurity threats
-Microsoft Defender for Endpoint aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
-
-### Incident graph
-The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc.
-
-
-
-You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it’s been observed in your organization, if so, how many instances.
-
-
-
-## Related topics
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [Investigate incidents in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents)
-- [Manage Microsoft Defender for Endpoint incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
deleted file mode 100644
index a9f13f2327..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Investigate an IP address associated with an alert
-description: Use the investigation options to examine possible communication between devices and external IP addresses.
-keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-
-# Investigate an IP address associated with a Microsoft Defender for Endpoint alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-
-Examine possible communication between your devices and external internet protocol (IP) addresses.
-
-Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices.
-
-You can find information from the following sections in the IP address view:
-
-- IP worldwide
-- Reverse DNS names
-- Alerts related to this IP
-- IP in organization
-- Prevalence
-
-## IP Worldwide and Reverse DNS names
-
-The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
-
-## Alerts related to this IP
-
-The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
-
-## IP in organization
-
-The **IP in organization** section provides details on the prevalence of the IP address in the organization.
-
-## Prevalence
-
-The **Prevalence** section displays how many devices have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
-
-## Most recent observed devices with IP
-
-The **Most recent observed devices** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
-
-**Investigate an external IP:**
-
-1. Select **IP** from the **Search bar** drop-down menu.
-2. Enter the IP address in the **Search** field.
-3. Click the search icon or press **Enter**.
-
-Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address.
-
-> [!NOTE]
-> Search results will only be returned for IP addresses observed in communication with devices in the organization.
-
-Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
-
-Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
-
-## Related topics
-
-- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
deleted file mode 100644
index 5fe4f76ffc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ /dev/null
@@ -1,199 +0,0 @@
----
-title: Investigate devices in the Defender for Endpoint Defender ATP Devices list
-description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health.
-keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Investigate devices in the Microsoft Defender for Endpoint Devices list
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-
-Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
-
-> [!NOTE]
-> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
-
-You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
-
-- [Devices list](investigate-machines.md)
-- [Alerts queue](alerts-queue.md)
-- [Security operations dashboard](security-operations-dashboard.md)
-- Any individual alert
-- Any individual file details view
-- Any IP address or domain details view
-
-When you investigate a specific device, you'll see:
-
-- Device details
-- Response actions
-- Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)
-- Cards (active alerts, logged on users, security assessment)
-
-
-
-## Device details
-
-The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package.
-
-## Response actions
-
-Response actions run along the top of a specific device page and include:
-
-- Manage tags
-- Isolate device
-- Restrict app execution
-- Run antivirus scan
-- Collect investigation package
-- Initiate Live Response Session
-- Initiate automated investigation
-- Consult a threat expert
-- Action center
-
-You can take response actions in the Action center, in a specific device page, or in a specific file page.
-
-For more information on how to take action on a device, see [Take response action on a device](respond-machine-alerts.md).
-
-For more information, see [Investigate user entities](investigate-user.md).
-
-## Tabs
-
-The tabs provide relevant security and threat prevention information related to the device. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.
-
-### Overview
-The **Overview** tab displays the [cards](#cards) for active alerts, logged on users, and security assessment.
-
-
-
-### Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
-
-
-
-When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time.
-
-To see a full page view of an alert including incident graph and process tree, select the title of the alert.
-
-### Timeline
-
-The **Timeline** tab provides a chronological view of the events and associated alerts that have been observed on the device. This can help you correlate any events, files, and IP addresses in relation to the device.
-
-The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a device over a selected time period. To further control your view, you can filter by event groups or customize the columns.
-
->[!NOTE]
-> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
->Firewall covers the following events
->
->- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped
->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
->- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
-
-
-
-Some of the functionality includes:
-
-- Search for specific events
- - Use the search bar to look for specific timeline events.
-- Filter events from a specific date
- - Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the device timeline is set to display the events from the past 30 days.
- - Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations
-- Export detailed device timeline events
- - Export the device timeline for the current date or a specified date range up to seven days.
-
-More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example:
-
-- Contained by Application Guard - the web browser event was restricted by an isolated container
-- Active threat detected - the threat detection occurred while the threat was running
-- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
-- Remediation successful - the detected threat was stopped and cleaned
-- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
-- Suspicious script detected - a potentially malicious script was found running
-- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
-
-#### Event details
-Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
-
-To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
-
-
-
-### Security recommendations
-
-**Security recommendations** are generated from Microsoft Defender for Endpoint's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
-
-
-
-### Software inventory
-
-The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
-
-
-
-### Discovered vulnerabilities
-
-The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
-
-
-
-### Missing KBs
-The **Missing KBs** tab lists the missing security updates for the device.
-
-
-
-## Cards
-
-### Active alerts
-
-The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
-
-
-
->[!NOTE]
->You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-
-### Logged on users
-
-The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
-
-
-
-### Security assessments
-
-The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations.
-
-
-
-## Related topics
-
-- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md)
-- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Defender for Endpoint](investigate-user.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
deleted file mode 100644
index 694b64620b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Investigate a user account in Microsoft Defender ATP
-description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
-keywords: investigate, account, user, user entity, alert, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
-ms.technology: mde
----
-# Investigate a user account in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
-
-## Investigate user account entities
-
-Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account.
-
-You can find user account information in the following views:
-
-- Dashboard
-- Alert queue
-- Device details page
-
-A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
-
-When you investigate a user account entity, you'll see:
-
-- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and logged on devices, role, logon type, and other details
-- Overview of the incidents and user's devices
-- Alerts related to this user
-- Observed in organization (devices logged on to)
-
-
-
-### User details
-
-The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.
-
->[!NOTE]
->You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-
-The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account.
-
-### Overview
-
-The **Overview** tab shows the incidents details and a list of the devices that the user has logged on to. You can expand these to see details of the log-on events for each device.
-
-### Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
-
-### Observed in organization
-
-The **Observed in organization** tab allows you to specify a date range to see a list of devices where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these devices, and total observed users on each device.
-
-Selecting an item on the Observed in organization table will expand the item, revealing more details about the device. Directly selecting a link within an item will send you to the corresponding page.
-
-## Search for specific user accounts
-
-1. Select **User** from the **Search bar** drop-down menu.
-2. Enter the user account in the **Search** field.
-3. Click the search icon or press **Enter**.
-
-A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of devices it was observed logged on to in the last 30 days.
-
-You can filter the results by the following time periods:
-
-- 1 day
-- 3 days
-- 7 days
-- 30 days
-- 6 months
-
-## Related topics
-
-- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
deleted file mode 100644
index 64b309d544..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Investigation resource type
-description: Microsoft Defender ATP Investigation entity.
-keywords: apis, graph api, supported apis, get, alerts, investigations
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Investigation resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Represent an Automated Investigation entity in Defender for Endpoint.
-
See [Overview of automated investigations](automated-investigations.md) for more information.
-
-## Methods
-Method|Return Type |Description
-:---|:---|:---
-[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
-[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity.
-[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Identity of the investigation entity.
-startTime | DateTime Nullable | The date and time when the investigation was created.
-endTime | DateTime Nullable | The date and time when the investigation was completed.
-cancelledBy | String | The ID of the user/application that cancelled that investigation.
-investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-statusDetails | String | Additional information about the state of the investigation.
-machineId | String | The ID of the device on which the investigation is executed.
-computerDnsName | String | The name of the device on which the investigation is executed.
-triggeringAlertId | String | The ID of the alert that triggered the investigation.
-
-
-## Json representation
-
-```json
-{
- "id": "63004",
- "startTime": "2020-01-06T13:05:15Z",
- "endTime": null,
- "state": "Running",
- "cancelledBy": null,
- "statusDetails": null,
- "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
- "computerDnsName": "desktop-test123",
- "triggeringAlertId": "da637139127150012465_1011995739"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
deleted file mode 100644
index 00fc73300c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Configure Microsoft Defender ATP for iOS features
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for iOS features
-keywords: microsoft, defender, atp, ios, configure, features, ios
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure Microsoft Defender for Endpoint for iOS features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-> [!NOTE]
-> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-
-## Conditional Access with Defender for Endpoint for iOS
-Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies
-based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-
-For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
-
-## Web Protection and VPN
-
-By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
-
-While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
-
-1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**.
-1. Click or tap the "i" button for Microsoft Defender ATP.
-1. Toggle off **Connect On Demand** to disable VPN.
-
- > [!div class="mx-imgBorder"]
- > 
-
-> [!NOTE]
-> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
-
-## Co-existence of multiple VPN profiles
-
-Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
-
-
-## Configure compliance policy against jailbroken devices
-
-To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
-
-> [!NOTE]
-> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
-
-Follow the steps below to create a compliance policy against jailbroken devices.
-
-1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-2. Specify a name of the policy, for example "Compliance Policy for Jailbreak".
-3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
-
- > [!div class="mx-imgBorder"]
- > 
-
-4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**.
-6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
-
-## Configure custom indicators
-
-Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
-
-> [!NOTE]
-> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
-
-## Report unsafe site
-
-Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
deleted file mode 100644
index c58faa8d2e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: App-based deployment for Microsoft Defender ATP for iOS
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for iOS using an app
-keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy Microsoft Defender for Endpoint for iOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
-
-## Before you begin
-
-- Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
-
-> [!NOTE]
-> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
-
-## Deployment steps
-
-Deploy Defender for Endpoint for iOS via Intune Company Portal.
-
-### Add iOS store app
-
-1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**.
-
- > [!div class="mx-imgBorder"]
- 
-
-1. On the Add app page, click on **Search the App Store** and type **Microsoft Defender ATP** in the search bar. In the search results section, click on *Microsoft Defender ATP* and click **Select**.
-
-1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
-
-1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**.
-
- > [!NOTE]
- > The selected user group should consist of Intune enrolled users.
-
- > [!div class="mx-imgBorder"]
- 
-
-1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page.
-
-1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
-
- > [!div class="mx-imgBorder"]
- 
-
-## Complete onboarding and check status
-
-1. Once Defender for Endpoint for iOS has been installed on the device, you
- will see the app icon.
-
- 
-
-2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS.
-
-3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Configure Microsoft Defender for Endpoint for Supervised Mode
-
-The Microsoft Defender for Endpoint for iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.
-
-### Configure Supervised Mode via Intune
-
-Intune allows you to configure the Defender for iOS app through an App Configuration policy.
-
- > [!NOTE]
- > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**.
-
- > [!div class="mx-imgBorder"]
- 
-
-1. In the *Create app configuration policy* page, provide the following information:
- - Policy Name
- - Platform: Select iOS/iPadOS
- - Targeted app: Select **Microsoft Defender ATP** from the list
-
- > [!div class="mx-imgBorder"]
- 
-
-1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
- - Configuration Key: issupervised
- - Value type: String
- - Configuration Value: {{issupervised}}
-
- > [!div class="mx-imgBorder"]
- 
-
-1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
-
-1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).
-
- When deploying to user groups, a user must sign in to a device before the policy applies.
-
- Click **Next**.
-
-1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
-
-1. Next, for enhanced Anti-phishing capabilities, you can deploy a custom profile on the supervised iOS devices. Follow the steps below:
- - Download the config profile from [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile)
- - Navigate to **Devices** -> **iOS/iPadOS** -> **Configuration profiles** -> **Create Profile**
-
- > [!div class="mx-imgBorder"]
- 
-
- - Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded above.
- - In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Click **Next**.
- - On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
-
-## Next Steps
-
-[Configure Defender for Endpoint for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
deleted file mode 100644
index 8bea026e5d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Privacy information - Microsoft Defender for Endpoint for iOS
-ms.reviewer:
-description: Describes privacy information for Microsoft Defender for Endpoint for iOS
-keywords: microsoft, defender, atp, ios, policy, overview
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Privacy information - Microsoft Defender for Endpoint for iOS
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md)
-
-> [!NOTE]
-> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
-
-Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
-
-For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md).
-
-## Required data
-
-Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
-
-Here is a list of the types of data being collected:
-
-### Web page or Network information
-
-- Domain name of the website only when a malicious connection or web page is detected.
-
-### Device and account information
-
-- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
-
- - Wi-Fi adapter MAC address
-
- - Randomly generated globally unique identifier (GUID)
-
-- Tenant, Device, and User information
-
- - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
-
- - Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
-
- - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted.
-
- - User Principal Name - Email ID of the user.
-
-### Product and service usage data
-
-The following information is collected only for Microsoft Defender for Endpoint app installed on the device.
-
-- App package info, including name, version, and app upgrade status.
-
-- Actions done in the app.
-
-- Crash report logs generated by iOS.
-
-- Memory usage data.
-
-## Optional Data
-
-Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
-
-Optional diagnostic data includes:
-
-- App, CPU, and network usage for Defender for Endpoint.
-
-- Features configured by the admin for Defender for Endpoint.
-
-Feedback Data is collected through in-app feedback provided by the user.
-
-- The user's email address, if they choose to provide it.
-
-- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
-
-For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
deleted file mode 100644
index aa2cb53ec8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
+++ /dev/null
@@ -1,232 +0,0 @@
----
-title: Microsoft Defender ATP for iOS Application license terms
-ms.reviewer:
-description: Describes the Microsoft Defender ATP for iOS license terms
-keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: sunasing
-author: sunasing
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-hideEdit: true
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for iOS application license terms
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
-
-These license terms ("Terms") are an agreement between Microsoft Corporation (or
-based on where you live, one of its affiliates) and you. Please read them. They
-apply to the application named above. These Terms also apply to any Microsoft
-
-- updates,
-
-- supplements,
-
-- Internet-based services, and
-
-- support services
-
-for this application, unless other terms accompany those items. If so, those
-terms apply.
-
-**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
-DO NOT USE THE APPLICATION.**
-
-**If you comply with these Terms, you have the perpetual rights below.**
-
-1. **INSTALLATION AND USE RIGHTS.**
-
- 1. **Installation and Use.** You may install and use any number of copies
- of this application on iOS enabled device or devices which you own
- or control. You may use this application with your company's valid
- subscription of Defender for Endpoint or
- an online service that includes MDATP functionalities.
-
- 2. **Updates.** Updates or upgrades to MDATP may be required for full
- functionality. Some functionality may not be available in all countries.
-
- 3. **Third Party Programs.** The application may include third party
- programs that Microsoft, not the third party, licenses to you under this
- agreement. Notices, if any, for the third-party program are included for
- your information only.
-
-2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer and other services per the terms of the data
- service plan and any other agreement you have with your network operator due
- to use of the application. You are solely responsible for any network
- operator charges.
-
-3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
- the application. It may change or cancel them at any time.
-
- 1. Consent for Internet-Based or Wireless Services. The application may
- connect to Internet-based wireless services. Your use of the application
- operates as your consent to the transmission of standard device
- information (including but not limited to technical information about
- your device, system and application software, and peripherals) for
- Internet-based or wireless services. If other terms are provided in
- connection with your use of the services, those terms also apply.
-
- - Data. Some online services require, or may be enhanced by, the
- installation of local software like this one. At your, or your
- admin's direction, this software may send data from a device to or
- from an online service.
-
- - Usage Data. Microsoft automatically collects usage and performance
- data over the internet. This data will be used to provide and
- improve Microsoft products and services and enhance your experience.
- You may limit or control collection of some usage and performance
- data through your device settings. Doing so may disrupt your use of
- certain features of the application. For additional information on
- Microsoft's data collection and use, see the [Online Services
- Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
-
- 2. Misuse of Internet-based Services. You may not use any Internet-based
- service in any way that could harm it or impair anyone else's use of it
- or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account or network by any
- means.
-
-4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share and commercialize
- your feedback in any way and for any purpose. You also give to third
- parties, without charge, any patent rights needed for their products,
- technologies and services to use or interface with any specific parts of a
- Microsoft software or service that includes the feedback. You will not give
- feedback that is subject to a license that requires Microsoft to license its
- software or documentation to third parties because we include your feedback
- in them. These rights survive this agreement.
-
-5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
- only gives you some rights to use the application. Microsoft reserves all
- other rights. Unless applicable law gives you more rights despite this
- limitation, you may use the application only as expressly permitted in this
- agreement. In doing so, you must comply with any technical limitations in
- the application that only allow you to use it in certain ways. You may not
-
- - work around any technical limitations in the application;
-
- - reverse engineer, decompile or disassemble the application, except and
- only to the extent that applicable law expressly permits, despite this
- limitation;
-
- - make more copies of the application than specified in this agreement or
- allowed by applicable law, despite this limitation;
-
- - publish the application for others to copy;
-
- - rent, lease or lend the application; or
-
- - transfer the application or this agreement to any third party.
-
-6. **EXPORT RESTRICTIONS.** The application is subject to United States export
- laws and regulations. You must comply with all domestic and international
- export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users and end use. For additional
- information,
- see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
-
-7. **SUPPORT SERVICES.** Because this application is "as is," we may not
- provide support services for it. If you have any issues or questions about
- your use of this application, including questions about your company's
- privacy policy, please contact your company's admin. Do not contact the
- application store, your network operator, device manufacturer, or Microsoft.
- The application store provider has no obligation to furnish support or
- maintenance with respect to the application.
-
-8. **APPLICATION STORE.**
-
- 1. If you obtain the application through an application store (e.g., App
- Store), please review the applicable application store terms to ensure
- your download and use of the application complies with such terms.
- Please note that these Terms are between you and Microsoft and not with
- the application store.
-
- 2. The respective application store provider and its subsidiaries are third
- party beneficiaries of these Terms, and upon your acceptance of these
- Terms, the application store provider(s) will have the right to directly
- enforce and rely upon any provision of these Terms that grants them a
- benefit or rights.
-
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint and
- Microsoft 365 are registered or common-law trademarks of Microsoft
- Corporation in the United States and/or other countries.
-
-10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
- Internet-based services, and support services that you use are the entire
- agreement for the application and support services.
-
-11. **APPLICABLE LAW.**
-
- 1. **United States.** If you acquired the application in the United States,
- Washington state law governs the interpretation of this agreement and
- applies to claims for breach of it, regardless of conflict of laws
- principles. The laws of the state where you live govern all other
- claims, including claims under state consumer protection laws, unfair
- competition laws, and in tort.
-
- 2. **Outside the United States.** If you acquired the application in any
- other country, the laws of that country apply.
-
-12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
- have other rights under the laws of your country. You may also have rights
- with respect to the party from whom you acquired the application. This
- agreement does not change your rights under the laws of your country if the
- laws of your country do not permit it to do so.
-
-13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
- FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
- WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
- EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
- EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
- APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
- ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
- CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
- THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NON-INFRINGEMENT.**
-
- **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
-
-14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
- PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
- ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
- DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
- INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
-
-This limitation applies to:
-
-- anything related to the application, services, content (including code) on
- third party Internet sites, or third party programs; and
-
-- claims for breach of contract, warranty, guarantee or condition; consumer
- protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass or other tort; violation of statute or
- regulation; or unjust enrichment; all to the extent permitted by applicable
- law.
-
-It also applies even if:
-
-a. Repair, replacement or refund for the application does not fully compensate
- you for any losses; or
-
-b. Covered Parties knew or should have known about the possibility of the
- damages.
-
-The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
deleted file mode 100644
index 15f0c9b691..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Isolate machine API
-description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, isolate device
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Isolate machine API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Isolates a device from accessing external network.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Isolate | 'Isolate machine'
-Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
-
-**IsolationType** controls the type of isolation to perform and can be one of the following:
-- Full – Full isolation
-- Selective – Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details)
-
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
-```
-
-```json
-{
- "Comment": "Isolate machine due to alert 1234",
- "IsolationType": "Full"
-}
-```
-
-- To release a device from isolation, see [Release device from isolation](unisolate-machine.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
deleted file mode 100644
index 34da9afb03..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: Configure and validate exclusions for Microsoft Defender ATP for Linux
-description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
-keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure and validate exclusions for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
-
-> [!IMPORTANT]
-> The exclusions described in this article don't apply to other Defender for Endpoint for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
-
-You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Linux scans.
-
-Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Linux.
-
-> [!WARNING]
-> Defining exclusions lowers the protection offered by Defender for Endpoint for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-
-## Supported exclusion types
-
-The follow table shows the exclusion types supported by Defender for Endpoint for Linux.
-
-Exclusion | Definition | Examples
----|---|---
-File extension | All files with the extension, anywhere on the device | `.test`
-File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
-
-> [!IMPORTANT]
-> The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file
`file2.log` | `file123.log`
-
-## How to configure the list of exclusions
-
-### From the management console
-
-For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
-
-### From the command line
-
-Run the following command to see the available switches for managing exclusions:
-
-```bash
-mdatp exclusion
-```
-
-> [!TIP]
-> When configuring exclusions with wildcards, enclose the parameter in double-quotes to prevent globbing.
-
-Examples:
-
-- Add an exclusion for a file extension:
-
- ```bash
- mdatp exclusion extension add --name .txt
- ```
- ```Output
- Extension exclusion configured successfully
- ```
-
-- Add an exclusion for a file:
-
- ```bash
- mdatp exclusion file add --path /var/log/dummy.log
- ```
- ```Output
- File exclusion configured successfully
- ```
-
-- Add an exclusion for a folder:
-
- ```bash
- mdatp exclusion folder add --path /var/log/
- ```
- ```Output
- Folder exclusion configured successfully
- ```
-
-- Add an exclusion for a folder with a wildcard in it:
-
- ```bash
- mdatp exclusion folder add --path "/var/*/"
- ```
-
- > [!NOTE]
- > This will only exclude paths one level below */var/*, but not folders which are more deeply nested; for example, */var/this-subfolder/but-not-this-subfolder*.
-
- ```bash
- mdatp exclusion folder add --path "/var/"
- ```
- > [!NOTE]
- > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
-
- ```Output
- Folder exclusion configured successfully
- ```
-
-- Add an exclusion for a process:
-
- ```bash
- mdatp exclusion process add --name cat
- ```
- ```Output
- Process exclusion configured successfully
- ```
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using `curl` to download a test file.
-
-In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
-
-```bash
-curl -o test.txt https://www.eicar.org/download/eicar.com.txt
-```
-
-If Defender for Endpoint for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
-
-If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
-
-```bash
-echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
-```
-
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-
-## Allow threats
-
-In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
-
-To add a threat name to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name [threat-name]
-```
-
-The threat name associated with a detection on your device can be obtained using the following command:
-
-```bash
-mdatp threat list
-```
-
-For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
deleted file mode 100644
index 046ec05444..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ /dev/null
@@ -1,356 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux manually
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy Microsoft Defender for Endpoint for Linux manually
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks:
-
-- [Deploy Microsoft Defender for Endpoint for Linux manually](#deploy-microsoft-defender-for-endpoint-for-linux-manually)
- - [Prerequisites and system requirements](#prerequisites-and-system-requirements)
- - [Configure the Linux software repository](#configure-the-linux-software-repository)
- - [RHEL and variants (CentOS and Oracle Linux)](#rhel-and-variants-centos-and-oracle-linux)
- - [SLES and variants](#sles-and-variants)
- - [Ubuntu and Debian systems](#ubuntu-and-debian-systems)
- - [Application installation](#application-installation)
- - [Download the onboarding package](#download-the-onboarding-package)
- - [Client configuration](#client-configuration)
- - [Log installation issues](#log-installation-issues)
- - [Operating system upgrades](#operating-system-upgrades)
- - [Uninstallation](#uninstallation)
-
-## Prerequisites and system requirements
-
-Before you get started, see [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-
-## Configure the Linux software repository
-
-Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
-
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
-> [!WARNING]
-> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
-### RHEL and variants (CentOS and Oracle Linux)
-
-- Install `yum-utils` if it isn't installed yet:
-
- ```bash
- sudo yum install yum-utils
- ```
-
-- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8.
-
- In the below commands, replace *[distro]* and *[version]* with the information you've identified:
-
- > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with “rhel”.
-
- ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
- ```
-
- For example, if you are running CentOS 7 and wish to deploy MDE for Linux from the *prod* channel:
-
- ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo
- ```
-
- Or if you wish to explore new features on selected devices, you might want to deploy MDE for Linux to *insiders-fast* channel:
-
- ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
- ```
-
-- Install the Microsoft GPG public key:
-
- ```bash
- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
- ```
-
-- Download and make usable all the metadata for the currently enabled yum repositories:
-
- ```bash
- yum makecache
- ```
-
-### SLES and variants
-
-- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`.
-
- In the following commands, replace *[distro]* and *[version]* with the information you've identified:
-
- ```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
- ```
-
- For example, if you are running SLES 12 and wish to deploy MDE for Linux from the *prod* channel:
-
- ```bash
- sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
- ```
-
-- Install the Microsoft GPG public key:
-
- ```bash
- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
- ```
-
-### Ubuntu and Debian systems
-
-- Install `curl` if it isn't installed yet:
-
- ```bash
- sudo apt-get install curl
- ```
-
-- Install `libplist-utils` if it isn't installed yet:
-
- ```bash
- sudo apt-get install libplist-utils
- ```
-
-- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`.
-
- In the below command, replace *[distro]* and *[version]* with the information you've identified:
-
- ```bash
- curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
- ```
-
- For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel:
-
- ```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
- ```
-
-- Install the repository configuration:
-
- ```bash
- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
- ```
- For example, if you chose *prod* channel:
-
- ```bash
- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
- ```
-
-- Install the `gpg` package if not already installed:
-
- ```bash
- sudo apt-get install gpg
- ```
-
- If `gpg` is not available, then install `gnupg`.
-
-- Install the Microsoft GPG public key:
-
- ```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
- ```
-
-- Install the https driver if it's not already present:
-
- ```bash
- sudo apt-get install apt-transport-https
- ```
-
-- Update the repository metadata:
-
- ```bash
- sudo apt-get update
- ```
-
-## Application installation
-
-- RHEL and variants (CentOS and Oracle Linux):
-
- ```bash
- sudo yum install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. Depending on the distribution and the version of your server, the repository alias might be different than the one in the following example.
-
- ```bash
- # list all repositories
- yum repolist
- ```
- ```Output
- ...
- packages-microsoft-com-prod packages-microsoft-com-prod 316
- packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
- ...
- ```
- ```bash
- # install the package from the production repository
- sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
- ```
-
-- SLES and variants:
-
- ```bash
- sudo zypper install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
-
- ```bash
- zypper repos
- ```
-
- ```Output
- ...
- # | Alias | Name | ...
- XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
- XX | packages-microsoft-com-prod | microsoft-prod | ...
- ...
- ```
- ```bash
- sudo zypper install packages-microsoft-com-prod:mdatp
- ```
-
-- Ubuntu and Debian system:
-
- ```bash
- sudo apt-get install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
-
- ```bash
- cat /etc/apt/sources.list.d/*
- ```
- ```Output
- deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
- deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
- ```
- ```bash
- sudo apt -t bionic install mdatp
- ```
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 devices)** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file.
- Extract the contents of the archive:
-
- ```bash
- ls -l
- ```
-
- ```Output
- total 8
- -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
-
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
- ```
-
-
-## Client configuration
-
-1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
-
- Initially the client device is not associated with an organization. Note that the *orgId* attribute is blank:
-
- ```bash
- mdatp health --field org_id
- ```
-
-2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device:
-
- ```bash
- python MicrosoftDefenderATPOnboardingLinuxServer.py
- ```
-
-3. Verify that the device is now associated with your organization and reports a valid organization identifier:
-
- ```bash
- mdatp health --field org_id
- ```
-
-4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
-
- ```bash
- mdatp health --field healthy
- ```
-
- > [!IMPORTANT]
- > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `false`. You can check the status of the definition update using the following command:
- > ```bash
- > mdatp health --field definitions_status
- > ```
- > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
-
-5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
-
- - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
-
- ```bash
- mdatp health --field real_time_protection_enabled
- ```
-
- - Open a Terminal window. Copy and execute the following command:
-
- ``` bash
- curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
- ```
-
- - The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats:
-
- ```bash
- mdatp threat list
- ```
-
-## Log installation issues
-
-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
-
-## Uninstallation
-
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint for Linux from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
deleted file mode 100644
index b0ac68a9e6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ /dev/null
@@ -1,268 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux with Ansible
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy Microsoft Defender for Endpoint for Linux with Ansible
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Defender for Endpoint for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
-
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Create Ansible YAML files](#create-ansible-yaml-files)
-- [Deployment](#deployment)
-- [References](#references)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-
-In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
-
-- Ansible needs to be installed on at least one computer (we will call it the primary computer).
-- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
-- The following software must be installed on all clients:
- - curl
- - python-apt
-
-- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
-
- ```bash
- [servers]
- host1 ansible_ssh_host=10.171.134.39
- host2 ansible_ssh_host=51.143.50.51
- ```
-
-- Ping test:
-
- ```bash
- ansible -m ping all
- ```
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file. Extract the contents of the archive:
-
- ```bash
- ls -l
- ```
- ```Output
- total 8
- -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: mdatp_onboard.json
- ```
-
-## Create Ansible YAML files
-
-Create a subtask or role files that contribute to an playbook or task.
-
-- Create the onboarding task, `onboarding_setup.yml`:
-
- ```bash
- - name: Create MDATP directories
- file:
- path: /etc/opt/microsoft/mdatp/
- recurse: true
- state: directory
- mode: 0755
- owner: root
- group: root
-
- - name: Register mdatp_onboard.json
- stat:
- path: /etc/opt/microsoft/mdatp/mdatp_onboard.json
- register: mdatp_onboard
-
- - name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
- unarchive:
- src: WindowsDefenderATPOnboardingPackage.zip
- dest: /etc/opt/microsoft/mdatp
- mode: 0600
- owner: root
- group: root
- when: not mdatp_onboard.stat.exists
- ```
-
-- Add the Defender for Endpoint repository and key.
-
- Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
-
- The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
- In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
- > [!WARNING]
- > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
- Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
- In the following commands, replace *[distro]* and *[version]* with the information you've identified.
-
- > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with “rhel”.
-
- ```bash
- - name: Add Microsoft APT key
- apt_key:
- keyserver: https://packages.microsoft.com/
- id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
- when: ansible_os_family == "Debian"
-
- - name: Add Microsoft apt repository for MDATP
- apt_repository:
- repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
- update_cache: yes
- state: present
- filename: microsoft-[channel].list
- when: ansible_os_family == "Debian"
-
- - name: Add Microsoft yum repository for MDATP
- yum_repository:
- name: packages-microsoft-com-prod-[channel]
- description: Microsoft Defender for Endpoint
- file: microsoft-[channel]
- baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
- gpgcheck: yes
- enabled: Yes
- when: ansible_os_family == "RedHat"
- ```
-
-- Create the Ansible install and uninstall YAML files.
-
- - For apt-based distributions use the following YAML file:
-
- ```bash
- cat install_mdatp.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - include: ../roles/onboarding_setup.yml
- - include: ../roles/add_apt_repo.yml
- - apt:
- name: mdatp
- state: latest
- update_cache: yes
- ```
-
- ```bash
- cat uninstall_mdatp.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - apt:
- name: mdatp
- state: absent
- ```
-
- - For yum-based distributions use the following YAML file:
-
- ```bash
- cat install_mdatp_yum.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - include: ../roles/onboarding_setup.yml
- - include: ../roles/add_yum_repo.yml
- - yum:
- name: mdatp
- state: latest
- enablerepo: packages-microsoft-com-prod-[channel]
- ```
-
- ```bash
- cat uninstall_mdatp_yum.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - yum:
- name: mdatp
- state: absent
- ```
-
-## Deployment
-
-Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
-
-- Installation:
-
- ```bash
- ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
- ```
-
-> [!IMPORTANT]
-> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.
-
-- Validation/configuration:
-
- ```bash
- ansible -m shell -a 'mdatp connectivity test' all
- ```
- ```bash
- ansible -m shell -a 'mdatp health' all
- ```
-
-- Uninstallation:
-
- ```bash
- ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
- ```
-
-## Log installation issues
-
-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
-
-## References
-
-- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
-
-- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
-
-- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
-
-- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
deleted file mode 100644
index 157fa13b36..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ /dev/null
@@ -1,247 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux with Puppet
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy Microsoft Defender for Endpoint for Linux with Puppet
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Defender for Endpoint for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
-
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Create Puppet manifest](#create-a-puppet-manifest)
-- [Deployment](#deployment)
-- [Check onboarding status](#check-onboarding-status)
-
-## Prerequisites and system requirements
-
- For a description of prerequisites and system requirements for the current software version, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md).
-
-In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file.
-
- ```bash
- ls -l
- ```
- ```Output
- total 8
- -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
-5. Extract the contents of the archive.
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: mdatp_onboard.json
- ```
-
-## Create a Puppet manifest
-
-You need to create a Puppet manifest for deploying Defender for Endpoint for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
-
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
-
-```bash
-pwd
-```
-```Output
-/etc/puppetlabs/code/environments/production/modules
-```
-
-```bash
-tree install_mdatp
-```
-```Output
-install_mdatp
-├── files
-│ └── mdatp_onboard.json
-└── manifests
- └── init.pp
-```
-
-### Contents of `install_mdatp/manifests/init.pp`
-
-Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
-
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
-> [!WARNING]
-> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
-Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
-In the below commands, replace *[distro]* and *[version]* with the information you've identified:
-
-> [!NOTE]
-> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'.
-
-```puppet
-# Puppet manifest to install Microsoft Defender ATP.
-# @param channel The release channel based on your environment, insider-fast or prod.
-# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
-# @param version The Linux distribution release number, e.g. 7.4.
-
-class install_mdatp (
-$channel = 'insiders-fast',
-$distro = undef,
-$version = undef
-){
- case $::osfamily {
- 'Debian' : {
- apt::source { 'microsoftpackages' :
- location => "https://packages.microsoft.com/${distro}/${version}/prod",
- release => $channel,
- repos => 'main',
- key => {
- 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
- 'server' => 'keyserver.ubuntu.com',
- },
- }
- }
- 'RedHat' : {
- yumrepo { 'microsoftpackages' :
- baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
- descr => "packages-microsoft-com-prod-${channel}",
- enabled => 1,
- gpgcheck => 1,
- gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
- }
- }
- default : { fail("${::osfamily} is currently not supported.") }
- }
-
- case $::osfamily {
- /(Debian|RedHat)/: {
- file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755'
- }
-
- file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
- source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
- owner => root,
- group => root,
- mode => '0600',
- require => File['/etc/opt/microsoft/mdatp']
- }
-
- package { 'mdatp':
- ensure => 'installed',
- require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
- }
- }
- default : { fail("${::osfamily} is currently not supported.") }
- }
-}
-```
-
-## Deployment
-
-Include the above manifest in your site.pp file:
-
-```bash
-cat /etc/puppetlabs/code/environments/production/manifests/site.pp
-```
-```Output
-node "default" {
- include install_mdatp
-}
-```
-
-Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
-
-## Monitor Puppet deployment
-
-On the agent device, you can also check the onboarding status by running:
-
-```bash
-mdatp health
-```
-```Output
-...
-licensed : true
-org_id : "[your organization identifier]"
-...
-```
-
-- **licensed**: This confirms that the device is tied to your organization.
-
-- **orgId**: This is your Defender for Endpoint organization identifier.
-
-## Check onboarding status
-
-You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
-
-```bash
-mdatp health --field healthy
-```
-
-The above command prints `1` if the product is onboarded and functioning as expected.
-
-> [!IMPORTANT]
-> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
-
-If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-
-- 1 if the device isn't onboarded yet.
-- 3 if the connection to the daemon cannot be established.
-
-## Log installation issues
-
- For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
-
-## Uninstallation
-
-Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
-
-```bash
-class remove_mdatp {
- package { 'mdatp':
- ensure => 'purged',
- }
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
deleted file mode 100644
index c745a4803c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ /dev/null
@@ -1,411 +0,0 @@
----
-title: Set preferences for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Set preferences for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
->[!IMPORTANT]
->This topic contains instructions for how to set preferences for Defender for Endpoint for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
-
-In enterprise environments, Defender for Endpoint for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
-
-This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
-
-## Configuration profile structure
-
-The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
-
-Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
-
-The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
-
-### Antivirus engine preferences
-
-The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
-
-|||
-|:---|:---|
-| **Key** | antivirusEngine |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable real-time protection
-
-Determines whether real-time protection (scan files as they are accessed) is enabled or not.
-
-|||
-|:---|:---|
-| **Key** | enableRealTimeProtection |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable passive mode
-
-Determines whether the antivirus engine runs in passive mode or not. In passive mode:
-- Real-time protection is turned off.
-- On-demand scanning is turned on.
-- Automatic threat remediation is turned off.
-- Security intelligence updates are turned on.
-- Status menu icon is hidden.
-
-|||
-|:---|:---|
-| **Key** | passiveMode |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Available in Defender for Endpoint version 100.67.60 or higher. |
-
-#### Exclusion merge policy
-
-Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
-
-|||
-|:---|:---|
-| **Key** | exclusionsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
-
-#### Scan exclusions
-
-Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
-
-|||
-|:---|:---|
-| **Key** | exclusions |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-**Type of exclusion**
-
-Specifies the type of content excluded from the scan.
-
-|||
-|:---|:---|
-| **Key** | $type |
-| **Data type** | String |
-| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
-
-**Path to excluded content**
-
-Used to exclude content from the scan by full file path.
-
-|||
-|:---|:---|
-| **Key** | path |
-| **Data type** | String |
-| **Possible values** | valid paths |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-**Path type (file / directory)**
-
-Indicates if the *path* property refers to a file or directory.
-
-|||
-|:---|:---|
-| **Key** | isDirectory |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-**File extension excluded from the scan**
-
-Used to exclude content from the scan by file extension.
-
-|||
-|:---|:---|
-| **Key** | extension |
-| **Data type** | String |
-| **Possible values** | valid file extensions |
-| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
-
-**Process excluded from the scan**
-
-Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
-
-|||
-|:---|:---|
-| **Key** | name |
-| **Data type** | String |
-| **Possible values** | any string |
-| **Comments** | Applicable only if *$type* is *excludedFileName* |
-
-#### Allowed threats
-
-List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
-
-|||
-|:---|:---|
-| **Key** | allowedThreats |
-| **Data type** | Array of strings |
-
-#### Disallowed threat actions
-
-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
-
-|||
-|:---|:---|
-| **Key** | disallowedThreatActions |
-| **Data type** | Array of strings |
-| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
-| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
-
-#### Threat type settings
-
-The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
-
-|||
-|:---|:---|
-| **Key** | threatTypeSettings |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-**Threat type**
-
-Type of threat for which the behavior is configured.
-
-|||
-|:---|:---|
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | potentially_unwanted_application
archive_bomb |
-
-**Action to take**
-
-Action to take when coming across a threat of the type specified in the preceding section. Can be:
-
-- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
-- **Block**: The device is protected against this type of threat and you are notified in the security console.
-- **Off**: The device is not protected against this type of threat and nothing is logged.
-
-|||
-|:---|:---|
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | audit (default)
block
off |
-
-#### Threat type settings merge policy
-
-Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
-
-|||
-|:---|:---|
-| **Key** | threatTypeSettingsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
-
-#### Antivirus scan history retention (in days)
-
-Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
-
-|||
-|:---|:---|
-| **Key** | scanResultsRetentionDays |
-| **Data type** | String |
-| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
-| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. |
-
-#### Maximum number of items in the antivirus scan history
-
-Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
-
-|||
-|:---|:---|
-| **Key** | scanHistoryMaximumItems |
-| **Data type** | String |
-| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
-| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. |
-
-### Cloud-delivered protection preferences
-
-The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
-
-|||
-|:---|:---|
-| **Key** | cloudService |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable cloud delivered protection
-
-Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
-
-|||
-|:---|:---|
-| **Key** | enabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Diagnostic collection level
-
-Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
-
-|||
-|:---|:---|
-| **Key** | diagnosticLevel |
-| **Data type** | String |
-| **Possible values** | optional (default)
required |
-
-#### Enable / disable automatic sample submissions
-
-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission:
-
-- **None**: no suspicious samples are submitted to Microsoft.
-- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
-- **All**: all suspicious samples are submitted to Microsoft.
-
-|||
-|:---|:---|
-| **Key** | automaticSampleSubmissionConsent |
-| **Data type** | String |
-| **Possible values** | none
safe (default)
all |
-
-#### Enable / disable automatic security intelligence updates
-
-Determines whether security intelligence updates are installed automatically:
-
-|||
-|:---|:---|
-| **Key** | automaticDefinitionUpdateEnabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-## Recommended configuration profile
-
-To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Defender for Endpoint provides.
-
-The following configuration profile will:
-
-- Enable real-time protection (RTP)
-- Specify how the following threat types are handled:
- - **Potentially unwanted applications (PUA)** are blocked
- - **Archive bombs** (file with a high compression rate) are audited to the product logs
-- Enable automatic security intelligence updates
-- Enable cloud-delivered protection
-- Enable automatic sample submission at `safe` level
-
-### Sample profile
-
-```JSON
-{
- "antivirusEngine":{
- "enableRealTimeProtection":true,
- "threatTypeSettings":[
- {
- "key":"potentially_unwanted_application",
- "value":"block"
- },
- {
- "key":"archive_bomb",
- "value":"audit"
- }
- ]
- },
- "cloudService":{
- "automaticDefinitionUpdateEnabled":true,
- "automaticSampleSubmissionConsent":"safe",
- "enabled":true
- }
-}
-```
-
-## Full configuration profile example
-
-The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
-
-### Full profile
-
-```JSON
-{
- "antivirusEngine":{
- "enableRealTimeProtection":true,
- "passiveMode":false,
- "exclusionsMergePolicy":"merge",
- "exclusions":[
- {
- "$type":"excludedPath",
- "isDirectory":false,
- "path":"/var/log/system.log"
- },
- {
- "$type":"excludedPath",
- "isDirectory":true,
- "path":"/home"
- },
- {
- "$type":"excludedFileExtension",
- "extension":"pdf"
- },
- {
- "$type":"excludedFileName",
- "name":"cat"
- }
- ],
- "allowedThreats":[
- "EICAR-Test-File (not a virus)"
- ],
- "disallowedThreatActions":[
- "allow",
- "restore"
- ],
- "threatTypeSettingsMergePolicy":"merge",
- "threatTypeSettings":[
- {
- "key":"potentially_unwanted_application",
- "value":"block"
- },
- {
- "key":"archive_bomb",
- "value":"audit"
- }
- ]
- },
- "cloudService":{
- "enabled":true,
- "diagnosticLevel":"optional",
- "automaticSampleSubmissionConsent":"safe",
- "automaticDefinitionUpdateEnabled":true
- }
-}
-```
-
-## Configuration profile validation
-
-The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
-
-```bash
-python -m json.tool mdatp_managed.json
-```
-
-If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
-
-## Configuration profile deployment
-
-Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
deleted file mode 100644
index f389dd572e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
+++ /dev/null
@@ -1,304 +0,0 @@
----
-title: Privacy for Microsoft Defender ATP for Linux
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, privacy, diagnostic
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Privacy for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](microsoft-defender-atp-linux.md)
-
-Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Defender for Endpoint for Linux.
-
-This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
-
-## Overview of privacy controls in Microsoft Defender for Endpoint for Linux
-
-This section describes the privacy controls for the different types of data collected by Defender for Endpoint for Linux.
-
-### Diagnostic data
-
-Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
-
-Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
-
-There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from:
-
-* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it’s installed on.
-
-* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
-
-By default, only required diagnostic data is sent to Microsoft.
-
-### Cloud delivered protection data
-
-Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
-
-Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
-
-### Sample data
-
-Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
-
-There are three levels for controlling sample submission:
-
-- **None**: no suspicious samples are submitted to Microsoft.
-- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
-- **All**: all suspicious samples are submitted to Microsoft.
-
-## Manage privacy controls with policy settings
-
-If you're an IT administrator, you might want to configure these controls at the enterprise level.
-
-The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
-
-As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
-
-## Diagnostic data events
-
-This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
-
-### Data fields that are common for all events
-There is some information about events that is common to all events, regardless of category or data subtype.
-
-The following fields are considered common for all events:
-
-| Field | Description |
-| ----------------------- | ----------- |
-| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
-| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
-| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
-| app_version | Version of the Defender for Endpoint for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
-| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
-| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
-| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
-
-### Required diagnostic data
-
-**Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device it’s installed on.
-
-Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
-
-#### Software setup and inventory data events
-
-**Microsoft Defender for Endpoint installation / uninstallation**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| correlation_id | Unique identifier associated with the installation. |
-| version | Version of the package. |
-| severity | Severity of the message (for example Informational). |
-| code | Code that describes the operation. |
-| text | Additional information associated with the product installation. |
-
-**Microsoft Defender for Endpoint configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| --------------------------------------------------- | ----------- |
-| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
-| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
-| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
-| cloud_service.timeout | Time out when the application communicates with the Defender for Endpoint cloud. |
-| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
-| cloud_service.service_uri | URI used to communicate with the cloud. |
-| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
-| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
-| edr.early_preview | Whether the device should run EDR early preview features. |
-| edr.group_id | Group identifier used by the detection and response component. |
-| edr.tags | User-defined tags. |
-| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
-
-#### Product and service usage data events
-
-**Security intelligence update report**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| from_version | Original security intelligence version. |
-| to_version | New security intelligence version. |
-| status | Status of the update indicating success or failure. |
-| using_proxy | Whether the update was done over a proxy. |
-| error | Error code if the update failed. |
-| reason | Error message if the update failed. |
-
-#### Product and service performance data events
-
-**Kernel extension statistics**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| version | Version of Defender for Endpoint for Linux. |
-| instance_id | Unique identifier generated on kernel extension startup. |
-| trace_level | Trace level of the kernel extension. |
-| subsystem | The underlying subsystem used for real-time protection. |
-| ipc.connects | Number of connection requests received by the kernel extension. |
-| ipc.rejects | Number of connection requests rejected by the kernel extension. |
-| ipc.connected | Whether there is any active connection to the kernel extension. |
-
-#### Support data
-
-**Diagnostic logs**
-
-Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
-
-- All files under */var/log/microsoft/mdatp*
-- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Defender for Endpoint for Linux
-- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
-
-### Optional diagnostic data
-
-**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
-
-If you choose to send us optional diagnostic data, required diagnostic data is also included.
-
-Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
-
-#### Software setup and inventory data events
-
-**Microsoft Defender for Endpoint configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| -------------------------------------------------- | ----------- |
-| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
-| file_hash_cache_maximum | Size of the product cache. |
-| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
-| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
-| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
-| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
-| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
-| antivirus_engine.scan_cache_maximum | Size of the product cache. |
-| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
-| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
-| filesystem_scanner.full_scan_directory | Full scan directory. |
-| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
-| edr.latency_mode | Latency mode used by the detection and response component. |
-| edr.proxy_address | Proxy address used by the detection and response component. |
-
-**Microsoft Auto-Update configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| --------------------------- | ----------- |
-| how_to_check | Determines how product updates are checked (for example automatic or manual). |
-| channel_name | Update channel associated with the device. |
-| manifest_server | Server used for downloading updates. |
-| update_cache | Location of the cache used to store updates. |
-
-### Product and service usage
-
-#### Diagnostic log upload started report
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| sha256 | SHA256 identifier of the support log. |
-| size | Size of the support log. |
-| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
-| format | Format of the support log. |
-
-#### Diagnostic log upload completed report
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| request_id | Correlation ID for the support log upload request. |
-| sha256 | SHA256 identifier of the support log. |
-| blob_sas_uri | URI used by the application to upload the support log. |
-
-#### Product and service performance data events
-
-**Unexpected application exit (crash)**
-
-Unexpected application exits and the state of the application when that happens.
-
-**Kernel extension statistics**
-
-The following fields are collected:
-
-| Field | Description |
-| ------------------------------ | ----------- |
-| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
-| pkt_ack_conn_timeout | |
-| ipc.ack_pkts | |
-| ipc.nack_pkts | |
-| ipc.send.ack_no_conn | |
-| ipc.send.nack_no_conn | |
-| ipc.send.ack_no_qsq | |
-| ipc.send.nack_no_qsq | |
-| ipc.ack.no_space | |
-| ipc.ack.timeout | |
-| ipc.ack.ackd_fast | |
-| ipc.ack.ackd | |
-| ipc.recv.bad_pkt_len | |
-| ipc.recv.bad_reply_len | |
-| ipc.recv.no_waiter | |
-| ipc.recv.copy_failed | |
-| ipc.kauth.vnode.mask | |
-| ipc.kauth.vnode.read | |
-| ipc.kauth.vnode.write | |
-| ipc.kauth.vnode.exec | |
-| ipc.kauth.vnode.del | |
-| ipc.kauth.vnode.read_attr | |
-| ipc.kauth.vnode.write_attr | |
-| ipc.kauth.vnode.read_ex_attr | |
-| ipc.kauth.vnode.write_ex_attr | |
-| ipc.kauth.vnode.read_sec | |
-| ipc.kauth.vnode.write_sec | |
-| ipc.kauth.vnode.take_own | |
-| ipc.kauth.vnode.link | |
-| ipc.kauth.vnode.create | |
-| ipc.kauth.vnode.move | |
-| ipc.kauth.vnode.mount | |
-| ipc.kauth.vnode.denied | |
-| ipc.kauth.vnode.ackd_before_deadline | |
-| ipc.kauth.vnode.missed_deadline | |
-| ipc.kauth.file_op.mask | |
-| ipc.kauth_file_op.open | |
-| ipc.kauth.file_op.close | |
-| ipc.kauth.file_op.close_modified | |
-| ipc.kauth.file_op.move | |
-| ipc.kauth.file_op.link | |
-| ipc.kauth.file_op.exec | |
-| ipc.kauth.file_op.remove | |
-| ipc.kauth.file_op.unmount | |
-| ipc.kauth.file_op.fork | |
-| ipc.kauth.file_op.create | |
-
-## Resources
-
-- [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
deleted file mode 100644
index 7062258108..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
-description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, pua, pus
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-The potentially unwanted application (PUA) protection feature in Defender for Endpoint for Linux can detect and block PUA files on endpoints in your network.
-
-These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
-
-These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
-
-## How it works
-
-Defender for Endpoint for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
-
-When a PUA is detected on an endpoint, Defender for Endpoint for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
-
-## Configure PUA protection
-
-PUA protection in Defender for Endpoint for Linux can be configured in one of the following ways:
-
-- **Off**: PUA protection is disabled.
-- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
-- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
-
->[!WARNING]
->By default, PUA protection is configured in **Audit** mode.
-
-You can configure how PUA files are handled from the command line or from the management console.
-
-### Use the command-line tool to configure PUA protection:
-
-In Terminal, execute the following command to configure PUA protection:
-
-```bash
-mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
-```
-
-### Use the management console to configure PUA protection:
-
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint for Linux](linux-preferences.md) article.
-
-## Related articles
-
-- [Set preferences for Defender for Endpoint for Linux](linux-preferences.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
deleted file mode 100644
index 19ac941547..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-title: Microsoft Defender ATP for Linux resources
-ms.reviewer:
-description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Resources
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-## Collect diagnostic information
-
-If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
-
-1. Increase logging level:
-
- ```bash
- mdatp log level set --level debug
- ```
-
- ```Output
- Log level configured successfully
- ```
-
-2. Reproduce the problem.
-
-3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive.
-
- ```bash
- sudo mdatp diagnostic create
- ```
-
- This command will also print out the file path to the backup after the operation succeeds:
-
- ```Output
- Diagnostic file created:
`mdatp exclusion process [add\|remove] --name [process-name]` |
-|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
-|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
-|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
-|Configuration |List all allowed threat names |`mdatp threat allowed list` |
-|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
-|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
-|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
-|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` |
-|Health |Check the product's health |`mdatp health` |
-|Protection |Scan a path |`mdatp scan custom --path [path] [--ignore-exclusions]` |
-|Protection |Do a quick scan |`mdatp scan quick` |
-|Protection |Do a full scan |`mdatp scan full` |
-|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
-|Protection |Request a security intelligence update |`mdatp definitions update` |
-|Protection history |Print the full protection history |`mdatp threat list` |
-|Protection history |Get threat details |`mdatp threat get --id [threat-id]` |
-|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
-|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
-|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
-|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
-|Endpoint Detection and Response |Set early preview (unused) |`mdatp edr early-preview [enable|disable]` |
-|Endpoint Detection and Response |Set group-id |`mdatp edr group-ids --group-id [group-id]` |
-|Endpoint Detection and Response |Set/Remove tag, only `GROUP` supported |`mdatp edr tag set --name GROUP --value [tag]` |
-|Endpoint Detection and Response |list exclusions (root) |`mdatp edr exclusion list [processes|paths|extensions|all]` |
-
-## Microsoft Defender for Endpoint portal information
-
-In the Defender for Endpoint portal, you'll see two categories of information:
-
-- Antivirus alerts, including:
- - Severity
- - Scan type
- - Device information (hostname, device identifier, tenant identifier, app version, and OS type)
- - File information (name, path, size, and hash)
- - Threat information (name, type, and state)
-- Device information, including:
- - Device identifier
- - Tenant identifier
- - App version
- - Hostname
- - OS type
- - OS version
- - Computer model
- - Processor architecture
- - Whether the device is a virtual machine
-
-### Known issues
-
-- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue.
-- Logged on users do not appear in the Microsoft Defender Security Center portal.
-- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
-
- ```bash
- sudo SUSEConnect --status-text
- ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md
deleted file mode 100644
index f8853d02af..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-title: How to schedule scans with Microsoft Defender for Endpoint (Linux)
-description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets.
-keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Schedule scans with Microsoft Defender for Endpoint (Linux)
-
-To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands).
-
-Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
-
-## Pre-requisite
-
-> [!NOTE]
-> To get a list of all the time zones, run the following command:
-> `timedatectl list-timezones`
-> Examples for timezones:
-> - `America/Los_Angeles`
-> - `America/New_York`
-> - `America/Chicago`
-> - `America/Denver`
-
-## To set the Cron job
-Use the following commands:
-
-**To backup crontab entries**
-
-`sudo crontab -l > /var/tmp/cron_backup_200919.dat`
-
-> [!NOTE]
-> Where 200919 == YRMMDD
-
-> [!TIP]
-> Do this before you edit or remove.
-
-To edit the crontab, and add a new job as a root user:
-`sudo crontab -e`
-
-> [!NOTE]
-> The default editor is VIM.
-
-You might see:
-
-0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh
-
-Press “Insert”
-
-Add the following entries:
-
-CRON_TZ=America/Los_Angeles
-
-0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
-
-> [!NOTE]
->In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8).
-
-Press “Esc”
-
-Type “:wq” without the double quotes.
-
-> [!NOTE]
-> w == write, q == quit
-
-To view your cron jobs, type `sudo crontab -l`
-
-:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp":::
-
-**To inspect cron job runs**
-
-`sudo grep mdatp /var/log/cron`
-
-**To inspect the mdatp_cron_job.log**
-
-`sudo nano mdatp_cron_job.log`
-
-## For those who use Ansible, Chef, or Puppet
-
-Use the following commands:
-### To set cron jobs in Ansible
-
-`cron – Manage cron.d and crontab entries`
-
-See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.
-
-### To set crontabs in Chef
-`cron resource`
-
-See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information.
-
-### To set cron jobs in Puppet
-Resource Type: cron
-
-See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information.
-
-Automating with Puppet: Cron jobs and scheduled tasks
-
-See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.
-
-## Additional information
-
-**To get help with crontab**
-
-`man crontab`
-
-**To get a list of crontab file of the current user**
-
-`crontab -l`
-
-**To get a list of crontab file of another user**
-
-`crontab -u username -l`
-
-**To backup crontab entries**
-
-`crontab -l > /var/tmp/cron_backup.dat`
-
-> [!TIP]
-> Do this before you edit or remove.
-
-**To restore crontab entries**
-
-`crontab /var/tmp/cron_backup.dat`
-
-**To edit the crontab and add a new job as a root user**
-
-`sudo crontab -e`
-
-**To edit the crontab and add a new job**
-
-`crontab -e`
-
-**To edit other user’s crontab entries**
-
-`crontab -u username -e`
-
-**To remove all crontab entries**
-
-`crontab -r`
-
-**To remove other user’s crontab entries**
-
-`crontab -u username -r`
-
-**Explanation**
-
-+—————- minute (values: 0 – 59) (special characters: , – * /)
-| +————- hour (values: 0 – 23) (special characters: , – * /)
-| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
-| | | +——- month (values: 1 – 12) (special characters: ,- * / )
-| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
-| | | | |*****command to be executed
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
deleted file mode 100644
index 7aa2cb9dbe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Microsoft Defender ATP for Linux static proxy discovery
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
-keywords: microsoft, defender, atp, linux, installation, proxy
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure Microsoft Defender for Endpoint for Linux for static proxy discovery
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
-
-## Installation time configuration
-
-During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
-
-- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/"
- ```
-
-- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
-
- ```bash
- Acquire::https::Proxy "http://proxy.server:port/";
- ```
-
- > [!CAUTION]
- > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
-
-- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender for Endpoint:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
- ```
-
- > [!NOTE]
- > Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
-
-The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
-
-Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
-
-## Post installation configuration
-
-After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
-
-- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
-
-- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/"
- ```
-
-After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
-
-```bash
-systemctl daemon-reload; systemctl restart mdatp
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
deleted file mode 100644
index 2567347f46..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
-keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-## Run the connectivity test
-
-To test if Defender for Endpoint for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
-
-```bash
-mdatp connectivity test
-```
-
-expected output:
-
-```output
-Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
-Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
-Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
-Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
-Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
-Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
-Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
-Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
-Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
-Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
-Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
-Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK]
-Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
-Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
-```
-
-If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
-
-Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list.
-
-## Troubleshooting steps for environments without proxy or with transparent proxy
-
-To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
-
-```bash
-curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to:
-
-```Output
-OK https://x.cp.wd.microsoft.com/api/report
-OK https://cdn.x.cp.wd.microsoft.com/ping
-```
-
-## Troubleshooting steps for environments with static proxy
-
-> [!WARNING]
-> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
-
-```bash
-curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
-
-> [!WARNING]
-> The static proxy cannot be configured through a system-wide `HTTPS_PROXY` environment variable. Instead, ensure that `HTTPS_PROXY` is properly set in the `/lib/system/system/mdatp.service` file.
-
-To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
-
-```bash
-#Environment="HTTPS_PROXY=http://address:port"
-```
-
-Also ensure that the correct static proxy address is filled in to replace `address:port`.
-
-If this file is correct, try running the following command in the terminal to reload Defender for Endpoint for Linux and propagate the setting:
-
-```bash
-sudo systemctl daemon-reload; sudo systemctl restart mdatp
-```
-
-Upon success, attempt another connectivity test from the command line:
-
-```bash
-mdatp connectivity test
-```
-
-If the problem persists, contact customer support.
-
-## Resources
-
-- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md
deleted file mode 100644
index 3d8a64c5c6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux
-description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, events
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-mms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal.
-
-Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages.
-In case events are not appearing or some types of events are missing, that could indicate some problem.
-
-## Missing network and login events
-
-Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity.
-
-1. Make sure audit framework is working.
-
- ```bash
- service auditd status
- ```
-
- expected output:
-
- ```output
- ● auditd.service - Security Auditing Service
- Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
- Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
- Docs: man:auditd(8)
- https://github.com/linux-audit/audit-documentation
- Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
- Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
- Main PID: 16666 (auditd)
- Tasks: 25
- CGroup: /system.slice/auditd.service
- ├─16666 /sbin/auditd
- ├─16668 /sbin/audispd
- ├─16670 /usr/sbin/sedispatch
- └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
- ```
-
-2. If auditd is stopped, please start it.
-
- ```bash
- service auditd start
- ```
-
-**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events.
-
-1. To validate that SYSCALL auditing is not disabeld, list the current audit rules:
-
- ```bash
- sudo auditctl -l
- ```
-
- if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.
-
- ```output
- -a task, never
- ```
-
- audit rules are located at `/etc/audit/rules.d/audit.rules`.
-
-## Missing file events
-
-File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements).
-
-List the filesystems on the machine with:
-
-```bash
-df -Th
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
deleted file mode 100644
index f9e2cf4acd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
-keywords: microsoft, defender, atp, linux, installation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-## Verify if installation succeeded
-
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
-
- ```bash
- sudo journalctl | grep 'microsoft-mdatp' > installation.log
-```
-
-```bash
- grep 'postinstall end' installation.log
-```
-
-```Output
- microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
- ```
-
-An output from the previous command with correct date and time of installation indicates success.
-
-Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
-
-## Make sure you have the correct package
-
-Please mind that the package you are installing is matching the host distribution and version.
-
-| package | distribution |
-|-------------------------------|------------------------------------------|
-| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x |
-| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x |
-| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x |
-| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x |
-| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 |
-
-For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen.
-
-## Installation failed
-
-Check if the mdatp service is running:
-
-```bash
-systemctl status mdatp
-```
-
-```Output
- ● mdatp.service - Microsoft Defender for Endpoint
- Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
- Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
- Main PID: 1966 (wdavdaemon)
- Tasks: 105 (limit: 4915)
- CGroup: /system.slice/mdatp.service
- ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
- ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
- └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
- ```
-
-## Steps to troubleshoot if mdatp service isn't running
-
-1. Check if "mdatp" user exists:
-
- ```bash
- id "mdatp"
- ```
-
- If there’s no output, run
-
- ```bash
- sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
- ```
-
-2. Try enabling and restarting the service using:
-
- ```bash
- sudo systemctl enable mdatp
- ```
-
- ```bash
- sudo systemctl restart mdatp
- ```
-
-3. If mdatp.service isn't found upon running the previous command, run:
-
- ```bash
- sudo cp /opt/microsoft/mdatp/conf/mdatp.service
-> Examples for timezones:
-> - `America/Los_Angeles`
-> - `America/New_York`
-> - `America/Chicago`
-> - `America/Denver`
-
-## To set the Cron job
-Use the following commands:
-
-**To backup crontab entries**
-
-`sudo crontab -l > /var/tmp/cron_backup_201118.dat`
-
-> [!NOTE]
-> Where 201118 == YYMMDD
-
-> [!TIP]
-> Do this before you edit or remove.
-
-To edit the crontab, and add a new job as a root user:
-`sudo crontab -e`
-
-> [!NOTE]
-> The default editor is VIM.
-
-You might see:
-
-0****/etc/opt/microsoft/mdatp/logrorate.sh
-
-And
-
-02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log
-
-See [Schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-atp.md)
-
-Press “Insert”
-
-Add the following entries:
-
-CRON_TZ=America/Los_Angeles
-
-> #!RHEL and variants (CentOS and Oracle Linux)
-
-`06**sun[$(date +\%d) -le 15] sudo yum update mdatp>>~/mdatp_cron_job.log`
-
-> #!SLES and variants
-
-`06**sun[$(date +\%d) -le 15] sudo zypper update mdatp>>~/mdatp_cron_job.log`
-
-> #!Ubuntu and Debian systems
-
-`06**sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log`
-
-> [!NOTE]
-> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == Won’t run unless it’s equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
-
-Press “Esc”
-
-Type “:wq” w/o the double quotes.
-
-> [!NOTE]
-> w == write, q == quit
-
-To view your cron jobs, type `sudo crontab -l`
-
-:::image type="content" source="images/update-MDE-linux-4634577.jpg" alt-text="update MDE linux":::
-
-To inspect cron job runs:
-`sudo grep mdatp /var/log/cron`
-
-To inspect the mdatp_cron_job.log
-`sudo nano mdatp_cron_job.log`
-
-## For those who use Ansible, Chef, or Puppet
-
-Use the following commands:
-### To set cron jobs in Ansible
-
-`cron – Manage cron.d and crontab entries`
-
-See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.
-
-### To set crontabs in Chef
-`cron resource`
-
-See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information.
-
-### To set cron jobs in Puppet
-Resource Type: cron
-
-See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information.
-
-Automating with Puppet: Cron jobs and scheduled tasks
-
-See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.
-
-## Additional information
-
-**To get help with crontab**
-
-`man crontab`
-
-**To get a list of crontab file of the current user**
-
-`crontab -l`
-
-**To get a list of crontab file of another user**
-
-`crontab -u username -l`
-
-**To backup crontab entries**
-
-`crontab -l > /var/tmp/cron_backup.dat`
-
-> [!TIP]
-> Do this before you edit or remove.
-
-**To restore crontab entries**
-
-`crontab /var/tmp/cron_backup.dat`
-
-**To edit the crontab and add a new job as a root user**
-
-`sudo crontab -e`
-
-**To edit the crontab and add a new job**
-
-`crontab -e`
-
-**To edit other user’s crontab entries**
-
-`crontab -u username -e`
-
-**To remove all crontab entries**
-
-`crontab -r`
-
-**To remove other user’s crontab entries**
-
-`crontab -u username -r`
-
-**Explanation**
-
-
-+—————- minute (values: 0 – 59) (special characters: , – * /)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
deleted file mode 100644
index 336214e71b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Deploy updates for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
-keywords: microsoft, defender, atp, linux, updates, deploy
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploy updates for Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
-
-Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
-
-> [!WARNING]
-> Each version of Defender for Endpoint for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
-> ```bash
-> mdatp health --field product_expiration
-> ```
-
-To update Defender for Endpoint for Linux manually, execute one of the following commands:
-
-## RHEL and variants (CentOS and Oracle Linux)
-
-```bash
-sudo yum update mdatp
-```
-
-## SLES and variants
-
-```bash
-sudo zypper update mdatp
-```
-
-## Ubuntu and Debian systems
-
-```bash
-sudo apt-get install --only-upgrade mdatp
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
deleted file mode 100644
index fecdb626d7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: What's new in Microsoft Defender Advanced Threat Protection for Linux
-description: List of major changes for Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, whatsnew, release
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: security
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# What's new in Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-## 101.18.53
-
-- EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539)
-- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`)
-- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory
-- Performance improvements & bug fixes
-
-## 101.12.99
-
-- Performance improvements & bug fixes
-
-## 101.04.76
-
-- Bug fixes
-
-## 101.03.48
-
-- Bug fixes
-
-## 101.02.55
-
-- Fixed an issue where the product sometimes does not start following a reboot / upgrade
-- Fixed an issue where proxy settings are not persisted across product upgrades
-
-## 101.00.75
-
-- Added support for the following file system types: `ecryptfs`, `fuse`, `fuseblk`, `jfs`, `nfs`, `overlay`, `ramfs`, `reiserfs`, `udf`, and `vfat`
-- New syntax for the [command-line tool](linux-resources.md#configure-from-the-command-line).
-- Performance improvements & bug fixes
-
-## 100.90.70
-
-> [!WARNING]
-> When upgrading the installed package from a product version earlier than 100.90.70, the update may fail on Red Hat-based and SLES distributions. This is because of a major change in a file path. A temporary solution is to remove the older package, and then install the newer one. This issue does not exist in newer versions.
-
-- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
-- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
-- Improvements to make the package installation more robust
-- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
deleted file mode 100644
index 2da23f201a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ /dev/null
@@ -1,229 +0,0 @@
----
-title: Live response command examples
-description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used.
-keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Live response command examples
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
-
-Learn about common commands used in live response and see examples on how they are typically used.
-
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on devices using live response](live-response.md).
-
-
-## analyze
-
-```
-# Analyze the file malware.txt
-analyze file c:\Users\user\Desktop\malware.txt
-```
-
-```
-# Analyze the process by PID
-analyze process 1234
-```
-
-## connections
-
-```
-# List active connections in json format using parameter name
-connections -output json
-```
-
-```
-# List active connections in json format without parameter name
-connections json
-```
-
-## dir
-
-```
-# List files and sub-folders in the current folder
-dir
-```
-
-```
-# List files and sub-folders in a specific folder
-dir C:\Users\user\Desktop\
-```
-
-```
-# List files and subfolders in the current folder in json format
-dir -output json
-```
-
-## fileinfo
-
-```
-# Display information about a file
-fileinfo C:\Windows\notepad.exe
-```
-
-## findfile
-
-```
-# Find file by name
-findfile test.txt
-```
-
-## getfile
-
-```
-# Download a file from a machine
-getfile c:\Users\user\Desktop\work.txt
-```
-
-```
-# Download a file from a machine, automatically run prerequisite commands
-getfile c:\Users\user\Desktop\work.txt -auto
-```
-
->[!NOTE]
->
-> The following file types **cannot** be downloaded using this command from within Live Response:
->
-> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
-> * [Sparse files](/windows/desktop/fileio/sparse-files/)
-> * Empty files
-> * Virtual files, or files that are not fully present locally
->
-> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/).
->
-> Use PowerShell as an alternative, if you have problems using this command from within Live Response.
-
-## processes
-```
-# Show all processes
-processes
-```
-
-```
-# Get process by pid
-processes 123
-```
-
-```
-# Get process by pid with argument name
-processes -pid 123
-```
-
-```
-# Get process by name
-processes -name notepad.exe
-```
-
-## putfile
-
-```
-# Upload file from library
-putfile get-process-by-name.ps1
-```
-
-```
-# Upload file from library, overwrite file if it exists
-putfile get-process-by-name.ps1 -overwrite
-```
-
-```
-# Upload file from library, keep it on the machine after a restart
-putfile get-process-by-name.ps1 -keep
-```
-
-## registry
-
-```
-# Show information about the values in a registry key
-registry HKEY_CURRENT_USER\Console
-```
-
-```
-# Show information about a specific registry value
-registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
-```
-
-
-## remediate
-
-```
-# Remediate file in specific path
-remediate file c:\Users\user\Desktop\malware.exe
-```
-
-```
-# Remediate process with specific PID
-remediate process 7960
-```
-
-```
-# See list of all remediated entities
-remediate list
-```
-
-## run
-
-```
-# Run PowerShell script from the library without arguments
-run script.ps1
-```
-
-```
-# Run PowerShell script from the library with arguments
-run get-process-by-name.ps1 -parameters "-processName Registry"
-```
-
-## scheduledtask
-
-```
-# Get all scheduled tasks
-scheduledtasks
-```
-
-```
-# Get specific scheduled task by location and name
-scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Get specific scheduled task by location and name with spacing
-scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
-```
-
-
-## undo
-
-```
-# Restore remediated registry
-undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
-```
-
-```
-# Restore remediated scheduledtask
-undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Restore remediated file
-undo file c:\Users\user\Desktop\malware.exe
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
deleted file mode 100644
index e534ccd9f6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ /dev/null
@@ -1,311 +0,0 @@
----
-title: Investigate entities on devices using live response in Microsoft Defender ATP
-description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time.
-keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Investigate entities on devices using live response
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time.
-
-Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-| +————- hour (values: 0 – 23) (special characters: , – * /)
-| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
-| | | +——- month (values: 1 – 12) (special characters: ,- * / )
-| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
-| | | | |*****command to be executed
-
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
-
-With live response, analysts can do all of the following tasks:
-- Run basic and advanced commands to do investigative work on a device.
-- Download files such as malware samples and outcomes of PowerShell scripts.
-- Download files in the background (new!).
-- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
-- Take or undo remediation actions.
-
-## Before you begin
-
-Before you can initiate a session on a device, make sure you fulfill the following requirements:
-
-- **Verify that you're running a supported version of Windows**.
-Devices must be running one of the following versions of Windows
-
- - **Windows 10**
- - [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- - [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)
- - [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- - [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- - [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
-
- - **Windows Server 2019 - Only applicable for Public preview**
- - Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later
- - Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818))
-
-- **Enable live response from the advanced settings page**.
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
-
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Enable live response for servers from the advanced settings page** (recommended).
-
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Ensure that the device has an Automation Remediation level assigned to it**.
-You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
-
- You'll receive the following error:
-
- 
-
-- **Enable live response unsigned script execution** (optional).
-
- >[!WARNING]
- >Allowing the use of unsigned scripts may increase your exposure to threats.
-
- Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
-- **Ensure that you have the appropriate permissions**.
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
- > [!IMPORTANT]
- > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
-
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
-
-## Live response dashboard overview
-When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
-
-- Who created the session
-- When the session started
-- The duration of the session
-
-The dashboard also gives you access to:
-- Disconnect session
-- Upload files to the library
-- Command console
-- Command log
-
-
-## Initiate a live response session on a device
-
-1. Sign in to Microsoft Defender Security Center.
-
-2. Navigate to the devices list page and select a device to investigate. The devices page opens.
-
-3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
-
-4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
-
-5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
-
-## Live response commands
-
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
-
->[!NOTE]
->Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
-
-### Basic commands
-
-The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
-| Command | Description |
-|---|---|--- |
-|`cd` | Changes the current directory. |
-|`cls` | Clears the console screen. |
-|`connect` | Initiates a live response session to the device. |
-|`connections` | Shows all the active connections. |
-|`dir` | Shows a list of files and subdirectories in a directory. |
-|`download
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
-| `run` | Runs a PowerShell script from the library on the device. |
-| `library` | Lists files that were uploaded to the live response library. |
-| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
-| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
-|`undo` | Restores an entity that was remediated. |
-
-
-## Use live response commands
-
-The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
-
-### Get a file from the device
-
-For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
-
->[!NOTE]
->The following file size limits apply:
->- `getfile` limit: 3 GB
->- `fileinfo` limit: 10 GB
->- `library` limit: 250 MB
-
-### Download a file in the background
-
-To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
-
-- To download a file in the background, in the live response command console, type `download
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
-
-File, folder, and process exclusions support the following wildcards:
-
-Wildcard | Description | Example | Matches | Does not match
----|---|---|---|---
-\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
-? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log`
-
->[!NOTE]
->The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
-
-## How to configure the list of exclusions
-
-### From the management console
-
-For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Defender for Endpoint for Mac](mac-preferences.md).
-
-### From the user interface
-
-Open the Defender for Endpoint application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-
-
-
-Select the type of exclusion that you wish to add and follow the prompts.
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using `curl` to download a test file.
-
-In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
-
-```bash
-curl -o test.txt https://www.eicar.org/download/eicar.com.txt
-```
-
-If Defender for Endpoint for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
-
-If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
-
-```bash
-echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
-```
-
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-
-## Allow threats
-
-In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
-
-To add a threat name to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name [threat-name]
-```
-
-The threat name associated with a detection on your device can be obtained using the following command:
-
-```bash
-mdatp threat list
-```
-
-For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
deleted file mode 100644
index bc0711a28e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Log in to Jamf Pro
-description: Log in to Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Log in to Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-1. Enter your credentials.
-
- 
-
-2. Select **Computers**.
-
- 
-
-3. You will see the settings that are available.
-
- 
-
-
-## Next step
-[Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
deleted file mode 100644
index 375f715a8e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Manual deployment for Microsoft Defender ATP for macOS
-description: Install Microsoft Defender ATP for macOS manually, from the command line.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Manual deployment for Microsoft Defender for Endpoint for macOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for macOS](microsoft-defender-atp-mac.md)
-
-This topic describes how to deploy Microsoft Defender for Endpoint for macOS manually. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
-- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
-- [Client configuration](#client-configuration)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender for Endpoint for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Download installation and onboarding packages
-
-Download the installation and onboarding packages from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
-3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
-4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
-
- 
-
-5. From a command prompt, verify that you have the two files.
-
-## Application installation (macOS 10.15 and older versions)
-
-To complete this process, you must have admin privileges on the device.
-
-1. Navigate to the downloaded wdav.pkg in Finder and open it.
-
- 
-
-2. Select **Continue**, agree with the License terms, and enter the password when prompted.
-
- 
-
- > [!IMPORTANT]
- > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
-
- 
-
-3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
-
- 
-
- The installation proceeds.
-
- > [!CAUTION]
- > If you don't select **Allow**, the installation will proceed after 5 minutes. Microsoft Defender for Endpoint will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this.
-
-> [!NOTE]
-> macOS may request to reboot the device upon the first installation of Microsoft Defender for Endpoint. Real-time protection will not be available until the device is rebooted.
-
-## Application installation (macOS 11 and newer versions)
-
-To complete this process, you must have admin privileges on the device.
-
-1. Navigate to the downloaded wdav.pkg in Finder and open it.
-
- 
-
-2. Select **Continue**, agree with the License terms, and enter the password when prompted.
-
-3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
-
- 
-
-4. From the **Security & Privacy** window, select **Allow**.
-
- 
-
-5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint for Mac.
-
-6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
-
- 
-
-7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
-
- 
-
-## Client configuration
-
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint for macOS.
-
- The client device is not associated with orgId. Note that the *orgId* attribute is blank.
-
- ```bash
- mdatp health --field org_id
- ```
-
-2. Run the Python script to install the configuration file:
-
- ```bash
- /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
- ```
-
-3. Verify that the device is now associated with your organization and reports a valid *orgId*:
-
- ```bash
- mdatp health --field org_id
- ```
-
-After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
-
- 
-
-
-## How to Allow Full Disk Access
-
-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.
-
-To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender for Endpoint.
-
-## Logging installation issues
-
-See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Uninstallation
-
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint for macOS from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
deleted file mode 100644
index e0cb7de973..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ /dev/null
@@ -1,281 +0,0 @@
----
-title: Intune-based deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender for Endpoint for Mac, using Microsoft Intune.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Intune-based deployment for Microsoft Defender for Endpoint for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> [!NOTE]
-> This documentation explains the legacy method for deploying and configuring Microsoft Defender for Endpoint on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.
->The blog post [MEM simplifies deployment of Microsoft Defender for Endpoint for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender for Endpoint for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-This topic describes how to deploy Microsoft Defender for Endpoint for Mac through Intune. A successful deployment requires the completion of all of the following steps:
-
-1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-1. [Client device setup](#client-device-setup)
-1. [Approve system extensions](#approve-system-extensions)
-1. [Create System Configuration profiles](#create-system-configuration-profiles)
-1. [Publish application](#publish-application)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Overview
-
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint for Macs, via Intune. More detailed steps are available below.
-
-| Step | Sample file names | BundleIdentifier |
-|-|-|-|
-| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
-| [Approve System Extension for Microsoft Defender for Endpoint](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
-| [Approve Kernel Extension for Microsoft Defender for Endpoint](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
-| [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
-| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
-| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
-
-## Download installation and onboarding packages
-
-Download the installation and onboarding packages from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
-
-2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
-
- 
-
-3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
-
-4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-
-5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
-
-6. From a command prompt, verify that you have the three files.
-
-
- ```bash
- ls -l
- ```
-
- ```Output
- total 721688
- -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
- -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
- -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- ```
-7. Extract the contents of the .zip files:
-
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
- inflating: intune/kext.xml
- inflating: intune/WindowsDefenderATPOnboarding.xml
- inflating: jamf/WindowsDefenderATPOnboarding.plist
- ```
-
-8. Make IntuneAppUtil an executable:
-
- ```bash
- chmod +x IntuneAppUtil
- ```
-
-9. Create the wdav.pkg.intunemac package from wdav.pkg:
-
- ```bash
- ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
- ```
- ```Output
- Microsoft Intune Application Utility for Mac OS X
- Version: 1.0.0.0
- Copyright 2018 Microsoft Corporation
-
- Creating intunemac file for /Users/test/Downloads/wdav.pkg
- Composing the intunemac file output
- Output written to ./wdav.pkg.intunemac.
-
- IntuneAppUtil successfully processed "wdav.pkg",
- to deploy refer to the product documentation.
- ```
-
-## Client device setup
-
-You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-
-1. Confirm device management.
-
- 
-
- Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
-
- 
-
-2. Select **Continue** and complete the enrollment.
-
- You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
-
-3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Approve System Extensions
-
-To approve the system extensions:
-
-1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
-
-2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
-
-3. In the `Basics` tab, give a name to this new profile.
-
-4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
-
- Bundle identifier | Team identifier
- --------------------------|----------------
- com.microsoft.wdav.epsext | UBF8T346G9
- com.microsoft.wdav.netext | UBF8T346G9
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
-
-6. Review and create this configuration profile.
-
-## Create System Configuration profiles
-
-1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
-
-2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-
-3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
-
-4. Select **OK**.
-
- 
-
-5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-
-6. Repeat steps 1 through 5 for more profiles.
-
-7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-
-8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.
-
- > [!CAUTION]
- > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.
- >
- > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
-
-9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections.
-
-10. To allow Microsoft Defender for Endpoint for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload.
-
-11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-
-Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
-> [!div class="mx-imgBorder"]
-> 
-
-## Publish application
-
-1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
-
-2. Select **App type=Other/Line-of-business app**.
-
-3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
-
-4. Select **Configure** and add the required information.
-
-5. Use **macOS High Sierra 10.13** as the minimum OS.
-
-6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
-
- > [!CAUTION]
- > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated.
- >
- > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Microsoft Defender for Endpoint. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Microsoft Defender for Endpoint with *Ignore app version* set to **No**, please change it to **Yes**. If Microsoft Defender for Endpoint still cannot be installed on a client device, then uninstall Microsoft Defender for Endpoint and push the updated policy.
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Select **OK** and **Add**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. Change **Assignment type** to **Required**.
-
-10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Verify client device state
-
-1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
-
- 
- 
-
-2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- 
-
-3. You should also see the Microsoft Defender icon in the top-right corner:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Troubleshooting
-
-Issue: No license found
-
-Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
-
-## Logging installation issues
-
-For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
-
-## Uninstallation
-
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint for Mac from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
deleted file mode 100644
index 45e4130495..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Deploying Microsoft Defender ATP for macOS with Jamf Pro
-description: Deploying Microsoft Defender ATP for macOS with Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-Learn how to deploy Microsoft Defender for Endpoint for macOS with Jamf Pro.
-
-> [!NOTE]
-> If you are using macOS Catalina (10.15.4) or newer versions of macOS, see [New configuration profiles for macOS Catalina and newer versions of macOS](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies).
-
-This is a multi step process. You'll need to complete all of the following steps:
-
-- [Login to the Jamf Portal](mac-install-jamfpro-login.md)
-- [Setup the Microsoft Defender for Endpoint for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md)
-- [Setup the Microsoft Defender for Endpoint for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
-- [Enroll the Microsoft Defender for Endpoint for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md)
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
deleted file mode 100644
index e1befe8407..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac on other management solutions.
-keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mavel
-author: maximvelichko
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Approach
-
-> [!CAUTION]
-> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below.
-
-If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender for Endpoint for Mac.
-
-Microsoft Defender for Endpoint for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
-
-- Deploy a macOS .pkg to managed devices.
-- Deploy macOS system configuration profiles to managed devices.
-- Run an arbitrary admin-configured tool/script on managed devices.
-
-Most modern MDM solutions include these features, however, they may call them differently.
-
-You can deploy Defender without the last requirement from the preceding list, however:
-
-- You will not be able to collect status in a centralized way
-- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
-
-## Deployment
-
-Most MDM solutions use the same model for managing macOS devices, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template.
-
-### Package
-
-Configure deployment of a [required application package](mac-install-with-jamf.md),
-with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
-
-In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
-
-### License settings
-
-Set up [a system configuration profile](mac-install-with-jamf.md).
-Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint for Mac is not part of macOS.
-
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
-Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
-Alternatively, it may require you to convert the property list to a different format first.
-
-Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
-MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
-
-### Kernel extension policy
-
-Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
-
-### System extension policy
-
-Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
-
-- com.microsoft.wdav.epsext
-- com.microsoft.wdav.netext
-
-### Full disk access policy
-
-Grant Full Disk Access to the following components:
-
-- Microsoft Defender for Endpoint
- - Identifier: `com.microsoft.wdav`
- - Identifier Type: Bundle ID
- - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
-
-- Microsoft Defender for Endpoint Endpoint Security Extension
- - Identifier: `com.microsoft.wdav.epsext`
- - Identifier Type: Bundle ID
- - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
-
-### Network extension policy
-
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
-
-- Filter type: Plugin
-- Plugin bundle identifier: `com.microsoft.wdav`
-- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
-- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
-- Filter sockets: `true`
-
-## Check installation status
-
-Run [Microsoft Defender for Endpoint](mac-install-with-jamf.md) on a client device to check the onboarding status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
deleted file mode 100644
index 73dc882a2c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Set up device groups in Jamf Pro
-description: Learn how to set up device groups in Jamf Pro for Microsoft Defender ATP for macOS
-keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups.
-
-1. Navigate to **Static Computer Groups**.
-
-2. Select **New**.
-
- 
-
-3. Provide a display name and select **Save**.
-
- 
-
-4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
-
- 
-
-## Next step
-- [Set up Microsoft Defender for Endpoint for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
deleted file mode 100644
index ab77dc10cc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-## Enroll macOS devices
-
-There are multiple methods of getting enrolled to JamF.
-
-This article will guide you on two methods:
-
-- [Method 1: Enrollment Invitations](#enrollment-method-1-enrollment-invitations)
-- [Method 2: Prestage Enrollments](#enrollment-method-2-prestage-enrollments)
-
-For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/casper-suite/administrator-guide/About_Computer_Enrollment.html).
-
-
-## Enrollment Method 1: Enrollment Invitations
-
-1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**.
-
- 
-
-2. Select **+ New**.
-
- 
-
-3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
-
- 
-
- 
-
- For example: janedoe@contoso.com
-
- 
-
-4. Configure the message for the invitation.
-
- 
-
- 
-
- 
-
- 
-
-## Enrollment Method 2: Prestage Enrollments
-
-1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**.
-
- 
-
-2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html).
-
-## Enroll macOS device
-
-1. Select **Continue** and install the CA certificate from a **System Preferences** window.
-
- 
-
-2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
-
- 
-
-3. Select **Allow** to downloads from JAMF.
-
- 
-
-4. Select **Continue** to proceed with the MDM Profile installation.
-
- 
-
-5. Select **Continue** to install the MDM Profile.
-
- 
-
-6. Select **Continue** to complete the configuration.
-
- 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
deleted file mode 100644
index 780f0d40dd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ /dev/null
@@ -1,854 +0,0 @@
----
-title: Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-description: Learn how to set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
-This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
-
-You'll need to take the following steps:
-
-1. [Get the Microsoft Defender for Endpoint onboarding package](#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package)
-
-2. [Create a configuration profile in Jamf Pro using the onboarding package](#step-2-create-a-configuration-profile-in-jamf-pro-using-the-onboarding-package)
-
-3. [Configure Microsoft Defender for Endpoint settings](#step-3-configure-microsoft-defender-for-endpoint-settings)
-
-4. [Configure Microsoft Defender for Endpoint notification settings](#step-4-configure-notifications-settings)
-
-5. [Configure Microsoft AutoUpdate (MAU)](#step-5-configure-microsoft-autoupdate-mau)
-
-6. [Grant full disk access to Microsoft Defender for Endpoint](#step-6-grant-full-disk-access-to-microsoft-defender-for-endpoint)
-
-7. [Approve Kernel extension for Microsoft Defender for Endpoint](#step-7-approve-kernel-extension-for-microsoft-defender-for-endpoint)
-
-8. [Approve System extensions for Microsoft Defender for Endpoint](#step-8-approve-system-extensions-for-microsoft-defender-for-endpoint)
-
-9. [Configure Network Extension](#step-9-configure-network-extension)
-
-10. [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
-
-11. [Deploy Microsoft Defender for Endpoint for macOS](#step-11-deploy-microsoft-defender-for-endpoint-for-macos)
-
-
-## Step 1: Get the Microsoft Defender for Endpoint onboarding package
-
-1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com ), navigate to **Settings > Onboarding**.
-
-2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
-
- 
-
-3. Select **Download onboarding package** (WindowsDefenderATPOnboardingPackage.zip).
-
-4. Extract `WindowsDefenderATPOnboardingPackage.zip`.
-
-5. Copy the file to your preferred location. For example, `C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist`.
-
-
-## Step 2: Create a configuration profile in Jamf Pro using the onboarding package
-
-1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
-
- 
-
-
-2. In the Jamf Pro dashboard, select **New**.
-
- 
-
-3. Enter the following details:
-
- **General**
- - Name: MDATP onboarding for macOS
- - Description: MDATP EDR onboarding for macOS
- - Category: None
- - Distribution Method: Install Automatically
- - Level: Computer Level
-
-4. In **Application & Custom Settings** select **Configure**.
-
- 
-
-5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
-
- 
-
- 
-
-7. Select **Open** and select the onboarding file.
-
- 
-
-8. Select **Upload**.
-
- 
-
-
-9. Select the **Scope** tab.
-
- 
-
-10. Select the target computers.
-
- 
-
- 
-
-11. Select **Save**.
-
- 
-
- 
-
-12. Select **Done**.
-
- 
-
- 
-
-## Step 3: Configure Microsoft Defender for Endpoint settings
-
-1. Use the following Microsoft Defender for Endpoint configuration settings:
-
- - enableRealTimeProtection
- - passiveMode
-
- >[!NOTE]
- >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
-
- - exclusions
- - excludedPath
- - excludedFileExtension
- - excludedFileName
- - exclusionsMergePolicy
- - allowedThreats
-
- >[!NOTE]
- >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
-
- - disallowedThreatActions
- - potentially_unwanted_application
- - archive_bomb
- - cloudService
- - automaticSampleSubmission
- - tags
- - hideStatusMenuIcon
-
- For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
-
- ```XML
-
-
-
- >
-
-
-11. Select **Save**.
-
- 
-
-12. The file is uploaded.
-
- 
-
- 
-
-13. Select the **Scope** tab.
-
- 
-
-14. Select **Contoso's Machine Group**.
-
-15. Select **Add**, then select **Save**.
-
- 
-
- 
-
-16. Select **Done**. You'll see the new **Configuration profile**.
-
- 
-
-
-## Step 4: Configure notifications settings
-
-These steps are applicable of macOS 10.15 (Catalina) or newer.
-
-1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
-
-2. Save it as `MDATP_MDAV_notification_settings.plist`.
-
-3. In the Jamf Pro dashboard, select **General**.
-
-4. Enter the following details:
-
- **General**
-
- - Name: MDATP MDAV Notification settings
- - Description: macOS 10.15 (Catalina) or newer
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
-
- 
-
-
-5. Select **Upload File (PLIST file)**.
-
- 
-
-
-6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
-
-
- 
-
-
- 
-
-7. Select **Open** > **Upload**.
-
- 
-
-
- 
-
-8. Select the **Scope** tab, then select **Add**.
-
- 
-
-
-9. Select **Contoso's Machine Group**.
-
-10. Select **Add**, then select **Save**.
-
- 
-
-
- 
-
-11. Select **Done**. You'll see the new **Configuration profile**.
- 
-
-## Step 5: Configure Microsoft AutoUpdate (MAU)
-
-1. Use the following Microsoft Defender for Endpoint configuration settings:
-
- ```XML
-
-
-
Keep default values.
-
- **Limitations tab**
Keep default values.
-
- 
-
-8. Select **Save**. The package is uploaded to Jamf Pro.
-
- 
-
- It can take a few minutes for the package to be available for deployment.
-
- 
-
-9. Navigate to the **Policies** page.
-
- 
-
-10. Select **+ New** to create a new policy.
-
- 
-
-
-11. In **General** Enter the following details:
-
- - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
-
- 
-
-12. Select **Recurring Check-in**.
-
- 
-
-
-13. Select **Save**.
-
-14. Select **Packages > Configure**.
-
- 
-
-15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
-
- 
-
-16. Select **Save**.
-
- 
-
-17. Select the **Scope** tab.
-
- 
-
-18. Select the target computers.
-
- 
-
- **Scope**
-
- Select **Add**.
-
- 
-
- 
-
- **Self-Service**
-
- 
-
-19. Select **Done**.
-
- 
-
- 
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
deleted file mode 100644
index 0c8ecdb75c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ /dev/null
@@ -1,836 +0,0 @@
----
-title: Set preferences for Microsoft Defender ATP for Mac
-description: Configure Microsoft Defender ATP for Mac in enterprise organizations.
-keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Set preferences for Microsoft Defender for Endpoint for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
-
->[!IMPORTANT]
->This article contains instructions for how to set preferences for Microsoft Defender for Endpoint for Mac in enterprise organizations. To configure Microsoft Defender for Endpoint for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line).
-
-## Summary
-
-In enterprise organizations, Microsoft Defender for Endpoint for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
-
-This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
-
-## Configuration profile structure
-
-The configuration profile is a *.plist* file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
-
->[!CAUTION]
->The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
-
-The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender for Endpoint, which are explained in more detail in the next sections.
-
-### Antivirus engine preferences
-
-The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender for Endpoint.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | antivirusEngine |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable real-time protection
-
-Specify whether to enable real-time protection, which scans files as they are accessed.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enableRealTimeProtection |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable passive mode
-
-Specify whether the antivirus engine runs in passive mode. Passive mode has the following implications:
-- Real-time protection is turned off
-- On-demand scanning is turned on
-- Automatic threat remediation is turned off
-- Security intelligence updates are turned on
-- Status menu icon is hidden
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | passiveMode |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.67.60 or higher. |
-
-#### Exclusion merge policy
-
-Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusionsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
-
-#### Scan exclusions
-
-Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusions |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Type of exclusion
-
-Specify content excluded from being scanned by type.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | $type |
-| **Data type** | String |
-| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
-
-##### Path to excluded content
-
-Specify content excluded from being scanned by full file path.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | path |
-| **Data type** | String |
-| **Possible values** | valid paths |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-##### Path type (file / directory)
-
-Indicate if the *path* property refers to a file or directory.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | isDirectory |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-##### File extension excluded from the scan
-
-Specify content excluded from being scanned by file extension.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | extension |
-| **Data type** | String |
-| **Possible values** | valid file extensions |
-| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
-
-##### Process excluded from the scan
-
-Specify a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | name |
-| **Data type** | String |
-| **Possible values** | any string |
-| **Comments** | Applicable only if *$type* is *excludedFileName* |
-
-#### Allowed threats
-
-Specify threats by name that are not blocked by Defender for Endpoint for Mac. These threats will be allowed to run.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | allowedThreats |
-| **Data type** | Array of strings |
-
-#### Disallowed threat actions
-
-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | disallowedThreatActions |
-| **Data type** | Array of strings |
-| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
-
-#### Threat type settings
-
-Specify how certain threat types are handled by Microsoft Defender for Endpoint for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettings |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Threat type
-
-Specify threat types.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | potentially_unwanted_application
archive_bomb |
-
-##### Action to take
-
-Specify what action to take when a threat of the type specified in the preceding section is detected. Choose from the following options:
-
-- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
-- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
-- **Off**: your device is not protected against this type of threat and nothing is logged.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | audit (default)
block
off |
-
-#### Threat type settings merge policy
-
-Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettingsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
-
-#### Antivirus scan history retention (in days)
-
-Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanResultsRetentionDays |
-| **Data type** | String |
-| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. |
-
-#### Maximum number of items in the antivirus scan history
-
-Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanHistoryMaximumItems |
-| **Data type** | String |
-| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. |
-
-### Cloud-delivered protection preferences
-
-Configure the cloud-driven protection features of Microsoft Defender for Endpoint for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | cloudService |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable cloud-delivered protection
-
-Specify whether to enable cloud-delivered protection the device or not. To improve the security of your services, we recommend keeping this feature turned on.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Diagnostic collection level
-
-Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender for Endpoint to Microsoft.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | diagnosticLevel |
-| **Data type** | String |
-| **Possible values** | optional (default)
required |
-
-#### Enable / disable automatic sample submissions
-
-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | automaticSampleSubmission |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable automatic security intelligence updates
-
-Determines whether security intelligence updates are installed automatically:
-
-|||
-|:---|:---|
-| **Key** | automaticDefinitionUpdateEnabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-### User interface preferences
-
-Manage the preferences for the user interface of Microsoft Defender for Endpoint for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | userInterface |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Show / hide status menu icon
-
-Specify whether to show or hide the status menu icon in the top-right corner of the screen.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | hideStatusMenuIcon |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-
-#### Show / hide option to send feedback
-
-Specify whether users can submit feedback to Microsoft by going to `Help` > `Send Feedback`.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | userInitiatedFeedback |
-| **Data type** | String |
-| **Possible values** | enabled (default)
disabled |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.19.61 or higher. |
-
-### Endpoint detection and response preferences
-
-Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender for Endpoint for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | edr |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Device tags
-
-Specify a tag name and its value.
-
-- The GROUP tag, tags the device with the specified value. The tag is reflected in the portal under the device page and can be used for filtering and grouping devices.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | tags |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Type of tag
-
-Specifies the type of tag
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | `GROUP` |
-
-##### Value of tag
-
-Specifies the value of tag
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | any string |
-
-> [!IMPORTANT]
-> - Only one value per tag type can be set.
-> - Type of tags are unique, and should not be repeated in the same configuration profile.
-
-## Recommended configuration profile
-
-To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender for Endpoint provides.
-
-The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
-- Enable real-time protection (RTP)
-- Specify how the following threat types are handled:
- - **Potentially unwanted applications (PUA)** are blocked
- - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender for Endpoint logs
-- Enable automatic security intelligence updates
-- Enable cloud-delivered protection
-- Enable automatic sample submission
-
-### Property list for JAMF configuration profile
-
-```XML
-
-
-
External
Production |
-
->[!WARNING]
->This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
-> ```bash
-> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
-> ```
-
-### Set update check frequency
-
-Change how often MAU searches for updates.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | UpdateCheckFrequency |
-| **Data type** | Integer |
-| **Default value** | 720 (minutes) |
-| **Comment** | This value is set in minutes. |
-
-### Change how MAU interacts with updates
-
-Change how MAU searches for updates.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | HowToCheck |
-| **Data type** | String |
-| **Possible values** | Manual
AutomaticCheck
AutomaticDownload |
-| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
-
-### Change whether the "Check for Updates" button is enabled
-
-Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | EnableCheckForUpdatesButton |
-| **Data type** | Boolean |
-| **Possible values** | True (default)
False |
-
-### Disable Insider checkbox
-
-Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | DisableInsiderCheckbox |
-| **Data type** | Boolean |
-| **Possible values** | False (default)
True |
-
-### Limit the telemetry that is sent from MAU
-
-Set to false to send minimal heartbeat data, no application usage, and no environment details.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | SendAllTelemetryEnabled |
-| **Data type** | Boolean |
-| **Possible values** | True (default)
False |
-
-## Example configuration profile
-
-The following configuration profile is used to:
-- Place the device in the Insider Fast channel
-- Automatically download and install updates
-- Enable the "Check for updates" button in the user interface
-- Allow users on the device to enroll into the Insider channels
-
-### JAMF
-
-```XML
-
-
-
-> The filter applied on the trends section is not applied on the summary section.
-
-The device trends section allows you to drill down to the devices list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the devices list with results showing only devices whose sensor status is inactive.
-
-
-
-## Device attributes
-The report is made up of cards that display the following device attributes:
-
-- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
-
-- **Antivirus status for active Windows 10 devices**: shows the number of devices and status of Microsoft Defender Antivirus.
-
-- **OS platforms**: shows the distribution of OS platforms that exists within your organization.
-
-- **Windows 10 versions**: shows the distribution of Windows 10 devices and their versions in your organization.
-
-
-
-## Filter data
-
-Use the provided filters to include or exclude devices with certain attributes.
-
-You can select multiple filters to apply from the device attributes.
-
->[!NOTE]
->These filters apply to **all** the cards in the report.
-
-For example, to show data about Windows 10 devices with Active sensor health state:
-
-1. Under **Filters > Sensor health state > Active**.
-2. Then select **OS platforms > Windows 10**.
-3. Select **Apply**.
-
-
-## Related topic
-- [Threat protection report](threat-protection-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
deleted file mode 100644
index 8b7dd420b1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Create and manage device tags
-description: Use device tags to group devices to capture context and enable dynamic list creation as part of an incident
-keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create and manage device tags
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md).
-
-You can add tags on devices using the following ways:
-
-- Using the portal
-- Setting a registry key value
-
-> [!NOTE]
-> There may be some latency between the time a tag is added to a device and its availability in the devices list and device page.
-
-To add device tags using API, see [Add or remove device tags API](add-or-remove-machine-tags.md).
-
-## Add and manage device tags using the portal
-
-1. Select the device that you want to manage tags on. You can select or search for a device from any of the following views:
-
- - **Security operations dashboard** - Select the device name from the Top devices with active alerts section.
- - **Alerts queue** - Select the device name beside the device icon from the alerts queue.
- - **Devices list** - Select the device name from the list of devices.
- - **Search box** - Select Device from the drop-down menu and enter the device name.
-
- You can also get to the alert page through the file and IP views.
-
-2. Select **Manage Tags** from the row of Response actions.
-
- 
-
-3. Type to find or create tags
-
- 
-
-Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices.
-
->[!NOTE]
-> Filtering might not work on tag names that contain parenthesis.
-
-You can also delete tags from this view.
-
-
-
-## Add device tags by setting a registry key value
-
->[!NOTE]
-> Applicable only on the following devices:
->- Windows 10, version 1709 or later
->- Windows Server, version 1803 or later
->- Windows Server 2016
->- Windows Server 2012 R2
->- Windows Server 2008 R2 SP1
->- Windows 8.1
->- Windows 7 SP1
-
-> [!NOTE]
-> The maximum number of characters that can be set in a tag is 200.
-
-Devices with similar tags can be handy when you need to apply contextual action on a specific list of devices.
-
-Use the following registry key entry to add a tag on a device:
-
-- Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (REG_SZ): `Group`
-- Registry key data: `Name of the tag you want to set`
-
->[!NOTE]
->The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report.
->
-> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
deleted file mode 100644
index 477cebbeb7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Machine resource type
-description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, supported apis, get, machines
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Machine resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method|Return Type |Description
-:---|:---|:---
-[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
-[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity.
-[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md).
-[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md).
-[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID.
-[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
-[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
-[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
-[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
-[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md).
-[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
-[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md).
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | [machine](machine.md) identity.
-computerDnsName | String | [machine](machine.md) fully qualified name.
-firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
-lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours.
-osPlatform | String | Operating system platform.
-osProcessor | String | Operating system processor.
-version | String | Operating system Version.
-osBuild | Nullable long | Operating system build number.
-lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
-lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
-healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".
-rbacGroupName | String | Machine group Name.
-riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
-exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
-machineTags | String collection | Set of [machine](machine.md) tags.
-exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
-ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
deleted file mode 100644
index 8971087180..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: machineAction resource type
-description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, supported apis, get, machineaction, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# MachineAction resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-- For more information, see [Response Actions](respond-machine-alerts.md).
-
-| Method | Return Type | Description |
-|:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------|
-| [List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. |
-| [Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. |
-| [Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). |
-| [Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. |
-| [Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. |
-| [Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. |
-| [Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. |
-| [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. |
-| [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). |
-| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender for Endpoint. |
-| [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
-
-
-
-## Properties
-
-| Property | Type | Description |
-|:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| ID | Guid | Identity of the [Machine Action](machineaction.md) entity. |
-| type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" |
-| scope | string | Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan. |
-| requestor | String | Identity of the person that executed the action. |
-| requestorComment | String | Comment that was written when issuing the action. |
-| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled". |
-| machineId | String | ID of the [machine](machine.md) on which the action was executed. |
-| machineId | String | Name of the [machine](machine.md) on which the action was executed. |
-| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. |
-| lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. |
-| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1", "Sha256" and "Md5". |
-
-
-## Json representation
-
-```json
-{
- "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
- "type": "Isolate",
- "scope": "Selective",
- "requestor": "Analyst@TestPrd.onmicrosoft.com",
- "requestorComment": "test for docs",
- "status": "Succeeded",
- "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
- "computerDnsName": "desktop-test",
- "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
- "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
- "relatedFileInfo": null
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
deleted file mode 100644
index 6752d4f806..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: View and organize the Microsoft Defender ATP devices list
-description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations.
-keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# View and organize the Microsoft Defender for Endpoint Devices list
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
-
-The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
-
-At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
-
-There are several options you can choose from to customize the devices list view. On the top navigation you can:
-
-- Add or remove columns
-- Export the entire list in CSV format
-- Select the number of items to show per page
-- Apply filters
-
-During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
-
->[!NOTE]
-> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.
-
-
-
-## Sort and filter the device list
-
-You can apply the following filters to limit the list of alerts and get a more focused view.
-
-### Risk level
-
-The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
-
-### Exposure level
-
-The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.
-
-If the exposure level says "No data available," there are a few reasons why this may be the case:
-
-- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed
-- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)
-- Device with stale agent (very unlikely)
-
-### OS Platform
-
-Select only the OS platforms you're interested in investigating.
-
-### Health state
-
-Filter by the following device health states:
-
-- **Active** – Devices that are actively reporting sensor data to the service.
-- **Inactive** – Devices that have completely stopped sending signals for more than 7 days.
-- **Misconfigured** – Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to:
- - No sensor data
- - Impaired communications
-
- For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-### Antivirus status
-
-Filter devices by antivirus status. Applies to active Windows 10 devices only.
-
-- **Disabled** - Virus & threat protection is turned off.
-- **Not reporting** - Virus & threat protection is not reporting.
-- **Not updated** - Virus & threat protection is not up to date.
-
-For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
-
-### Threat mitigation status
-
-To view devices that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
-
-To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md).
-
-### Windows 10 version
-
-Select only the Windows 10 versions you're interested in investigating.
-
-### Tags & Groups
-
-Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md) and [Create and manage device groups](machine-groups.md).
-
-## Related topics
-
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
deleted file mode 100644
index 5698863784..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: Manage Microsoft Defender Advanced Threat Protection alerts
-description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
-keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Manage Microsoft Defender for Endpoint alerts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
-
-Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
-
-You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device.
-
-Selecting an alert in either of those places brings up the **Alert management pane**.
-
-
-
-## Link to another incident
-You can create a new incident from the alert or link to an existing incident.
-
-## Assign alerts
-If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself.
-
-
-## Suppress alerts
-There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Defender for Endpoint lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
-
-Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
-
-When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
-
-There are two contexts for a suppression rule that you can choose from:
-
-- **Suppress alert on this device**
-- **Suppress alert in my organization**
-
-The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
-
-You can use the examples in the following table to help you choose the context for a suppression rule:
-
-| **Context** | **Definition** | **Example scenarios** |
-|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Suppress alert on this device** | Alerts with the same alert title and on that specific device only will be suppressed.
All other alerts on that device will not be suppressed. |
|
-| **Suppress alert in my organization** | Alerts with the same alert title on any device will be suppressed. |
|
-
-### Suppress an alert and create a new suppression rule:
-Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
-
-1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
-
-2. Select **Create a suppression rule**.
-
- You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
-
- * File SHA1
- * File name - wildcard supported
- * Folder path - wildcard supported
- * IP address
- * URL - wildcard supported
- * Command line - wildcard supported
-
-3. Select the **Triggering IOC**.
-
-4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Defender for Endpoint APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Defender for Endpoint APIs.
-
-
-5. Enter a rule name and a comment.
-
-6. Click **Save**.
-
-#### View the list of suppression rules
-
-1. In the navigation pane, select **Settings** > **Alert suppression**.
-
-2. The list of suppression rules shows all the rules that users in your organization have created.
-
-For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules.md)
-
-## Change the status of an alert
-
-You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
-
-For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
-
-Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
-
-
-
-## Alert classification
-You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
-
-## Add comments and view the history of an alert
-You can add comments and view historical events about an alert to see previous changes made to the alert.
-
-Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
-
-Added comments instantly appear on the pane.
-
-
-## Related topics
-- [Manage suppression rules](manage-suppression-rules.md)
-- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
-- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
deleted file mode 100644
index 12ff88f1d9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Configuration Manager
-description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
-keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Configuration Manager
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
-- [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-- [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-
-## Configure Microsoft Defender for Endpoint with Configuration Manager
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Install the Configuration Manager console** if you don't already have it
*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/get-install-media)
[Install the Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/install-consoles) |
-|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint
*If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender for Endpoint with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
-|**Choose methods for updating antimalware updates** on your organization's devices
*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definition-updates)
[Use Configuration Manager to deliver definition updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#microsoft-endpoint-configuration-manager) |
-|**Configure controlled folder access** to protect against ransomware
*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Microsoft Endpoint Configuration Manage](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
deleted file mode 100644
index d5af8e2cf2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Group Policy Objects
-description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Group Policy Objects
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> [!NOTE]
-> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**.
-
-You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender for Endpoint.
-
-## Configure Microsoft Defender for Endpoint with Group Policy Objects
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage settings for user and computer objects**
*Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.* |[Administer Group Policy in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) |
-|**Configure Microsoft Defender Antivirus**
*Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).* |[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
[Use Group Policy to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection) |
-|**Manage your organization's attack surface reduction rules**
*Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.* |[Customize attack surface reduction rules with Group Policy Objects](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-group-policy-to-exclude-files-and-folders) |
-|**Manage exploit protection settings**
*You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.* |[Customize exploit protection settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml)
[Use Group Policy to distribute the configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#group-policy) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#group-policy) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. |[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |[Enable Windows Defender Credential Guard by using Group Policy](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
deleted file mode 100644
index 4ac73497e7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Intune
-description: Learn how to manage Microsoft Defender for Endpoint with Intune
-keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Intune
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-
-This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
-
-## Find your Microsoft Defender for Endpoint settings in Intune
-
-> [!IMPORTANT]
-> You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](https://docs.microsoft.com/mem/intune/fundamentals/users-add#types-of-administrators)**.
-
-1. Go to the Azure portal ([https://portal.azure.com](https://portal.azure.com)) and sign in.
-
-2. Under **Azure Services**, choose **Intune**.
-
-3. In the navigation pane on the left, choose **Device configuration**, and then, under **Manage**, choose **Profiles**.
-
-4. Select an existing profile, or create a new one.
-
-> [!TIP]
-> Need help? See **[Using Microsoft Defender for Endpoint with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
-
-## Configure Microsoft Defender for Endpoint with Intune
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect) |
-|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
-|**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint ](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
-|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
-|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.
*Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.* |[Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
[Device restrictions: Microsoft Defender SmartScreen](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen)
[Policy settings for managing SmartScreen in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings) |
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Endpoint protection: Microsoft Defender Firewall](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall)
[Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)
[BitLocker for Windows 10 devices](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard)
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
-|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices
*Microsoft Defender Application Control is also referred to as [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
[Endpoint protection: Microsoft Defender Application Control](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)
[AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
deleted file mode 100644
index 9280a33aee..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe
-description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> [!NOTE]
-> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction).
-> - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-> - [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-> - [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
-
-You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-for-endpoint-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
-
-> [!IMPORTANT]
-> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
-
-## Configure Microsoft Defender for Endpoint with PowerShell
-
-You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage Microsoft Defender Antivirus**
*View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.* |[Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
[Use PowerShell cmdlets to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-powershell-cmdlets-to-enable-cloud-delivered-protection) |
-|**Configure exploit protection** to mitigate threats on your organization's devices
*We recommend using exploit protection in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection#powershell) at first. That way, you can see how exploit protection affects apps your organization is using.* | [Customize exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[PowerShell cmdlets for exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection#powershell-reference) |
-|**Configure attack surface reduction rules** with PowerShell
*You can use PowerShell to exclude files and folders from attack surface reduction rules.* |[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-powershell-to-exclude-files-and-folders)
Also, see [António Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI). |
-|**Enable Network Protection** with PowerShell
*You can use PowerShell to enable Network Protection.* |[Turn on Network Protection with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#powershell) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#powershell) |
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps&preserve-view=true) |
-
-## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
-
-WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](https://docs.microsoft.com/windows/win32/wmisdk/using-wmi).
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Enable cloud-delivered protection** on a device |[Use Windows Management Instruction (WMI) to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-windows-management-instruction-wmi-to-enable-cloud-delivered-protection) |
-|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
[Review the list of available WMI classes and example scripts](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
Also see the archived [Windows Defender WMIv2 Provider reference information](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) |
-
-
-## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
-
-On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage Microsoft Defender Antivirus** |[Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
deleted file mode 100644
index efb39aa306..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint post migration
-description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
-keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.topic: conceptual
-ms.date: 01/26/2021
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint, post migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
-
-The following table lists various tools/methods you can use, with links to learn more.
-
-
-|Tool/Method |Description |
-|---------|---------|
-|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.
See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
-|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
-|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
-|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
-
-## See also
-
-- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
deleted file mode 100644
index eba504af82..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: Review and approve remediation actions following automated investigations in the Microsoft Defender Security Center
-description: Review and approve (or reject) remediation actions following an automated investigation.
-keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.date: 12/15/2020
-ms.technology: mde
----
-
-# Review and approve remediation actions following an automated investigation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## Remediation actions
-
-When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-
-Depending on
-
-- the type of threat,
-- the resulting verdict, and
-- how your organization's [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) are configured,
-
-remediation actions can occur automatically or only upon approval by your organization’s security operations team.
-
-Here are a few examples:
-
-- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).)
-
-- Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).)
-
-- Example 3: Tailspin Toys has their device groups set to **No automated response** (not recommended). In this case, automated investigations do not occur. No remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups))
-
-Whether taken automatically or upon approval, an automated investigation can result in one or more of the remediation actions:
-- Quarantine a file
-- Remove a registry key
-- Kill a process
-- Stop a service
-- Disable a driver
-- Remove a scheduled task
-
-### Automated investigation results and remediation actions
-
-The following table summarizes remediation actions, how automation level settings affect whether actions are taken automatically or upon approval, and what to do.
-
-|Device group setting | Automated investigation results | What to do |
-|:---|:---|:---|
-|**Full - remediate threats automatically** (the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.
Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
-|**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.
If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions).|
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.
If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) |
-|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.
No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) |
-|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
-
-In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
-
-> [!TIP]
-> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
-
-
-## Review pending actions
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-
-2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
-
-3. Review any items on the **Pending** tab.
-
-4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions.
-
- Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can select the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations.
-
-## Review completed actions
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-
-2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
-
-3. Select the **History** tab. (If need be, expand the time period to display more data.)
-
-4. Select an item to view more details about that remediation action.
-
-## Undo completed actions
-
-If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
-
-| Action source | Supported Actions |
-|:---|:---|
-| - Automated investigation
- Microsoft Defender Antivirus
- Manual response actions | - Isolate device
- Restrict code execution
- Quarantine a file
- Remove a registry key
- Stop a service
- Disable a driver
- Remove a scheduled task |
-
-### To undo multiple actions at one time
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-
-2. On the **History** tab, select the actions that you want to undo.
-
-3. In the pane on the right side of the screen, select **Undo**.
-
-### To remove a file from quarantine across multiple devices
-
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-
-2. On the **History** tab, select a file that has the Action type **Quarantine file**.
-
- 
-
-3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
-
- 
-
-## Next steps
-
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
-
-- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
deleted file mode 100644
index a01e6d0c82..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Manage automation file uploads
-description: Enable content analysis and configure the file extension and email attachment extensions that will be submitted for analysis
-keywords: automation, file, uploads, content, analysis, file, extension, email, attachment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Manage automation file uploads
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
-
-Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
-
-Identify the files and email attachments by specifying the file extension names and email attachment extension names.
-
-For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
-
-## Add file extension names and attachment extension names.
-
-1. In the navigation pane, select **Settings** > **Automation file uploads**.
-
-2. Toggle the content analysis setting between **On** and **Off**.
-
-3. Configure the following extension names and separate extension names with a comma:
- - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
-
-
-## Related topics
-- [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
deleted file mode 100644
index ad0b7534bc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Manage automation folder exclusions
-description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
-keywords: manage, automation, exclusion, block, clean, malicious
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Manage automation folder exclusions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
-
-Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
-
-You can control the following attributes about the folder that you'd like to be skipped:
-- Folders
-- Extensions of the files
-- File names
-
-
-**Folders**
-You can specify a folder and its subfolders to be skipped.
-
-
->[!NOTE]
->At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
-
-
-**Extensions**
-You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
-
-**File names**
-You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
-
-
-
-## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-
-2. Click **New folder exclusion**.
-
-3. Enter the folder details:
-
- - Folder
- - Extensions
- - File names
- - Description
-
-
-4. Click **Save**.
-
->[!NOTE]
-> Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
-
-## Edit an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-
-2. Click **Edit** on the folder exclusion.
-
-3. Update the details of the rule and click **Save**.
-
-## Remove an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-2. Click **Remove exclusion**.
-
-
-## Related topics
-- [Manage automation allowed/blocked lists](manage-indicators.md)
-- [Manage automation file uploads](manage-automation-file-uploads.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
deleted file mode 100644
index e3078652a2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Manage endpoint detection and response capabilities
-ms.reviewer:
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Manage endpoint detection and response capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting.
-
-
-## In this section
-Topic | Description
-:---|:---
-[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center.
-[Devices list](machines-view-overview.md) | Learn how you can view and manage the devices list, manage device groups, and investigate device related alerts.
-[Take response actions](response-actions.md)| Take response actions on devices and files to quickly respond to detected attacks and contain threats.
-[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
deleted file mode 100644
index 8da70d0d7e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Manage Microsoft Defender ATP incidents
-description: Manage incidents by assigning it, updating its status, or setting its classification.
-keywords: incidents, manage, assign, status, classification, true alert, false alert
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Manage Microsoft Defender for Endpoint incidents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
-
-
-Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
-
-
-
-
-You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
-
-> [!TIP]
-> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
->
-> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
->
-> Incidents that existed prior the rollout of automatic incident naming will retain their names.
->
-
-
-
-
-## Assign incidents
-If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
-
-## Set status and classification
-### Incident status
-You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
-
-For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
-
-Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
-
-### Classification
-You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
-
-### Add comments
-You can add comments and view historical events about an incident to see previous changes made to it.
-
-Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
-
-Added comments instantly appear on the pane.
-
-
-
-## Related topics
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [View and organize the Incidents queue](view-incidents-queue.md)
-- [Investigate incidents](investigate-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
deleted file mode 100644
index b6cfdd2f4a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Create indicators
-ms.reviewer:
-description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create indicators
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
-
-Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to.
-
-Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
-
-**Cloud detection engine**
-The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
-
-**Endpoint prevention engine**
-The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run.
-
-**Automated investigation and remediation engine**
-The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
-
-
-The current supported actions are:
-- Allow
-- Alert only
-- Alert and block
-
-
-You can create an indicator for:
-- [Files](indicator-file.md)
-- [IP addresses, URLs/domains](indicator-ip-domain.md)
-- [Certificates](indicator-certificates.md)
-
-
->[!NOTE]
->There is a limit of 15,000 indicators per tenant.
-
-
-## Related topics
-
-- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-- [Use the Microsoft Defender for Endpoint indicators API](ti-indicator.md)
-- [Use partner integrated solutions](partner-applications.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
deleted file mode 100644
index 4c884b71f6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage Microsoft Defender Advanced Threat Protection suppression rules
-description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
-keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Manage suppression rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md).
-
-You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-
-
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
-
-2. Select a rule by clicking on the check-box beside the rule name.
-
-3. Click **Turn rule on**, **Edit rule**, or **Delete rule**. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless whether or not these alerts match the new criteria.
-
-
-## View details of a suppression rule
-
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
-
-2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
-
-## Related topics
-
-- [Manage alerts](manage-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
deleted file mode 100644
index 7fa475efba..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Overview of management and APIs
-ms.reviewer:
-description: Learn about the management tools and API categories in Microsoft Defender ATP
-keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Overview of management and APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Defender for Endpoint supports a wide variety of options to ensure that customers can easily adopt the platform.
-
-Acknowledging that customer environments and structures can vary, Defender for Endpoint was created with flexibility and granular control to fit varying customer requirements.
-
-## Endpoint onboarding and portal access
-
-Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management.
-
-Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
-- Globally distributed organizations and security teams
-- Tiered model security operations teams
-- Fully segregated divisions with single centralized global security operations teams
-
-## Available APIs
-The Microsoft Defender for Endpoint solution is built on top of an integration-ready platform.
-
-Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities.
-
-
-
-The Defender for Endpoint APIs can be grouped into three:
-- Microsoft Defender for Endpoint APIs
-- Raw data streaming API
-- SIEM integration
-
-## Microsoft Defender for Endpoint APIs
-
-Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
-
-Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
-
-The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see [Supported APIs](exposed-apis-list.md).
-
-The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
-
-## Raw data streaming API
-Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
-
-The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
-
-For more information, see [Raw data streaming API](raw-data-export.md).
-
-
-## SIEM API
-When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see [SIEM integration](enable-siem-integration.md).
-
-## Related topics
-- [Access the Microsoft Defender for Endpoint APIs ](apis-intro.md)
-- [Supported APIs](exposed-apis-list.md)
-- [Technical partner opportunities](partner-integration.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
deleted file mode 100644
index 9f65ae6e85..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Migrate from McAfee to Microsoft Defender for Endpoint
-description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-overview
-ms.topic: conceptual
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
-
-## The migration process
-
-When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-
-
-
-|Phase |Description |
-|--|--|
-|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
deleted file mode 100644
index f703c93219..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-McAfeemigrate
- - m365solution-scenario
-ms.custom: migrationguides
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall McAfee](#uninstall-mcafee).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall McAfee
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee.
-
-To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
deleted file mode 100644
index 8108d9e245..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-scenario
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 1: Prepare for your migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get and deploy updates across your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
-
-### Make sure your McAfee solution is up to date
-
-Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources:
-
-- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html)
-
-- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830)
-
-- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428)
-
-- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com))
-
-### Make sure your organization's devices are up to date
-
-Need help updating your organization's devices? See the following resources:
-
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
deleted file mode 100644
index d98440f9bd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ /dev/null
@@ -1,264 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-scenario
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
-4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
-
-This step of the migration process includes the following tasks:
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
-- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
-
-### Set DisableAntiSpyware to false on Windows Server
-
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
-
- - If you do see **DisableAntiSpyware**, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-> [!NOTE]
-> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
-> Example:
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
-
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to **1**.
-
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-### Enable Microsoft Defender Antivirus on your Windows client devices
-
-Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Confirm that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
-
-> [!TIP]
-> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
-
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add McAfee to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
-```kusto
-File(c:\\windows\\notepad.exe)
-| project Hash
-```
-> [!NOTE]
-> In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
deleted file mode 100644
index 0f3f29d7c0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Configure Microsoft Cloud App Security integration
-ms.reviewer:
-description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security.
-keywords: cloud, app, security, settings, integration, discovery, report
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure Microsoft Cloud App Security in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Cloud App Security integration.
-
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
-
-> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security.
-
-## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint
-
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
-2. Select **Microsoft Cloud App Security** and switch the toggle to **On**.
-3. Click **Save preferences**.
-
-Once activated, Microsoft Defender for Endpoint will immediately start forwarding discovery signals to Cloud App Security.
-
-## View the data collected
-
-To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/mde-integration#investigate-devices-in-cloud-app-security).
-
-
-For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
-
-If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1).
-
-## Related topic
-- [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
deleted file mode 100644
index e3851124d6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Microsoft Cloud App Security integration overview
-ms.reviewer:
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) integrates with Cloud App Security by forwarding all cloud app networking activities.
-keywords: cloud, app, networking, visibility, usage
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 10/18/2018
-ms.technology: mde
----
-
-# Microsoft Cloud App Security in Defender for Endpoint overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security).
-
->[!NOTE]
->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.
-
-## Microsoft Defender for Endpoint and Cloud App Security integration
-
-Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
-
-
-The integration provides the following major improvements to the existing Cloud App Security discovery:
-
-- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
-
-- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go.
-
-- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
-
-For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
-
-## Related topic
-
-- [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
deleted file mode 100644
index d3217034e2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-title: Microsoft Defender for Endpoint
-description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
-
-Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]
-
-Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
-
-
-- **Cloud security analytics**: Leveraging big-data, device-learning, and
- unique Microsoft optics across the Windows ecosystem,
- enterprise cloud products (such as Office 365), and online assets, behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
-
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Defender for Endpoint to identify attacker
- tools, techniques, and procedures, and generate alerts when they
- are observed in collected sensor data.
-
-
-Microsoft Defender for Endpoint
-
-
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
-
-> [!TIP]
-> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
-> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-
-
-**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
-
-
-**[Attack surface reduction](overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
-
-
-
-**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
-
-
-
-**[Endpoint detection and response](overview-endpoint-detection-response.md)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. [Advanced hunting](advanced-hunting-overview.md) provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
-
-
-
-**[Automated investigation and remediation](automated-investigations.md)**
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-
-
-
-**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
-
-Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
-
-
-
-**[Microsoft Threat Experts](microsoft-threat-experts.md)**
-Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
-
->[!IMPORTANT]
->Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-
-
-
-**[Integration with Microsoft solutions](threat-protection-integration.md)**
-Defender for Endpoint directly integrates with various Microsoft solutions, including:
-- Azure Security Center
-- Azure Sentinel
-- Intune
-- Microsoft Cloud App Security
-- Microsoft Defender for Identity
-- Microsoft Defender for Office
-- Skype for Business
-
-**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
-With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
-
-
-## Related topic
-[Microsoft Defender for Endpoint helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
deleted file mode 100644
index f6108d29ae..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Microsoft Defender ATP for Android
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for Android
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-This topic describes how to install, configure, update, and use Defender for Endpoint for Android.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for Android is likely to cause performance problems and unpredictable system errors.
-
-
-## How to install Microsoft Defender for Endpoint for Android
-
-### Prerequisites
-
-- **For end users**
-
- - Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
-
- - Intune Company Portal app can be downloaded from [Google
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and is available on the Android device.
-
- - Additionally, device(s) can be
- [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal)
- via the Intune Company Portal app to enforce Intune device compliance
- policies. This requires the end user to be assigned a Microsoft Intune license.
-
- - For more information on how to assign licenses, see [Assign licenses to
- users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
-
-
-- **For Administrators**
-
- - Access to the Microsoft Defender Security Center portal.
-
- > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint for Android related device compliance policies in Intune.
-
- - Access [Microsoft Endpoint Manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
- app to enrolled user groups in your organization.
-
-### System Requirements
-
-- Android devices running Android 6.0 and above.
-- Intune Company Portal app is downloaded from [Google
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and installed. Device enrollment is required for Intune device compliance policies to be enforced.
-
-### Installation instructions
-
-Microsoft Defender for Endpoint for Android supports installation on both modes of
-enrolled devices - the legacy Device Administrator and Android Enterprise modes.
-**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrolments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
-
-Deployment of Microsoft Defender for Endpoint for Android is via Microsoft Intune (MDM).
-For more information, see [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md).
-
-
-> [!NOTE]
-> **Microsoft Defender for Endpoint for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes.
-
-## How to Configure Microsoft Defender for Endpoint for Android
-
-Guidance on how to configure Microsoft Defender for Endpoint for Android features is available in [Configure Microsoft Defender for Endpoint for Android features](android-configure.md).
-
-
-
-## Related topics
-- [Deploy Microsoft Defender for Endpoint for with Microsoft Intune](android-intune.md)
-- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
deleted file mode 100644
index dcb323a464..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Microsoft Defender ATP for iOS overview
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for iOS
-keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for iOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
-iOS devices along with other platforms.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
-
-## Pre-requisites
-
-**For End Users**
-
-- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
-
-- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
-
-- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
-
-**For Administrators**
-
-- Access to the Microsoft Defender Security Center portal.
-
- > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
-
-- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
-
-**System Requirements**
-
-- iOS devices running iOS 11.0 and above.
-
-- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358).
-
-> [!NOTE]
-> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
-
-## Installation instructions
-
-Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
-For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
-
-## Resources
-
-- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
-
-- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com)
-
-## Next steps
-
-- [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md)
-- [Configure Microsoft Defender for Endpoint for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
deleted file mode 100644
index aa76048828..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-title: Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint for Linux.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint for Linux is likely to cause performance problems and unpredictable system errors.
-
-## How to install Microsoft Defender for Endpoint for Linux
-
-### Prerequisites
-
-- Access to the Microsoft Defender Security Center portal
-- Linux distribution using the [systemd](https://systemd.io/) system manager
-- Beginner-level experience in Linux and BASH scripting
-- Administrative privileges on the device (in case of manual deployment)
-
-### Installation instructions
-
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint for Linux.
-
-In general you need to take the following steps:
-
-- Ensure that you have a Microsoft Defender for Endpoint subscription, and that you have access to the [Microsoft Defender for Endpoint portal](microsoft-defender-security-center.md).
-- Deploy Microsoft Defender for Endpoint for Linux using one of the following deployment methods:
- - The command-line tool:
- - [Manual deployment](linux-install-manually.md)
- - Third-party management tools:
- - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
-
-If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint for Linux](linux-support-install.md).
-
-### System requirements
-
-- Supported Linux server distributions and versions:
-
- - Red Hat Enterprise Linux 7.2 or higher
- - CentOS 7.2 or higher
- - Ubuntu 16.04 LTS or higher LTS
- - Debian 9 or higher
- - SUSE Linux Enterprise Server 12 or higher
- - Oracle Linux 7.2 or higher
-
-- Minimum kernel version 3.10.0-327
-- The `fanotify` kernel option must be enabled
- > [!CAUTION]
- > Running Defender for Endpoint for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
-
-- Disk space: 1GB
-- The solution currently provides real-time protection for the following file system types:
-
- - `btrfs`
- - `ecryptfs`
- - `ext2`
- - `ext3`
- - `ext4`
- - `fuse`
- - `fuseblk`
- - `jfs`
- - `nfs`
- - `overlay`
- - `ramfs`
- - `reiserfs`
- - `tmpfs`
- - `udf`
- - `vfat`
- - `xfs`
-
-After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-- Audit framework (`auditd`) must be enabled.
- >[!NOTE]
- > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key.
-
-### Network connections
-
-The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
-
-|**Spreadsheet of domains list**|**Description**|
-|:-----|:-----|
-|
| Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
-
-> [!NOTE]
-> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-Defender for Endpoint can discover a proxy server by using the following discovery methods:
-- Transparent proxy
-- Manual static proxy configuration
-
-If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
-
-> [!WARNING]
-> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux](linux-support-connectivity.md).
-
-## How to update Microsoft Defender for Endpoint for Linux
-
-Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Linux, refer to [Deploy updates for Microsoft Defender for Endpoint for Linux](linux-updates.md).
-
-## How to configure Microsoft Defender for Endpoint for Linux
-
-Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md).
-
-## Resources
-
-- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
deleted file mode 100644
index 9766c422da..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ /dev/null
@@ -1,154 +0,0 @@
----
-title: Microsoft Defender ATP for Mac
-ms.reviewer:
-description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-This topic describes how to install, configure, update, and use Defender for Endpoint for Mac.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
-
-## What’s new in the latest release
-
-[What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md)
-
-[What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md)
-
-> [!TIP]
-> If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**.
-
-To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device.
-
-## How to install Microsoft Defender for Endpoint for Mac
-
-### Prerequisites
-
-- A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal
-- Beginner-level experience in macOS and BASH scripting
-- Administrative privileges on the device (in case of manual deployment)
-
-### Installation instructions
-
-There are several methods and deployment tools that you can use to install and configure Defender for Endpoint for Mac.
-
-- Third-party management tools:
- - [Microsoft Intune-based deployment](mac-install-with-intune.md)
- - [JAMF-based deployment](mac-install-with-jamf.md)
- - [Other MDM products](mac-install-with-other-mdm.md)
-
-- Command-line tool:
- - [Manual deployment](mac-install-manually.md)
-
-### System requirements
-
-The three most recent major releases of macOS are supported.
-
-> [!IMPORTANT]
-> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
-
-> [!IMPORTANT]
-> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
-
-- 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
-- Disk space: 1GB
-
-Beta versions of macOS are not supported.
-
-After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-### Licensing requirements
-
-Microsoft Defender for Endpoint for Mac requires one of the following Microsoft Volume Licensing offers:
-
-- Microsoft 365 E5 (M365 E5)
-- Microsoft 365 E5 Security
-- Microsoft 365 A5 (M365 A5)
-
-> [!NOTE]
-> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices.
-> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
-
-### Network connections
-
-The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-
-
-
-|**Spreadsheet of domains list**|**Description**|
-|:-----|:-----|
-|
| Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
Download the spreadsheet here: [mdatp-urls.xlsx](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx).
-
-Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:
-- Proxy autoconfig (PAC)
-- Web Proxy Autodiscovery Protocol (WPAD)
-- Manual static proxy configuration
-
-If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
-
-> [!WARNING]
-> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
-
-If you prefer the command line, you can also check the connection by running the following command in Terminal:
-
-```bash
-curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to the following:
-
- `OK https://x.cp.wd.microsoft.com/api/report`
-
- `OK https://cdn.x.cp.wd.microsoft.com/ping`
-
-> [!CAUTION]
-> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
-
-Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
-```bash
-mdatp connectivity test
-```
-
-## How to update Microsoft Defender for Endpoint for Mac
-
-Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
-
-## How to configure Microsoft Defender for Endpoint for Mac
-
-Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
-
-## macOS kernel and system extensions
-
-In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. For relevant details, see [What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md).
-
-## Resources
-
-- For more information about logging, uninstalling, or other topics, see [Resources for Microsoft Defender for Endpoint for Mac](mac-resources.md).
-
-- [Privacy for Microsoft Defender for Endpoint for Mac](mac-privacy.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
deleted file mode 100644
index 87fcc676b4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Microsoft Defender Security Center
-description: Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection.
-keywords: windows, defender, security, center, defender, advanced, threat, protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
-
-## In this section
-
-Topic | Description
-:---|:---
-Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
-[Onboard devices](onboard-configure.md) | Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
-[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
-Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats.
-API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.
-Reporting | Create and build Power BI reports using Microsoft Defender for Endpoint data.
-Check service health and sensor state | Verify that the service is running and check the sensor state on devices.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
-[Access the Microsoft Defender for Endpoint Community Center](community.md) | Access the Microsoft Defender for Endpoint Community Center to learn, collaborate, and share experiences about the product.
-[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender for Endpoint service.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
deleted file mode 100644
index 12ad2b50bc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Microsoft Threat Experts
-ms.reviewer:
-description: Microsoft Threat Experts provides an additional layer of expertise to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts
-search.product: Windows 10
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Threat Experts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
-
-This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
-
-Watch this video for a quick overview of Microsoft Threat Experts.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B]
-
-
-## Before you begin
-> [!NOTE]
-> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
-
-Microsoft Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
-
-## Targeted attack notification
-Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes:
-- Threat monitoring and analysis, reducing dwell time and risk to the business
-- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
-- Identifying the most important risks, helping SOCs maximize time and energy
-- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.
-
-## Collaborate with experts, on demand
-Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
-
-- Get additional clarification on alerts including root cause or scope of the incident
-- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker
-- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
-- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary
-
-The option to **Consult a threat expert** is available in several places in the portal so you can engage with experts in the context of your investigation:
-
-- **Help and support menu**
-
-
-- **Device page actions menu**
-
-
-- **Alerts page actions menu**
-
-
-- **File page actions menu**
-
-
-> [!NOTE]
-> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
-
-Watch this video for a quick overview of the Microsoft Services Hub.
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
-
-
-## Related topic
-- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
deleted file mode 100644
index 5b18b5bad9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Migration guides to make the switch to Microsoft Defender for Endpoint
-description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint
-search.appverid: MET150
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-audience: ITPro
-ms.topic: conceptual
-ms.prod: m365-security
-ms.localizationpriority: medium
-ms.collection:
- - M365-security-compliance
- - m365solution-scenario
-ms.custom: migrationguides
-ms.reviewer: chriggs, depicker, yongrhee
-f1.keywords: NOCSH
-ms.date: 09/24/2020
-ms.technology: mde
----
-
-# Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## Migration guides
-
-If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
-
-|Scenario |Guidance |
-|:--|:--|
-|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
-|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
-|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
-|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) |
-|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
-|You've migrated to Microsoft Defender for Endpoint & Microsoft Defender Antivirus, and you need help with next steps, such as configuring additional features or fine-tuning your security settings. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
-
-
-## Got feedback?
-
-Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
-
-## See also
-
-- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection)
-- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
-- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
deleted file mode 100644
index f7623205a3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ /dev/null
@@ -1,216 +0,0 @@
----
-title: Minimum requirements for Microsoft Defender for Endpoint
-description: Understand the licensing requirements and requirements for onboarding devices to the service
-keywords: minimum requirements, licensing, comparison table
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Minimum requirements for Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
-
-> [!TIP]
-> - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
-> - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-## Licensing requirements
-Microsoft Defender for Endpoint requires one of the following Microsoft volume licensing offers:
-
-- Windows 10 Enterprise E5
-- Windows 10 Education A5
-- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-- Microsoft 365 A5 (M365 A5)
-- Microsoft 365 E5 Security
-- Microsoft 365 A5 Security
-- Microsoft Defender for Endpoint
-
-> [!NOTE]
-> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices.
-> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP).
-
-Microsoft Defender for Endpoint for servers requires one of the following licensing options:
-
-- [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing)
-- Microsoft Defender for Endpoint for Server (one per covered server)
-
-> [!NOTE]
-> Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses:
->
-> * Microsoft Defender for Endpoint
-> * Windows E5/A5
-> * Microsoft 365 E5/A5
-> * Microsoft 365 E5/A5 Security
-
-For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions.
-
-For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
-
-For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf).
-
-## Browser requirements
-Access to Defender for Endpoint is done through a browser, supporting the following browsers:
-
-- Microsoft Edge
-- Internet Explorer version 11
-- Google Chrome
-
-> [!NOTE]
-> While other browsers might work, the mentioned browsers are the ones supported.
-
-
-## Hardware and software requirements
-
-### Supported Windows versions
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
-- Windows 8.1 Enterprise
-- Windows 8.1 Pro
-- Windows 10 Enterprise
-- [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows server
- - Windows Server 2008 R2 SP1
- - Windows Server 2012 R2
- - Windows Server 2016
- - Windows Server, version 1803 or later
- - Windows Server 2019
-- Windows Virtual Desktop
-
-Devices on your network must be running one of these editions.
-
-The hardware requirements for Defender for Endpoint on devices are the same for the supported editions.
-
-> [!NOTE]
-> Machines running mobile versions of Windows are not supported.
->
-> Virtual Machines running Windows 10 Enterprise 2016 LTSB (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
->
-> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later.
-
-
-### Other supported operating systems
-- Android
-- Linux
-- macOS
-
-> [!NOTE]
-> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Defender for Endpoint for the integration to work.
-
-
-
-### Network and data storage and configuration requirements
-When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
-
-> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
-
-
-### Diagnostic data settings
-
-> [!NOTE]
-> Microsoft Defender for Endpoint doesn't require any specific diagnostic level as long as it's enabled.
-
-Make sure that the diagnostic data service is enabled on all the devices in your organization.
-By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
-
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
-
-1. Open an elevated command-line prompt on the device:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```console
- sc qc diagtrack
- ```
-
- If the service is enabled, then the result should look like the following screenshot:
-
- 
-
-
-You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.
-
-
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```console
- sc config diagtrack start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```console
- sc qc diagtrack
- ```
-
-
-#### Internet connectivity
-Internet connectivity on devices is required either directly or through proxy.
-
-The Defender for Endpoint sensor can utilize a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
-
-For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
-
-Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-
-
-## Microsoft Defender Antivirus configuration requirement
-The Defender for Endpoint agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
-
-Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-
-When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode.
-
-If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-> [!NOTE]
-> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-
-
-## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
-
-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
-
-
-## Related topics
-- [Validate licensing and complete setup](licensing.md)
-- [Onboard devices](onboard-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
deleted file mode 100644
index 31f6d2de46..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Supported managed security service providers
-description: See the list of MSSPs that Microsoft Defender ATP integrates with
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Supported managed security service providers
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Logo |Partner name | Description
-:---|:---|:---
-| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
-| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender for Endpoint provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
-| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
-| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
-| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
-| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability
-| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days
-| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
-| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
-| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
-| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
-| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Defender for Endpoint
-| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Defender for Endpoint service for monitoring & response
-| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
-
-## Related topics
-- [Configure managed service security provider integration](configure-mssp-support.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
deleted file mode 100644
index a1e10a6e12..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Managed security service provider (MSSP) partnership opportunities
-description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP)
-keywords: mssp, integration, managed, security, service, provider
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Managed security service provider partnership opportunities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
-
-
-To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Defender for Endpoint.
-
-
-Defender for Endpoint adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
-
-- Get access to MSSP customer's Microsoft Defender Security Center portal
-- Get email notifications, and
-- Fetch alerts through security information and event management (SIEM) tools
-
-
-## Related topic
-- [Configure managed security service provider integration](configure-mssp-support.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
deleted file mode 100644
index 29ed5acfbf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Use network protection to help prevent connections to bad sites
-description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
-keywords: Network protection, exploits, malicious website, ip, domain, domains
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
----
-
-# Protect your network
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-
-Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-
-Network protection is supported beginning with Windows 10, version 1709.
-
-For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
-
-> [!TIP]
-> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-Network protection works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-
-You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled.
-
-## Requirements
-
-Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
-
-| Windows 10 version | Microsoft Defender Antivirus |
-|:---|:---|
-| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled |
-
-After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints.
-
-- .smartscreen.microsoft.com
-- .smartscreen-prod.microsoft.com
-
-## Review network protection events in the Microsoft Defender for Endpoint Security Center
-
-Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
-
-Here is an example query
-
-```kusto
-DeviceEvents
-| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
-```
-
-## Review network protection events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
-
-1. [Copy the XML directly](event-views.md).
-
-2. Select **OK**.
-
-3. This will create a custom view that filters to only show the following events related to network protection:
-
- | Event ID | Description |
- |:---|:---|
- | 5007 | Event when settings are changed |
- | 1125 | Event when network protection fires in audit mode |
- | 1126 | Event when network protection fires in block mode |
-
-## Related articles
-
-- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
-
-- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
deleted file mode 100644
index 5cf235d1a4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Threat and vulnerability management
-description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: overview
-ms.technology: mde
----
-
-# Threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-
-Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-
-Watch this video for a quick overview of threat and vulnerability management.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
-
-## Bridging the workflow gaps
-
-Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
-
-Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
-
-### Real-time discovery
-
-To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Defender for Endpoint sensors to reduce cumbersome network scans and IT overhead.
-
-It also provides:
-
-- **Real-time device inventory** - Devices onboarded to Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard.
-- **Visibility into software and vulnerabilities** - Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
-- **Application runtime context** - Visibility on application usage patterns for better prioritization and decision-making.
-- **Configuration posture** - Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
-
-### Intelligence-driven prioritization
-
-Threat and vulnerability management helps customers prioritize and focus on the weaknesses that pose the most urgent and the highest risk to the organization. It fuses security recommendations with dynamic threat and business context:
-
-- **Exposing emerging attacks in the wild** - Dynamically aligns the prioritization of security recommendations. Threat and vulnerability management focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
-- **Pinpointing active breaches** - Correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
-- **Protecting high-value assets** - Identify the exposed devices with business-critical applications, confidential data, or high-value users.
-
-### Seamless remediation
-
-Threat and vulnerability management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-
-- **Remediation requests sent to IT** - Create a remediation task in Microsoft Intune from a specific security recommendation. We plan to expand this capability to other IT security management platforms.
-- **Alternate mitigations** - Gain insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
-- **Real-time remediation status** - Real-time monitoring of the status and progress of remediation activities across the organization.
-
-## Threat and vulnerability management walk-through
-
-Watch this video for a comprehensive walk-through of threat and vulnerability management.
-
->[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
-
-## Navigation pane
-
-Area | Description
-:---|:---
-**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
-[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.
-[**Remediation**](tvm-remediation.md) | See remediation activities you've created and recommendation exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of vulnerable software in your organization, along with weakness and threat information.
-[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures (CVEs) in your organization.
-[**Event timeline**](threat-and-vuln-mgt-event-timeline.md) | View events that may impact your organization's risk.
-
-## APIs
-
-Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-
-See the following articles for related APIs:
-
-- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
-- [Machine APIs](machine.md)
-- [Recommendation APIs](vulnerability.md)
-- [Score APIs](score.md)
-- [Software APIs](software.md)
-- [Vulnerability APIs](vulnerability.md)
-- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
-
-## See also
-
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
deleted file mode 100644
index 0b951d8070..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Microsoft Defender ATP for non-Windows platforms
-description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms
-keywords: non windows, mac, macos, linux, android
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-evalutatemtp
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint for non-Windows platforms
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Microsoft has been on a journey to extend its industry leading endpoint security
-capabilities beyond Windows and Windows Server to macOS, Linux, Android, and
-soon iOS.
-
-Organizations face threats across a variety of platforms and devices. Our teams
-have committed to building security solutions not just *for* Microsoft, but also
-*from* Microsoft to enable our customers to protect and secure their
-heterogenous environments. We're listening to customer feedback and partnering
-closely with our customers to build solutions that meet their needs.
-
-With Microsoft Defender for Endpoint, customers benefit from a unified view of all
-threats and alerts in the Microsoft Defender Security Center, across Windows and
-non-Windows platforms, enabling them to get a full picture of what's happening
-in their environment, which empowers them to more quickly assess and respond to
-threats.
-
-## Microsoft Defender for Endpoint on macOS
-
-Microsoft Defender for Endpoint on macOS offers antivirus and endpoint detection and response (EDR) capabilities for the three
-latest released versions of macOS. Customers can deploy and manage the solution
-through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
-applications on macOS, Microsoft Auto Update is used to manage Microsoft
-Defender for Endpoint on Mac updates. For information about the key features and
-benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
-
-For more details on how to get started, visit the Defender for Endpoint on macOS
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
-
-## Microsoft Defender for Endpoint on Linux
-
-Microsoft Defender for Endpoint on Linux offers preventative (AV) capabilities for Linux
-servers. This includes a full command line experience to configure and manage
-the agent, initiate scans, and manage threats. We support recent versions of the
-six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
-16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
-Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or
-using your existing Linux configuration management tool. For information about
-the key features and benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
-
-For more details on how to get started, visit the Microsoft Defender for Endpoint on
-Linux
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
-
-## Microsoft Defender for Endpoint on Android
-
-Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
-devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
-and Device Administrator modes are supported. On Android, we offer web
-protection, which includes anti-phishing, blocking of unsafe connections, and
-setting of custom indicators. The solution scans for malware and potentially
-unwanted applications (PUA) and offers additional breach prevention capabilities
-through integration with Microsoft Endpoint Manager and Conditional Access. For
-information about the key features and benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
-
-For more details on how to get started, visit the Microsoft Defender for Endpoint on
-Android
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
-
-## Microsoft Defender for Endpoint on iOS
-
-Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
-running iOS 11.0 and higher. Both Supervised and Unsupervised devices are supported.
-On iOS, we offer web protection which includes anti-phishing, blocking unsafe connections, and
-setting custom indicators. For more information about the key features and benefits,
-read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
-
-For more details on how to get started, visit the Microsoft Defender for Endpoint
-on iOS [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios).
-
-## Licensing requirements
-
-Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent
-devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud
-Solution Provider (CSP).
-
-Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone
-Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
-Security.
-
-Recently announced capabilities of Microsoft Defender for Endpoint for Android and iOS
-are included in the above mentioned offers as part of the five qualified
-devices for eligible licensed users.
-
-Defender for Endpoint on Linux is available through the Defender for Endpoint
-Server SKU that is available for both commercial and education customers.
-
-Please contact your account team or CSP for pricing and additional eligibility
-requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
deleted file mode 100644
index df8552d5a9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Offboard machine API
-description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP).
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Offboard machine API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Offboard device from Defender for Endpoint.
-
-
-## Limitations
- - Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Machine actions note](../../includes/machineactionsnote.md)]
-
->[!Note]
-> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
-> This API is not supported on MacOS or Linux devices.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Offboard | 'Offboard machine'
-Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to 'Global Admin' AD role
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
-```
-
-```json
-{
- "Comment": "Offboard machine by automation"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
deleted file mode 100644
index b34544a337..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Offboard devices from the Microsoft Defender ATP service
-description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender ATP service
-keywords: offboarding, microsoft defender advanced threat protection offboarding, windows atp offboarding
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Offboard devices from the Microsoft Defender for Endpoint service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- macOS
-- Linux
-- Windows Server 2012 R2
-- Windows Server 2016
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink)
-
-Follow the corresponding instructions depending on your preferred deployment method.
-
-## Offboard Windows 10 devices
-- [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script)
-- [Offboard devices using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy)
-- [Offboard devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools)
-
-## Offboard Servers
-- [Offboard servers](configure-server-endpoints.md#offboard-windows-servers)
-
-## Offboard non-Windows devices
-- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
-
->[!NOTE]
-> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
-> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md)
-> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state) or by [device tags](machine-tags.md) and [groups](machine-groups.md) etc.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
deleted file mode 100644
index 5e9181a051..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Onboard devices to the Microsoft Defender ATP service
-description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test.
-keywords: onboarding, microsoft defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Onboard devices to the Microsoft Defender for Endpoint service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
-
-In general, to onboard devices to the service:
-
-- Verify that the device fulfills the [minimum requirements](minimum-requirements.md)
-- Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
-- Use the appropriate management tool and deployment method for your devices
-- Run a detection test to verify that the devices are properly onboarded and reporting to the service
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
-
-## Onboarding tool options
-The following table lists the available tools based on the endpoint that you need to onboard.
-
-| Endpoint | Tool options |
-|--------------|------------------------------------------|
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md) |
-| **macOS** | [Local scripts](mac-install-manually.md)
[Microsoft Endpoint Manager](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
-
-
-
-## In this section
-Topic | Description
-:---|:---
-[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Defender for Endpoint.
-[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Defender for Endpoint service. Learn about the tools and methods you can use to configure devices in your enterprise.
-[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Defender for Endpoint
-[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
-[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
-[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Defender for Endpoint cloud service by configuring the proxy and Internet connectivity settings.
-[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding.
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
deleted file mode 100644
index bb6315accb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Onboard previous versions of Windows on Microsoft Defender ATP
-description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Onboard previous versions of Windows
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
-- Windows 8.1 Pro
-- Windows 8.1 Enterprise
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
->Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
-
-Defender for Endpoint extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
-
-To onboard down-level Windows client endpoints to Defender for Endpoint, you'll need to:
-- Configure and update System Center Endpoint Protection clients.
-- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Defender for Endpoint as instructed below.
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
-
-## Configure and update System Center Endpoint Protection clients
-> [!IMPORTANT]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP).
-
-Defender for Endpoint integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-- Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
-
-## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint
-
-### Before you begin
-Review the following details to verify minimum system requirements:
-- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
- > [!NOTE]
- > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
-
-- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-
-- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
- > [!NOTE]
- > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- > Don't install .NET Framework 4.0.x, since it will negate the above installation.
-
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
-
-
-
-1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
-
-2. Obtain the workspace ID:
- - In the Defender for Endpoint navigation pane, select **Settings > Device management > Onboarding**
- - Select **Windows 7 SP1 and 8.1** as the operating system
- - Copy the workspace ID and workspace key
-
-3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
- On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
- - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
-
- > [!NOTE]
- > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
-
-4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-### Configure proxy and Internet connectivity settings
-
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Defender for Endpoint service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-## Offboard client endpoints
-To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint.
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
deleted file mode 100644
index eefffe4525..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Onboard devices without Internet access to Microsoft Defender for Endpoint
-ms.reviewer:
-description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Onboard devices without Internet access to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-To onboard devices without Internet access, you'll need to take the following general steps:
-
-> [!IMPORTANT]
-> The steps below are applicable only to devices running previous versions of Windows such as:
-Windows Server 2016 and earlier or Windows 8.1 and earlier.
-
-> [!NOTE]
-> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 devices when configured via 'TelemetryProxyServer' registry or GPO.
-> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
-> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
-> - For more information about updating CTLs offline, see [Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files).
-
-For more information about onboarding methods, see the following articles:
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
-- [Onboard servers to the Microsoft Defender for Endpoint service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
-- [Configure device proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
-
-## On-premise devices
-
-- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID
-
-- Offline devices in the same network of Azure Log Analytics
- - Configure MMA to point to:
- - Azure Log Analytics IP as a proxy
- - Defender for Endpoint workspace key & ID
-
-## Azure virtual machines
-- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
-
- - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID
- - Offline Azure VMs in the same network of OMS Gateway
- - Configure Azure Log Analytics IP as a proxy
- - Azure Log Analytics Workspace Key & ID
-
- - Azure Security Center (ASC)
- - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
- - [Threat Detection \> Allow Defender for Endpoint to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
-
- For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
deleted file mode 100644
index 8c0015c6fc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Configure and manage Microsoft Defender ATP capabilities
-ms.reviewer:
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, and next-generation protection
-keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Configure and manage Microsoft Defender for Endpoint capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Configure and manage all the Defender for Endpoint capabilities to get the best security protection for your organization.
-
-
-## In this section
-Topic | Description
-:---|:---
-[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
-[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Defender for Endpoint.
-[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others.
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
deleted file mode 100644
index aad57b1401..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
+++ /dev/null
@@ -1,405 +0,0 @@
----
-title: Onboarding using Microsoft Endpoint Configuration Manager
-description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager
-keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint configuration manager
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-endpointprotect
- - m365solution-scenario
-ms.topic: article
-ms.technology: mde
----
-
-# Onboarding using Microsoft Endpoint Configuration Manager
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
-This article is part of the Deployment guide and acts as an example onboarding method.
-
-In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture.
-
-
-*Diagram of environment architectures*
-
-
-While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md).
-
-
-
-This topic guides users in:
-- Step 1: Onboarding Windows devices to the service
-- Step 2: Configuring Defender for Endpoint capabilities
-
-This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Configuration Manager:
-- **Creating a collection in Microsoft Endpoint Configuration Manager**
-- **Configuring Microsoft Defender for Endpoint capabilities using Microsoft Endpoint Configuration Manager**
-
->[!NOTE]
->Only Windows devices are covered in this example deployment.
-
-
-
-
-## Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager
-
-### Collection creation
-To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
-deployment can target an existing collection or a new collection can be
-created for testing.
-
-Onboarding using tools such as Group policy or manual method does not install any agent on the system.
-
-Within the Microsoft Endpoint Configuration Manager console
-the onboarding process will be configured as part of the compliance settings
-within the console.
-
-Any system that receives this required configuration will
-maintain that configuration for as long as the Configuration Manager client
-continues to receive this policy from the management point.
-
-Follow the steps below to onboard endpoints using Microsoft Endpoint Configuration Manager.
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
-
- 
-
-2. Right Click **Device Collection** and select **Create Device Collection**.
-
- 
-
-3. Provide a **Name** and **Limiting Collection**, then select **Next**.
-
- 
-
-4. Select **Add Rule** and choose **Query Rule**.
-
- 
-
-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
-
- 
-
-6. Select **Criteria** and then choose the star icon.
-
- 
-
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
-
- 
-
-8. Select **Next** and **Close**.
-
- 
-
-9. Select **Next**.
-
- 
-
-After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
-
-
-## Step 2: Configure Microsoft Defender for Endpoint capabilities
-This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices:
-
-- [**Endpoint detection and response**](#endpoint-detection-and-response)
-- [**Next-generation protection**](#next-generation-protection)
-- [**Attack surface reduction**](#attack-surface-reduction)
-
-
-### Endpoint detection and response
-#### Windows 10
-From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
-
-1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-
-
-
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
-
- 
-
-3. Select **Download package**.
-
- 
-
-4. Save the package to an accessible location.
-5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
-
-6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
-
- 
-
-7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
-
- 
-
-8. Click **Browse**.
-
-9. Navigate to the location of the downloaded file from step 4 above.
-
-10. Click **Next**.
-11. Configure the Agent with the appropriate samples (**None** or **All file types**).
-
- 
-
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Close** when the Wizard completes.
-
-16. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**.
-
- 
-
-17. On the right panel, select the previously created collection and click **OK**.
-
- 
-
-
-#### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
-
-1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
-
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
-
-3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-
- 
-
-4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating
- Systems:
-
- - Server SKUs: Windows Server 2008 SP1 or Newer
-
- - Client SKUs: Windows 7 SP1 and later
-
- The MMA agent will need to be installed on Windows devices. To install the
- agent, some systems will need to download the [Update for customer experience
- and diagnostic
- telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- in order to collect the data with MMA. These system versions include but may not
- be limited to:
-
- - Windows 8.1
-
- - Windows 7
-
- - Windows Server 2016
-
- - Windows Server 2012 R2
-
- - Windows Server 2008 R2
-
- Specifically, for Windows 7 SP1, the following patches must be installed:
-
- - Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
- - Install either [.NET Framework
- 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-### Next generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
-
- 
-
-2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
-
- 
-
- In certain industries or some select enterprise customers might have specific
-needs on how Antivirus is configured.
-
-
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
-
- For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
-
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
-3. Right-click on the newly created antimalware policy and select **Deploy**.
-
- 
-
-4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured Windows
-Defender Antivirus.
-
-### Attack surface reduction
-The attack surface reduction pillar of Defender for Endpoint includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
-Protection.
-
-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
-
-To set ASR rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-
-2. Select **Attack Surface Reduction**.
-
-
-3. Set rules to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
-
- 
-
-
-5. Once the policy is created click **Close**.
-
- 
-
-
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured ASR rules in audit mode.
-
-Below are additional steps to verify whether ASR rules are correctly applied to
-endpoints. (This may take few minutes)
-
-
-1. From a web browser, navigate to
-> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add).
-
-### Create a group
-
-1. Open the MEM portal.
-
-2. Open **Groups > New Group**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-3. Enter details and create a new group.
-
- > [!div class="mx-imgBorder"]
- > 
-
-4. Add your test user or device.
-
-5. From the **Groups > All groups** pane, open your new group.
-
-6. Select **Members > Add members**.
-
-7. Find your test user or device and select it.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. Your testing group now has a member to test.
-
-## Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities
-In the following section, you'll create a number of configuration policies.
-
-First is a configuration policy to select which groups of users or devices will
-be onboarded to Defender for Endpoint:
-
-- [Endpoint detection and response](#endpoint-detection-and-response)
-
-Then you will continue by creating several
-different types of endpoint security policies:
-
-- [Next-generation protection](#next-generation-protection)
-- [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules)
-
-### Endpoint detection and response
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Endpoint detection and response**. Click
- on **Create Profile**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection
- and response > Create**.
-
-4. Enter a name and description, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. Select settings as required, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
- > [!NOTE]
- > In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender for Endpoint in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
- >
- > The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune:
- >
- > 
-
-6. Add scope tags if necessary, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. Review and accept, then select **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. You can view your completed policy.
-
- > [!div class="mx-imgBorder"]
- > 
-
-### Next-generation protection
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Antivirus > Create Policy**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft
- Defender Antivirus > Create**.
-
-4. Enter name and description, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. In the **Configuration settings page**: Set the configurations you require for
- Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time
- Protection, and Remediation).
-
- > [!div class="mx-imgBorder"]
- > 
-
-6. Add scope tags if necessary, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Select groups to include, assign to your test group, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. Review and create, then select **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. You'll see the configuration policy you created.
-
- > [!div class="mx-imgBorder"]
- > 
-
-### Attack Surface Reduction – Attack surface reduction rules
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Attack surface reduction**.
-
-3. Select **Create Policy**.
-
-4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
- rules > Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. Enter a name and description, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-6. In the **Configuration settings page**: Set the configurations you require for
- Attack surface reduction rules, then select **Next**.
-
- > [!NOTE]
- > We will be configuring all of the Attack surface reduction rules to Audit.
- >
- > For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Add Scope Tags as required, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. Select groups to include and assign to test group, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. Review the details, then select **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-10. View the policy.
-
- > [!div class="mx-imgBorder"]
- > 
-
-### Attack Surface Reduction – Web Protection
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Attack surface reduction**.
-
-3. Select **Create Policy**.
-
-4. Select **Windows 10 and Later – Web protection > Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. Enter a name and description, then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-6. In the **Configuration settings page**: Set the configurations you require for
- Web Protection, then select **Next**.
-
- > [!NOTE]
- > We are configuring Web Protection to Block.
- >
- > For more information, see [Web Protection](web-protection-overview.md).
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Add **Scope Tags as required > Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. Select **Assign to test group > Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. Select **Review and Create > Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-10. View the policy.
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Validate configuration settings
-
-
-### Confirm Policies have been applied
-
-
-Once the Configuration policy has been assigned, it will take some time to apply.
-
-For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
-
-1. Open the MEM portal and navigate to the relevant policy as shown in the
- steps above. The following example shows the next generation protection settings.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox)
-
-2. Select the **Configuration Policy** to view the policy status.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox)
-
-3. Select **Device Status** to see the status.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox)
-
-4. Select **User Status** to see the status.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/4e965749ff71178af8873bc91f9fe525.png#lightbox)
-
-5. Select **Per-setting status** to see the status.
-
- >[!TIP]
- >This view is very useful to identify any settings that conflict with another policy.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox)
-
-### Endpoint detection and response
-
-
-1. Before applying the configuration, the Defender for Endpoint
- Protection service should not be started.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox)
-
-2. After the configuration has been applied, the Defender for Endpoint
- Protection Service should be started.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/a621b699899f1b41db211170074ea59e.png#lightbox)
-
-3. After the services are running on the device, the device appears in Microsoft
- Defender Security Center.
-
- > [!div class="mx-imgBorder"]
- > [  ](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox)
-
-### Next-generation protection
-
-1. Before applying the policy on a test device, you should be able to manually
- manage the settings as shown below.
-
- > [!div class="mx-imgBorder"]
- > 
-
-2. After the policy has been applied, you should not be able to manually manage
- the settings.
-
- > [!NOTE]
- > In the following image **Turn on cloud-delivered protection** and
- > **Turn on real-time protection** are being shown as managed.
-
- > [!div class="mx-imgBorder"]
- > 
-
-### Attack Surface Reduction – Attack surface reduction rules
-
-
-1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
-
-2. This should respond with the following lines with no content:
-
- > AttackSurfaceReductionOnlyExclusions:
- >
- > AttackSurfaceReductionRules_Actions:
- >
- > AttackSurfaceReductionRules_Ids:
-
- 
-
-3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
-
-4. This should respond with the following lines with content as shown below:
-
- 
-
-### Attack Surface Reduction – Web Protection
-
-1. On the test device, open a PowerShell Windows and type
- `(Get-MpPreference).EnableNetworkProtection`.
-
-2. This should respond with a 0 as shown below.
-
- 
-
-3. After applying the policy, open a PowerShell Windows and type
- `(Get-MpPreference).EnableNetworkProtection`.
-
-4. This should respond with a 1 as shown below.
-
- 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
deleted file mode 100644
index 7c5d617346..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title: Create an onboarding or offboarding notification rule
-description: Get a notification when a local onboarding or offboarding script is used.
-keywords: onboarding, offboarding, local, script, notification, rule
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create a notification rule when a local onboarding or offboarding script is used
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified.
-
-## Before you begin
-You'll need to have access to:
- - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/).
- - Azure Table or SharePoint List or Library / SQL DB
-
-## Create the notification flow
-
-1. In [flow.microsoft.com](https://flow.microsoft.com/).
-
-2. Navigate to **My flows > New > Scheduled - from blank**.
-
- 
-
-
-3. Build a scheduled flow.
- 1. Enter a flow name.
- 2. Specify the start and time.
- 3. Specify the frequency. For example, every 5 minutes.
-
- 
-
-4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
-
- 
-
-
-5. Enter the following HTTP fields:
-
- - Method: "GET" as a value to get the list of devices.
- - URI: Enter `https://api.securitycenter.microsoft.com/api/machines`.
- - Authentication: Select "Active Directory OAuth".
- - Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
- - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\`
- - Client ID: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value.
- - Credential Type: Select "Secret".
- - Secret: Sign-in to https://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
-
- 
-
-
-6. Add a new step by selecting **Add new action** then search for **Data Operations** and select
-**Parse JSON**.
-
- 
-
-7. Add Body in the **Content** field.
-
- 
-
-8. Select the **Use sample payload to generate schema** link.
-
- 
-
-9. Copy and paste the following JSON snippet:
-
- ```
- {
- "type": "object",
- "properties": {
- "@@odata.context": {
- "type": "string"
- },
- "value": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "id": {
- "type": "string"
- },
- "computerDnsName": {
- "type": "string"
- },
- "firstSeen": {
- "type": "string"
- },
- "lastSeen": {
- "type": "string"
- },
- "osPlatform": {
- "type": "string"
- },
- "osVersion": {},
- "lastIpAddress": {
- "type": "string"
- },
- "lastExternalIpAddress": {
- "type": "string"
- },
- "agentVersion": {
- "type": "string"
- },
- "osBuild": {
- "type": "integer"
- },
- "healthStatus": {
- "type": "string"
- },
- "riskScore": {
- "type": "string"
- },
- "exposureScore": {
- "type": "string"
- },
- "aadDeviceId": {},
- "machineTags": {
- "type": "array"
- }
- },
- "required": [
- "id",
- "computerDnsName",
- "firstSeen",
- "lastSeen",
- "osPlatform",
- "osVersion",
- "lastIpAddress",
- "lastExternalIpAddress",
- "agentVersion",
- "osBuild",
- "healthStatus",
- "rbacGroupId",
- "rbacGroupName",
- "riskScore",
- "exposureScore",
- "aadDeviceId",
- "machineTags"
- ]
- }
- }
- }
- }
-
- ```
-
-10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example:
-- If yes, no notification will be triggered
-- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin
-
- 
-
- 
-
-11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0.
-
- 
- 
- 
- 
-
-## Alert notification
-The following image is an example of an email notification.
-
-
-
-
-## Tips
-
-- You can filter here using lastSeen only:
- - Every 60 min:
- - Take all devices last seen in the past 7 days.
-
-- For each device:
- - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
- - If first seen is on the past hour -> Alert for onboarding.
-
-In this solution you will not have duplicate alerts:
-There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging.
-
-You can split it to two queries:
-1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
-2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
deleted file mode 100644
index e990c35bcf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Onboard to the Microsoft Defender ATP service
-description: Learn how to onboard endpoints to Microsoft Defender ATP service
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-endpointprotect
- - m365solution-scenario
-ms.topic: article
-ms.technology: mde
----
-
-# Onboard to the Microsoft Defender for Endpoint service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution.
-
-Deploying Defender for Endpoint is a three-phase process:
-
-| [](prepare-deployment.md)
[Phase 1: Prepare](prepare-deployment.md) | [](production-deployment.md)
[Phase 2: Setup](production-deployment.md) | 
Phase 3: Onboard |
-| ----- | ----- | ----- |
-| | |*You are here!*|
-
-You are currently in the onboarding phase.
-
-These are the steps you need to take to deploy Defender for Endpoint:
-
-- Step 1: Onboard endpoints to the service
-- Step 2: Configure capabilities
-
-## Step 1: Onboard endpoints using any of the supported management tools
-The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
-
-
-Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
-
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
-
-
-
-After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
-
-### Onboarding tool options
-
-The following table lists the available tools based on the endpoint that you need to onboard.
-
-| Endpoint | Tool options |
-|--------------|------------------------------------------|
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md) |
-| **macOS** | [Local scripts](mac-install-manually.md)
[Microsoft Endpoint Manager](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
-
-## Step 2: Configure capabilities
-After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
-
-
-## Example deployments
-In this deployment guide, we'll guide you through using two deployment tools to onboard endpoints and how to configure capabilities.
-
-The tools in the example deployments are:
-- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
-- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
-
-Using the mentioned deployment tools above, you'll then be guided in configuring the following Defender for Endpoint capabilities:
-- Endpoint detection and response configuration
-- Next-generation protection configuration
-- Attack surface reduction configuration
-
-## Related topics
-- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
-- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
deleted file mode 100644
index 60083b17cd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Overview of attack surface reduction
-ms.reviewer:
-description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP.
-keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.custom: asr
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Overview of attack surface reduction
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
-
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
-
-
-Article | Description
--|-
-[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus).
-[Hardware-based isolation](../microsoft-defender-application-guard/md-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
-[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
-[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus)
-[Web protection](./web-protection-overview.md) | Secure your devices against web threats and help you regulate unwanted content.
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus)
-[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
-[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
deleted file mode 100644
index 2a4e3f129e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Overview of custom detections in Microsoft Defender ATP
-ms.reviewer:
-description: Understand how you can use advanced hunting to create custom detections and generate alerts
-keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Custom detections overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
-
-Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Custom detections provide:
-- Alerts for rule-based detections built from advanced hunting queries
-- Automatic response actions that apply to files and devices
-
-## Related topics
-- [Create detection rules](custom-detection-rules.md)
-- [View and manage detection rules](custom-detections-manage.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
deleted file mode 100644
index 0441772cda..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Overview of endpoint detection and response capabilities
-ms.reviewer:
-description: Learn about the endpoint detection and response capabilities in Microsoft Defender ATP
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Overview of endpoint detection and response
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
-
-When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5]
-
-Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.
-
-The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
-
-
-## Related topics
-- [Security operations dashboard](security-operations-dashboard.md)
-- [Incidents queue](view-incidents-queue.md)
-- [Alerts queue](alerts-queue.md)
-- [Devices list](machines-view-overview.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
deleted file mode 100644
index 0e43599b7f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Hardware-based isolation (Windows 10)
-ms.reviewer:
-description: Learn about how hardware-based isolation in Windows 10 helps to combat malware.
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.author: macapara
-ms.date: 09/07/2018
-ms.technology: mde
----
-
-# Hardware-based isolation in Windows 10
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender for Endpoint.
-
-| Feature | Description |
-|------------|-------------|
-| [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
-| [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
deleted file mode 100644
index d4b17c7972..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: Partner applications in Microsoft Defender ATP
-ms.reviewer:
-description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform
-keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Partner applications in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-
-
-The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint; enabling security teams to effectively respond better to modern threats.
-
-Microsoft Defender for Endpoint seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
-
-- SIEM
-- Ticketing and IT service management solutions
-- Managed security service providers (MSSP)
-- IoC indicators ingestions and matching
-- Automated device investigation and remediation based on external alerts
-- Integration with Security orchestration and automation response (SOAR) systems
-
-## Supported applications
-
-
-### Security information and analytics
-
-Logo |Partner name | Description
-:---|:---|:---
-| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
-| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel
- | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
- | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
- | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint
- | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Defender for Endpoint detections
- | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Defender for Endpoint Alerts to RSA NetWitness leveraging Microsoft Graph Security API
- | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
- | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
- | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
- | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
-
-### Orchestration and automation
-
-
-Logo |Partner name | Description
-:---|:---|:---
- | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks
- | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
- | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
- | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
- | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
- | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
- | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
-
-
-### Threat intelligence
-
-Logo |Partner name | Description
-:---|:---|:---
- | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
- | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
- | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
-
-
-
-### Network security
-Logo |Partner name | Description
-:---|:---|:---
- | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
- | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
- | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
- |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
-
-
-### Cross platform
-Logo |Partner name | Description
-:---|:---|:---
-| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
- | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
-| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata
-| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
- | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
-| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
-
-
-## Additional integrations
-Logo |Partner name | Description
-:---|:---|:---
-| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Defender for Endpoint with advanced Web Filtering
-| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
-| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats
-
-
-
-
-## SIEM integration
-Defender for Endpoint supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
-
-## Ticketing and IT service management
-Ticketing solution integration helps to implement manual and automatic response processes. Defender for Endpoint can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
-
-## Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
-
-## External alert correlation and Automated investigation and remediation
-Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale.
-
-Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-
-External alerts can be pushed into Defender for Endpoint and is presented side by side with additional device-based alerts from Defender for Endpoint. This view provides a full context of the alert — with the real process and the full story of attack.
-
-## Indicators matching
-You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
-
-Defender for Endpoint allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match.
-
-Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
-
-## Support for non-Windows platforms
-Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
deleted file mode 100644
index 5aae40dce1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Microsoft Defender ATP partner opportunities and scenarios
-ms.reviewer:
-description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP
-keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint partner opportunities and scenarios
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Defender for Endpoint.
-
-The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Defender for Endpoint.
-
-
-## Scenario 1: External alert correlation and Automated investigation and remediation
-Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale.
-
-Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-
-Defender for Endpoint adds support for this scenario in the following forms:
-
-- External alerts can be pushed into Defender for Endpoint and presented side by side with additional device-based alerts from Defender for Endpoint. This view provides the full context of the alert - with the real process and the full story of attack.
-
-- Once an alert is generated, the signal is shared across all Defender for Endpoint protected endpoints in the enterprise. Defender for Endpoint takes immediate automated or operator-assisted response to address the alert.
-
-## Scenario 2: Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
-
-## Scenario 3: Indicators matching
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Defender for Endpoint and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
-
-The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios.
-
-Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-started-partner-integration.md) to integrate your solution in Defender for Endpoint.
-
-## Related topic
-- [Overview of management and APIs](management-apis.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
deleted file mode 100644
index 302c9405a3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: Microsoft Defender Advanced Threat Protection portal overview
-description: Microsoft Defender Security Center can monitor your enterprise network and assist in responding to potential advanced persistent threats (APT) or data breaches.
-keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender Security Center portal overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
-
-You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
-
-- View, sort, and triage alerts from your endpoints
-- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender for Endpoint settings, including time zone and review licensing information
-
-## Microsoft Defender Security Center
-
-When you open the portal, you'll see:
-
-- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
-- (2) Search, Community center, Localization, Help and support, Feedback
-
- 
-
-> [!NOTE]
-> Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
-
-Area | Description
-:---|:---
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
-**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
-**Incidents** | View alerts that have been aggregated as incidents.
-**Devices list** | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels.
-**Alerts queue** | View alerts generated from devices in your organizations.
-**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
-**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
-**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
-**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment.
-**Service health** | Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
-**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
-
-> [!NOTE]
-> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
-
-## Microsoft Defender for Endpoint icons
-
-The following table provides information on the icons used all throughout the portal:
-
-Icon | Description
-:---|:---
-| Microsoft Defender for Endpoint logo
-| Alert – Indication of an activity correlated with advanced attacks.
-| Detection – Indication of a malware threat detection.
-| Active threat – Threats actively executing at the time of detection.
-| Remediated – Threat removed from the device.
-| Not remediated – Threat not removed from the device.
-| Indicates events that triggered an alert in the **Alert process tree**.
-| Device icon
-| Microsoft Defender Antivirus events
-| Windows Defender Application Guard events
-| Windows Defender Device Guard events
-| Windows Defender Exploit Guard events
-| Windows Defender SmartScreen events
-| Windows Firewall events
-| Response action
-| Process events
-| Network events
-| File events
-| Registry events
-| Load DLL events
-| Other events
-| Access token modification
-| File creation
-| Signer
-| File path
-| Command line
-| Unsigned file
-| Process tree
-| Memory allocation
-| Process injection
-| Powershell command run
- | Community center
- | Notifications
- | Automated investigation - no threats found
- | Automated investigation - failed
- | Automated investigation - partially investigated
- | Automated investigation - terminated by system
- | Automated investigation - pending
- | Automated investigation - running
- | Automated investigation - remediated
- | Automated investigation - partially remediated
- | Threat & Vulnerability Management - threat insights
- | Threat & Vulnerability Management - possible active alert
- | Threat & Vulnerability Management - recommendation insights
-
-## Related topics
-
-- [Overview of Microsoft Defender Security Center](use.md)
-- [View the Security operations dashboard](security-operations-dashboard.md)
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
deleted file mode 100644
index f019e3a9d3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Submit or Update Indicator API
-description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, submit, ti, indicator, update
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Submit or Update Indicator API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Submits or Updates new [Indicator](ti-indicator.md) entity.
-
CIDR notation for IPs is not supported.
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-2. There is a limit of 15,000 active indicators per tenant.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/indicators
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-application | String | The application associated with the indicator. **Optional**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-
-
-## Response
-- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body.
-- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/indicators
-```
-
-```json
-{
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "test",
- "application": "demo-test",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "nothing",
- "rbacGroupNames": ["group1", "group2"]
-}
-```
-
-## Related topic
-- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
deleted file mode 100644
index aba7dce04f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Configure Microsoft Defender Security Center settings
-description: Use the settings page to configure general settings, permissions, apis, and rules.
-keywords: settings, general settings, permissions, apis, rules
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Configure Microsoft Defender Security Center settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
-
-Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
-
-## In this section
-
-Topic | Description
-:---|:---
-General settings | Modify your general settings that were previously defined as part of the onboarding process.
-Permissions | Manage portal access using RBAC as well as device groups.
-APIs | Enable the threat intel and SIEM integration.
-Rules | Configure suppressions rules and automation settings.
-Device management | Onboard and offboard devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
deleted file mode 100644
index c39bab20ac..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-title: Prepare Microsoft Defender ATP deployment
-description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
-keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-endpointprotect
- - m365solution-scenario
-ms.topic: article
-ms.technology: mde
----
-
-# Prepare Microsoft Defender for Endpoint deployment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
-
-Deploying Defender for Endpoint is a three-phase process:
-
-| 
Phase 1: Prepare | [](production-deployment.md)
[Phase 2: Setup](production-deployment.md) | [](onboarding.md)
[Phase 3: Onboard](onboarding.md) |
-| ----- | ----- | ----- |
-|*You are here!* | ||
-
-
-You are currently in the preparation phase.
-
-
-Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Defender for Endpoint.
-
-
-## Stakeholders and approval
-The following section serves to identify all the stakeholders that are involved
-in the project and need to approve, review, or stay informed.
-
-Add stakeholders
-to the table below as appropriate for your organization.
-
-- SO = Approve project
-
-- R = Review this project and provide input
-
-- I = Informed of this project
-
-| Name | Role | Action |
-|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
-| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
-| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
-| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R |
-| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
-| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience, and overall usefulness of this change from a security operations perspective.* | I |
-
-
-## Environment
-
-
-This section is used to ensure your environment is deeply understood by the
-stakeholders, which will help identify potential dependencies and/or changes
-required in technologies or processes.
-
-| What | Description |
-|---------------------------------------|-------------|
-| Endpoint count | |
-| Server count | |
-| Management engine | |
-| CDOC distribution | |
-| Security information and event (SIEM) | |
-
-
-## Role-based access control
-
-Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Azure Active Directory. Microsoft recommends
-[review the different roles that are
-available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
-and choose the right one to solve your needs for each persona for this
-application. Some roles may need to be applied temporarily and removed after the
-deployment has been completed.
-
-| Personas | Roles | Azure AD Role (if necessary) | Assign to |
-|------------------------------|-------|-----------------------------|-----------|
-| Security Administrator | | | |
-| Security Analyst | | | |
-| Endpoint Administrator | | | |
-| Infrastructure Administrator | | | |
-| Business Owner/Stakeholder | | | |
-
-Microsoft recommends using [Privileged Identity
-Management](https://docs.microsoft.com/azure/active-directory/active-directory-privileged-identity-management-configure)
-to manage your roles to provide additional auditing, control, and access review
-for users with directory permissions.
-
-Defender for Endpoint supports two ways to manage permissions:
-
-- **Basic permissions management**: Set permissions to either full access or
- read-only. In the case of basic permissions management users with Global
- Administrator or Security Administrator role in Azure Active Directory have
- full access while the Security reader role has read-only access.
-
-- **Role-based access control (RBAC)**: Set granular permissions by defining
- roles, assigning Azure AD user groups to the roles, and granting the user
- groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
-
-Microsoft recommends leveraging RBAC to ensure that only users that have a
-business justification can access Defender for Endpoint.
-
-You can find details on permission guidelines
-[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
-
-The following example table serves to identify the Cyber Defense Operations
-Center structure in your environment that will help you determine the RBAC
-structure required for your environment.
-
-| Tier | Description | Permission Required |
-|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Tier 1 | **Local security operations team / IT team**
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
-| Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions. | View data |
-| Tier 3 | **Global security operations team**
This team consists of security experts and is authorized to see and perform all actions from the portal. | View data
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings |
-
-
-
-## Adoption Order
-In many cases, organizations will have existing endpoint security products in
-place. The bare minimum every organization should have been an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
-
-Historically, replacing any security solution used to be time intensive and difficult
-to achieve due to the tight hooks into the application layer and infrastructure
-dependencies. However, because Defender for Endpoint is built into the
-operating system, replacing third-party solutions is now easy to achieve.
-
-Choose the component of Defender for Endpoint to be used and remove the ones
-that do not apply. The table below indicates the order Microsoft recommends for
-how the endpoint security suite should be enabled.
-
-| Component | Description | Adoption Order Rank |
-|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
-|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
-| Auto Investigation & Remediation (AIR) | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
-| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
-
-## Next step
-|||
-|:-------|:-----|
-|
[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender for Endpoint deployment
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
deleted file mode 100644
index f821f26626..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Turn on the preview experience in Microsoft Defender ATP
-description: Turn on the preview experience in Microsoft Defender Advanced Threat Protection to try upcoming features.
-keywords: advanced features, settings, block file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-# Turn on the preview experience in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
-
-Turn on the preview experience setting to be among the first to try upcoming features.
-
-1. In the navigation pane, select **Settings** > **Advanced features**.
-
- 
-
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
-## Related topics
-- [Update general settings in Microsoft Defender for Endpoint](data-retention-settings.md)
-- [Turn on advanced features in Microsoft Defender for Endpoint](advanced-features.md)
-- [Configure email notifications in Microsoft Defender for Endpoint](configure-email-notifications.md)
-- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
deleted file mode 100644
index 508d8c7ff6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Microsoft Defender ATP preview features
-description: Learn how to access Microsoft Defender Advanced Threat Protection preview features.
-keywords: preview, preview experience, Microsoft Defender Advanced Threat Protection, features, updates
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint preview features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->[!IMPORTANT]
->The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.
-
-> [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
-
-Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
-
->[!TIP]
->Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
-
-For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md).
-
-## Turn on preview features
-
-You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available.
-
-Turn on the preview experience setting to be among the first to try upcoming features.
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
-## Preview features
-
-The following features are included in the preview release:
-
-- [Web Content Filtering](web-content-filtering.md)
Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-
-- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
-
-- [Information protection](information-protection-in-windows-overview.md)
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
-
- >[!NOTE]
- >Partially available from Windows 10, version 1809.
-
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
-
-
-> [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
deleted file mode 100644
index b773ed3d47..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ /dev/null
@@ -1,252 +0,0 @@
----
-title: Set up Microsoft Defender ATP deployment
-description: Learn how to setup the deployment for Microsoft Defender ATP
-keywords: deploy, setup, licensing validation, tenant configuration, network configuration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-endpointprotect
- - m365solution-scenario
-ms.topic: article
-ms.technology: mde
----
-
-# Set up Microsoft Defender for Endpoint deployment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Deploying Defender for Endpoint is a three-phase process:
-
-| [](prepare-deployment.md)
[Phase 1: Prepare](prepare-deployment.md) | 
Phase 2: Setup | [](onboarding.md)
[Phase 3: Onboard](onboarding.md) |
-| ----- | ----- | ----- |
-| | *You are here!*||
-
-You are currently in the set-up phase.
-
-In this deployment scenario, you'll be guided through the steps on:
-- Licensing validation
-- Tenant configuration
-- Network configuration
-
-
->[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md).
-
-## Check license state
-
-Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
-
-1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
- 
-
-1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
-
- On the screen, you will see all the provisioned licenses and their current **Status**.
-
- 
-
-
-## Cloud Service Provider validation
-
-To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
-
-1. From the **Partner portal**, select **Administer services > Office 365**.
-
-2. Clicking on the **Partner portal** link will open the **Admin on behalf** option and will give you access to the customer admin center.
-
- 
-
-
-
-## Tenant Configuration
-
-When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Defender for Endpoint created. The easiest method is to perform these steps from a Windows 10 client device.
-
-1. From a web browser, navigate to
Suitable only for desktops in a
- stable topology (for example: a desktop in a corporate network behind the
- same proxy)
-
-### Configure the proxy server manually using a registry-based static proxy
-
-Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint
-sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint
-services if a computer is not permitted to connect to the Internet. The static
-proxy is configurable through Group Policy (GP). The group policy can be found
-under:
-
- - Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**
-
-1. Open the Group Policy Management Console.
-2. Create a policy or edit an existing policy based off the organizational practices.
-3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
- 
-
-4. Select **Enabled**.
-5. Select **Disable Authenticated Proxy usage**.
-
-6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
- 
-7. Select **Enabled**.
-8. Enter the **Proxy Server Name**.
-
-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
-
-The registry value `TelemetryProxyServer` takes the following string format:
-
-```text
-
| Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
-
-
-### Microsoft Defender for Endpoint service backend IP range
-
-If you network devices don't support the URLs listed in the prior section, you can use the following information.
-
-Defender for Endpoint is built on Azure cloud, deployed in the following regions:
-
-- \+\
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
deleted file mode 100644
index 49d143d897..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ /dev/null
@@ -1,334 +0,0 @@
----
-title: Pull Microsoft Defender for Endpoint detections using REST API
-description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API.
-keywords: detections, pull detections, rest api, request, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Pull Microsoft Defender for Endpoint detections using SIEM REST API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
->[!Note]
->- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-Microsoft Defender for Endpoint supports the OAuth 2.0 protocol to pull detections from the API.
-
-In general, the OAuth 2.0 protocol supports four types of flows:
-- Authorization grant flow
-- Implicit flow
-- Client credentials flow
-- Resource owner flow
-
-For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
-
-Microsoft Defender for Endpoint supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
-
-The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
-
-The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender for Endpoint endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
-
-Use the following method in the Microsoft Defender for Endpoint API to pull detections in JSON format.
-
->[!NOTE]
->Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
-
-## Before you begin
-- Before calling the Microsoft Defender for Endpoint endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md).
-
-- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- - Application ID (unique to your application)
- - App key, or secret (unique to your application)
- - Your app's OAuth 2.0 token endpoint
- - Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
-
-## Get an access token
-Before creating calls to the endpoint, you'll need to get an access token.
-
-You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint.
-
-To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
-
-```http
-
-POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
-Host: login.microsoftonline.com
-Content-Type: application/x-www-form-urlencoded
-
-resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
-```
-The response will include an access token and expiry information.
-
-```json
-{
- "token_type": "Bearer",
- "expires_in": 3599,
- "ext_expires_in": 0,
- "expires_on": 1488720683,
- "not_before": 1488720683,
- "resource": "https://graph.windows.net",
- "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
-}
-```
-You can now use the value in the *access_token* field in a request to the Defender for Endpoint API.
-
-## Request
-With an access token, your app can make authenticated requests to the Microsoft Defender for Endpoint API. Your app must append the access token to the Authorization header of each request.
-
-### Request syntax
-Method | Request URI
-:---|:---|
-GET| Use the URI applicable for your region.
**For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
**For UK**: `https://wdatp-alertexporter-uk.windows.com/api/alerts`
-
-### Request header
-Header | Type | Description|
-:--|:--|:--
-Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. |
-
-### Request parameters
-
-Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours.
-
-Name | Value| Description
-:---|:---|:---
-sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
-untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
-ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
Example: `ago=PT10M` will pull alerts received in the last 10 minutes.
-limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
-machinegroups | string | Specifies device groups to pull alerts from.
**NOTE**: When not specified, alerts from all device groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
-DeviceCreatedMachineTags | string | Single device tag from the registry.
-CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center.
-
-### Request example
-The following example demonstrates how to retrieve all the detections in your organization.
-
-```http
-GET https://wdatp-alertexporter-eu.windows.com/api/alerts
-Authorization: Bearer
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
-Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions.
-Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal.
-
-Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
-
-- **Control who can take specific action**
- - Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
-
-- **Control who can see information on specific device group or groups**
- - [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
-
-To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles.
-
-
-### Before you begin
-Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.
-
-
-> [!WARNING]
-> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
-
-When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
-
-Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments
-
-> [!WARNING]
-> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
->
-> **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
->
->Users with admin permissions are automatically assigned the default built-in Defender for Endpoint global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Defender for Endpoint global administrator role.
->
-> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
-
-
-
-## Related topic
-- [Create and manage device groups in Microsoft Defender for Endpoint](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
deleted file mode 100644
index bd7d795620..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Recommendation methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Recommendation resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
deleted file mode 100644
index 4040df0a11..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ /dev/null
@@ -1,301 +0,0 @@
----
-title: Take response actions on a file in Microsoft Defender ATP
-description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details.
-keywords: respond, stop and quarantine, block file, deep analysis
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Take response actions on a file
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
-
-Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
-
-Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-
-Response actions run along the top of the file page, and include:
-
-- Stop and Quarantine File
-- Add Indicator
-- Download file
-- Consult a threat expert
-- Action center
-
-You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
-
-Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
-
-| Permission | PE files | Non-PE files |
-| :--------------------- | :------: | :----------: |
-| View data | X | X |
-| Alerts investigation | ☑ | X |
-| Live response basic | X | X |
-| Live response advanced | ☑ | ☑ |
-
-For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
-
-
-## Stop and quarantine files in your network
-
-You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
-
-> [!IMPORTANT]
-> You can only take this action if:
->
-> - The device you're taking the action on is running Windows 10, version 1703 or later
-> - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
-
-This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
-
-> [!NOTE]
-> You’ll be able to restore the file from quarantine at any time.
-
-### Stop and quarantine files
-
-1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
-
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select **File** from the drop–down menu and enter the file name
-
-
- > [!NOTE]
- > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
-
-2. Go to the top bar and select **Stop and Quarantine File**.
-
- 
-
-3. Specify a reason, then click **Confirm**.
-
- 
-
- The Action center shows the submission information:
-
- 
-
- - **Submission time** - Shows when the action was submitted.
- - **Success** - Shows the number of devices where the file has been stopped and quarantined.
- - **Failed** - Shows the number of devices where the action failed and details about the failure.
- - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
-
-4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
-
-**Notification on device user**:
-When the file is being removed from a device, the following notification is shown:
-
-
-
-In the device timeline, a new event is added for each device where a file was stopped and quarantined.
-
-For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
-
-## Restore file from quarantine
-
-You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each device where the file was quarantined.
-
-1. Open an elevated command–line prompt on the device:
-
- 1. Go to **Start** and type _cmd_.
-
- 1. Right–click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```powershell
- “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
- ```
-
-> [!NOTE]
-> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
->
-> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
-
-> [!IMPORTANT]
-> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
-
-## Add indicator to block or allow a file
-
-You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
-
-> [!IMPORTANT]
->
-> - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
->
-> - The Antimalware client version must be 4.18.1901.x or later.
-> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
-> - This response action is available for devices on Windows 10, version 1703 or later.
-> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
-
-> [!NOTE]
-> The PE file needs to be in the device timeline for you to be able to take this action.
->
-> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
-
-### Enable the block file feature
-
-To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-
-### Allow or block file
-
-When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
-
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
-
-See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
-
-To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
-
-You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
-
-## Download or collect file
-
-Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
-
-
-
-When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
-
-
-
-If a file is not already stored by Defender for Endpoint, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
-
-## Consult a threat expert
-
-You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
-
-- Investigation package collection
-- Antivirus scan
-- App restriction
-- Device isolation
-
-All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
-
-
-
-
-## Deep analysis
-
-Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
-
-The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
-Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
-
-Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself.
-
-The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message.
-
-Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
-
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
-
-**Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
-
-> [!NOTE]
-> Only files from Windows 10 can be automatically collected.
-
-You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
-
-> [!NOTE]
-> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
-
-When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
-
-#### Submit files for deep analysis
-
-1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
-
- - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
- - **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section
- - Search box - select **File** from the drop–down menu and enter the file name
-
-2. In the **Deep analysis** tab of the file view, click **Submit**.
-
- 
-
- > [!NOTE]
- > Only PE files are supported, including _.exe_ and _.dll_ files.
-
-A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-
-> [!NOTE]
-> Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-
-#### View deep analysis reports
-
-View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
-
-You can view the comprehensive report that provides details on the following sections:
-
-- Behaviors
-- Observables
-
-The details provided can help you investigate if there are indications of a potential attack.
-
-1. Select the file you submitted for deep analysis.
-2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
-
- 
-
-#### Troubleshoot deep analysis
-
-If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
-
-1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-
-1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-
-1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-
-1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
-
- ```powershell
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: AllowSampleCollection
- Type: DWORD
- Hexadecimal value :
- Value = 0 – block sample collection
- Value = 1 – allow sample collection
- ```
-
-1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
-
-1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-
-## Related topics
-
-- [Take response actions on a device](respond-machine-alerts.md)
-- [Investigate files](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
deleted file mode 100644
index 43c6ea2779..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ /dev/null
@@ -1,208 +0,0 @@
----
-title: Take response actions on a device in Microsoft Defender ATP
-description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution.
-keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Take response actions on a device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
-
-Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.
-
-Response actions run along the top of a specific device page and include:
-
-- Manage tags
-- Initiate Automated Investigation
-- Initiate Live Response Session
-- Collect investigation package
-- Run antivirus scan
-- Restrict app execution
-- Isolate device
-- Consult a threat expert
-- Action center
-
-[  ](images/response-actions.png#lightbox)
-
- You can find device pages from any of the following views:
-
-- **Security operations dashboard** - Select a device name from the Devices at risk card.
-- **Alerts queue** - Select the device name beside the device icon from the alerts queue.
-- **Devices list** - Select the heading of the device name from the devices list.
-- **Search box** - Select Device from the drop-down menu and enter the device name.
-
->[!IMPORTANT]
-> - These response actions are only available for devices on Windows 10, version 1703 or later.
-> - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities.
-
-## Manage tags
-
-Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
-
-For more information on device tagging, see [Create and manage device tags](machine-tags.md).
-
-## Initiate Automated Investigation
-
-You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-
-For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-
-## Initiate Live Response Session
-
-Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — real time.
-
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-
-For more information on live response, see [Investigate entities on devices using live response](live-response.md).
-
-## Collect investigation package from devices
-
-As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
-
-To download the package (Zip file) and investigate the events that occurred on a device
-
-1. Select **Collect investigation package** from the row of response actions at the top of the device page.
-2. Specify in the text box why you want to perform this action. Select **Confirm**.
-3. The zip file will download
-
-Alternate way:
-
-1. Select **Action center** from the response actions section of the device page.
-
- 
-
-3. In the Action center fly-out, select **Package collection package available** to download the zip file.
-
- 
-
-The package contains the following folders:
-
-| Folder | Description |
-|:---|:---------|
-|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.
->If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.
->For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus).
-
-## Restrict app execution
-
-In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-
->[!IMPORTANT]
-> - This action is available for devices on Windows 10, version 1709 or later.
-> - This feature is available if your organization uses Microsoft Defender Antivirus.
-> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
-
-To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.
-
->[!NOTE]
->You’ll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
-
-Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-
-
-
-**Notification on device user**:
-When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
-
-
-
-## Isolate devices from the network
-
-Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.
-
->[!IMPORTANT]
->- Full isolation is available for devices on Windows 10, version 1703.
->- Selective isolation is available for devices on Windows 10, version 1709 or later.
-
-This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.
-
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
-
->[!NOTE]
->You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device.
-
-Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-
-
-
->[!NOTE]
->The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
-
-**Notification on device user**:
-When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:
-
-
-
-## Consult a threat expert
-
-You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
-
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
-
-- Investigation package collection
-- Antivirus scan
-- App restriction
-- Device isolation
-
-All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
-
-
-
-## Related topic
-- [Take response actions on a file](respond-file-alerts.md)
-- [Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
deleted file mode 100644
index a78424ca79..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Restrict app execution API
-description: Use this API to create calls related to restricting an application from executing.
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Restrict app execution API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Restrict execution of all applications on the device except a predefined set.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.RestrictExecution | 'Restrict code execution'
-Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/restrictCodeExecution
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
-```
-
-```json
-{
- "Comment": "Restrict code execution due to alert 1234"
-}
-
-```
-
-- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
deleted file mode 100644
index 3a560a21fe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Review alerts in Microsoft Defender Advanced Threat Protection
-description: Review alert information, including a visualized alert story and details for each step of the chain.
-keywords: incident, incidents, machines, devices, users, alerts, alert, investigation, graph, evidence
-ms.prod: m365-security
-ms.pagetype: security
-f1.keywords:
- - NOCSH
-ms.author: daniha
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.date: 5/1/2020
-ms.technology: mde
----
-
-# Review alerts in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
-
-The alert page in Microsoft Defender for Endpoint provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
-
-Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5]
-
-## Getting started with an alert
-
-Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
-
-1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
-2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
-3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
-4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
-
-
-
-Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
-Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
-
-
-
-Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details.
-
-## Review affected assets
-
-Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
-
-- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
-- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
-
- 
-
-
-## Related topics
-
-- [View and organize the incidents queue](view-incidents-queue.md)
-- [Investigate incidents](investigate-incidents.md)
-- [Manage incidents](manage-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
deleted file mode 100644
index 1f52029bfe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ /dev/null
@@ -1,146 +0,0 @@
----
-title: Advanced Hunting API
-ms.reviewer:
-description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Advanced hunting API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-## Limitations
-1. You can only run a query on data from the last 30 days.
-2. The results will include a maximum of 100,000 rows.
-3. The number of executions is limited per tenant:
- - API calls: Up to 45 calls per minute.
- - Execution time: 10 minutes of running time every hour and 3 hours of running time a day.
-4. The maximal execution time of a single request is 10 minutes.
-5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | AdvancedQuery.Read.All | 'Run advanced queries'
-Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have 'View Data' AD role
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content-Type | application/json
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Query | Text | The query to run. **Required**.
-
-## Response
-If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
-
-
-## Example
-
-Request
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
-```
-
-```json
-{
- "Query":"DeviceProcessEvents
- | where InitiatingProcessFileName =~ 'powershell.exe'
- | where ProcessCommandLine contains 'appdata'
- | project Timestamp, FileName, InitiatingProcessFileName, DeviceId
- | limit 2"
-}
-```
-
-Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
-
-```json
-{
- "Schema": [
- {
- "Name": "Timestamp",
- "Type": "DateTime"
- },
- {
- "Name": "FileName",
- "Type": "String"
- },
- {
- "Name": "InitiatingProcessFileName",
- "Type": "String"
- },
- {
- "Name": "DeviceId",
- "Type": "String"
- }
- ],
- "Results": [
- {
- "Timestamp": "2020-02-05T01:10:26.2648757Z",
- "FileName": "csc.exe",
- "InitiatingProcessFileName": "powershell.exe",
- "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
- },
- {
- "Timestamp": "2020-02-05T01:10:26.5614772Z",
- "FileName": "csc.exe",
- "InitiatingProcessFileName": "powershell.exe",
- "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
- }
- ]
-}
-```
-
-## Related topic
-- [Microsoft Defender for Endpoint APIs introduction](apis-intro.md)
-- [Advanced Hunting from Portal](advanced-hunting-query-language.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
deleted file mode 100644
index 3435095384..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: Advanced Hunting with PowerShell API Basics
-ms.reviewer:
-description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Advanced Hunting using PowerShell
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
-
-In this section, we share PowerShell samples to retrieve a token and use it to run a query.
-
-## Before you begin
-You first need to [create an app](apis-intro.md).
-
-## Preparation instructions
-
-- Open a PowerShell window.
-- If your policy does not allow you to run the PowerShell commands, you can run the below command:
- ```
- Set-ExecutionPolicy -ExecutionPolicy Bypass
- ```
-
->For more information, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
-
-## Get token
-
-- Run the following:
-
-```
-$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
-$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
-$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
-
-$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
-$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
-$body = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
-$aadToken = $response.access_token
-```
-
-where
-- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
-- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Defender for Endpoint)
-- $appSecret: Secret of your Azure AD app
-
-## Run query
-
-Run the following query:
-
-```
-$query = 'RegistryEvents | limit 10' # Paste your own query here
-
-$url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
-$headers = @{
- 'Content-Type' = 'application/json'
- Accept = 'application/json'
- Authorization = "Bearer $aadToken"
-}
-$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
-$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
-$response = $webResponse | ConvertFrom-Json
-$results = $response.Results
-$schema = $response.Schema
-```
-
-- $results contain the results of your query
-- $schema contains the schema of the results of your query
-
-### Complex queries
-
-If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
-
-```
-$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
-```
-
-## Work with query results
-
-You can now use the query results.
-
-To output the results of the query in CSV format in file file1.csv do the below:
-
-```
-$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
-```
-
-To output the results of the query in JSON format in file file1.json do the below:
-
-```
-$results | ConvertTo-Json | Set-Content file1.json
-```
-
-
-## Related topic
-- [Microsoft Defender for Endpoint APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
deleted file mode 100644
index db8dce54e7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: Advanced Hunting with Python API Guide
-ms.reviewer:
-description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Advanced Hunting using Python
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
-
-In this section, we share Python samples to retrieve a token and use it to run a query.
-
->**Prerequisite**: You first need to [create an app](apis-intro.md).
-
-## Get token
-
-- Run the following commands:
-
-```
-
-import json
-import urllib.request
-import urllib.parse
-
-tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
-appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
-appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
-
-url = "https://login.microsoftonline.com/%s/oauth2/token" % (tenantId)
-
-resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
-
-body = {
- 'resource' : resourceAppIdUri,
- 'client_id' : appId,
- 'client_secret' : appSecret,
- 'grant_type' : 'client_credentials'
-}
-
-data = urllib.parse.urlencode(body).encode("utf-8")
-
-req = urllib.request.Request(url, data)
-response = urllib.request.urlopen(req)
-jsonResponse = json.loads(response.read())
-aadToken = jsonResponse["access_token"]
-
-```
-
-where
-- tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
-- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint)
-- appSecret: Secret of your Azure AD app
-
-## Run query
-
- Run the following query:
-
-```
-query = 'RegistryEvents | limit 10' # Paste your own query here
-
-url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
-headers = {
- 'Content-Type' : 'application/json',
- 'Accept' : 'application/json',
- 'Authorization' : "Bearer " + aadToken
-}
-
-data = json.dumps({ 'Query' : query }).encode("utf-8")
-
-req = urllib.request.Request(url, data, headers)
-response = urllib.request.urlopen(req)
-jsonResponse = json.loads(response.read())
-schema = jsonResponse["Schema"]
-results = jsonResponse["Results"]
-
-```
-
-- schema contains the schema of the results of your query
-- results contain the results of your query
-
-### Complex queries
-
-If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
-
-```
-queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
-query = queryFile.read()
-queryFile.close()
-```
-
-## Work with query results
-
-You can now use the query results.
-
-To iterate over the results do the below:
-
-```
-for result in results:
- print(result) # Prints the whole result
- print(result["EventTime"]) # Prints only the property 'EventTime' from the result
-
-
-```
-
-
-To output the results of the query in CSV format in file file1.csv do the below:
-
-```
-import csv
-
-outputFile = open("D:\\Temp\\file1.csv", 'w')
-output = csv.writer(outputFile)
-output.writerow(results[0].keys())
-for result in results:
- output.writerow(result.values())
-
-outputFile.close()
-```
-
-To output the results of the query in JSON format in file file1.json do the below:
-
-```
-outputFile = open("D:\\Temp\\file1.json", 'w')
-json.dump(results, outputFile)
-outputFile.close()
-```
-
-
-## Related topic
-- [Microsoft Defender for Endpoint APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
deleted file mode 100644
index 68a10a5e99..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Run antivirus scan API
-description: Use this API to create calls related to running an antivirus scan on a device.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Run antivirus scan API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Initiate Microsoft Defender Antivirus scan on a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Scan | 'Scan machine'
-Delegated (work or school account) | Machine.Scan | 'Scan machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-ScanType| String | Defines the type of the Scan. **Required**.
-
-**ScanType** controls the type of scan to perform and can be one of the following:
-
-- **Quick** – Perform quick scan on the device
-- **Full** – Perform full scan on the device
-
-
-
-## Response
-If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
-```
-
-```json
-{
- "Comment": "Check machine for viruses due to alert 3212",
- "ScanType": "Full"
-}
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
deleted file mode 100644
index 278c62f37e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Run a detection test on a newly onboarded Microsoft Defender ATP device
-description: Run the detection script on a newly onboarded device to verify that it is properly onboarded to the Microsoft Defender ATP service.
-keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender advanced threat protection onboarding, clients, servers, test
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Supported Windows 10 versions
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server, 2019
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
-
-1. Create a folder: 'C:\test-MDATP-test'.
-2. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command Prompt** and select **Run as administrator**.
-
- 
-
-3. At the prompt, copy and run the following command:
-
- ```powershell
- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
- ```
-
-The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes.
-
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Onboard servers](configure-server-endpoints.md)
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
deleted file mode 100644
index 16a1f602bb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Score resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
deleted file mode 100644
index 4215777b33..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-title: Microsoft Defender Security Center Security operations dashboard
-description: Use the dashboard to identify devices at risk, keep track of the status of the service, and see statistics and information about devices and alerts.
-keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender Security Center Security operations dashboard
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
-
-The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed.
-
-The dashboard displays a snapshot of:
-
-- Active alerts
-- Devices at risk
-- Sensor health
-- Service health
-- Daily devices reporting
-- Active automated investigations
-- Automated investigations statistics
-- Users at risk
-- Suspicious activities
-
-
-
-
-You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
-
-From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a device. You can also drill down into granular events and low-level indicators.
-
-It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
-
-## Active alerts
-You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into **New** and **In progress**.
-
-
-
-Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
-
-For more information see, [Alerts overview](alerts-queue.md).
-
-Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md).
-
-
-## Devices at risk
-This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
-
-
-
-Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
-
-You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md).
-
-## Devices with sensor issues
-The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices.
-
-
-
-There are two status indicators that provide information on the number of devices that are not reporting properly to the service:
-- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender for Endpoint service and might have configuration errors that need to be corrected.
-- **Inactive** - Devices that have stopped reporting to the Microsoft Defender for Endpoint service for more than seven days in the past month.
-
-When you click any of the groups, you’ll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md).
-
-## Service health
-The **Service health** tile informs you if the service is active or if there are issues.
-
-
-
-For more information on the service health, see [Check the Microsoft Defender for Endpoint service health](service-status.md).
-
-
-## Daily devices reporting
-The **Daily devices reporting** tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day.
-
-
-
-
-## Active automated investigations
-You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for device**, and **Running**.
-
-
-
-
-## Automated investigations statistics
-This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
-
-
-
-You can click on **Automated investigations**, **Remediated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
-
-## Users at risk
-The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
-
-
-
-Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
-
-## Related topics
-- [Understand the Microsoft Defender for Endpoint portal](use.md)
-- [Portal overview](portal-overview.md)
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
deleted file mode 100644
index e4c2b710e3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Check the Microsoft Defender ATP service health
-description: Check Microsoft Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved.
-keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Check the Microsoft Defender for Endpoint service health
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
-
-**Service health** provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
-
-You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
-
-You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane.
-
-The **Service health** details page has the following tabs:
-
-- **Current status**
-- **Status history**
-
-## Current status
-The **Current status** tab shows the current state of the Defender for Endpoint service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
-
-- Date and time for when the issue was detected
-- A short description of the issue
-- Update time
-- Summary of impact
-- Preliminary root cause
-- Next steps
-- Expected resolution time
-
-Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
-
-When an issue is resolved, it gets recorded in the **Status history** tab.
-
-## Status history
-The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
-
-### Related topic
-- [View the Security operations dashboard](security-operations-dashboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
deleted file mode 100644
index 66e0dfcd99..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: Set device value API
-description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
-keywords: apis, graph api, supported apis, tags, machine tags
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Set device value API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-
-Set the device value of a specific [Machine](machine.md).
-See [assign device values](tvm-assign-device-value.md) for more information.
-
-## Limitations
-
-1. You can post on devices last seen according to your configured retention period.
-
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->
->- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**.
-
-## Response
-
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
-
-## Example
-
-**Request**
-
-Here is an example of a request that adds machine tag.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
-```
-
-```json
-{
- "DeviceValue" : "High"
-}
-```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
deleted file mode 100644
index cbe9c7e0d5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Software resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
deleted file mode 100644
index 6ab096b9f7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Stop and quarantine file API
-description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example.
-keywords: apis, graph api, supported apis, stop and quarantine file
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Stop and quarantine file API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Stop execution of a file on a device and delete it.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
-Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/StopAndQuarantineFile
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-Sha1 | String | Sha1 of the file to stop and quarantine on the device. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
-```
-
-```json
-{
- "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
- "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
deleted file mode 100644
index 1780f55497..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
-description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-migratetomdatp
- - m365solution-overview
-ms.topic: conceptual
-ms.custom: migrationguides
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
-ms.technology: mde
----
-
-# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
-
-If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration.
-
-> [!TIP]
-> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
-> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md).
-
-## The migration process
-
-When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-
-
-|Phase |Description |
-|--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](switch-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
deleted file mode 100644
index 2a3c2f472f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-migratetomdatp
-ms.custom: migrationguides
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
-
-|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-
-**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall your non-Microsoft solution
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall your non-Microsoft endpoint protection solution.
-
-To get help with this step, reach out to your solution provider's technical support team.
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled your non-Microsoft endpoint protection solution, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
deleted file mode 100644
index a49d62bf03..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-migratetomdatp
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
-
-|
Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get and deploy updates across your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
-
-### Make sure your existing solution is up to date
-
-Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
-
-Need help? See your solution provider's documentation.
-
-### Make sure your organization's devices are up to date
-
-Need help updating your organization's devices? See the following resources:
-
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
deleted file mode 100644
index 6b6dd2a9cd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ /dev/null
@@ -1,261 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-migratetomdatp
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
-
-|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
-4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
-
-This step of the migration process includes the following tasks:
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
-- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
-
-### Set DisableAntiSpyware to false on Windows Server
-
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
-
- - If you do see **DisableAntiSpyware**, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
-
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to **1**.
-
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-### Enable Microsoft Defender Antivirus on your Windows client devices
-
-Because your organization has been using a non-Microsoft antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Confirm that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside your existing endpoint protection solution if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
-
-> [!TIP]
-> To get help configuring exclusions, refer to your solution provider's documentation.
-
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
- ```kusto
- File(c:\\windows\\notepad.exe)
- | project Hash
- ```
-
- > [!NOTE]
- > In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
deleted file mode 100644
index 7f20e3e024..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Migrate from Symantec to Microsoft Defender for Endpoint
-description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-symantecmigrate
- - m365solution-overview
-ms.topic: conceptual
-ms.date: 09/22/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration.
-
-## The migration process
-
-When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-
-
-|Phase |Description |
-|--|--|
-|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
deleted file mode 100644
index 9ba924e18a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding
-description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-symantecmigrate
-ms.topic: article
-ms.date: 09/24/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-
-**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall Symantec](#uninstall-symantec).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall Symantec
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
-
-1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
-
-2. Delete the uninstall password for Symantec:
- 1. On your Windows devices, open Registry Editor as an administrator.
- 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
- 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-
-3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
- - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
- - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
deleted file mode 100644
index 4d58af47fd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing
-description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-symantecmigrate
-ms.topic: article
-ms.date: 09/22/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 1: Prepare for your migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|
Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get Microsoft Defender for Endpoint
-
-To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|:----|:----|:---|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
deleted file mode 100644
index da69f9acd3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ /dev/null
@@ -1,241 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up
-description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.technology: mde
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365solution-symantecmigrate
-ms.topic: article
-ms.date: 11/30/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |
Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
-2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
-5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-6. [Add Symantec to the exclusion list for Microsoft Defender for Endpoint](#add-symantec-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-7. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-8. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
-
-> [!TIP]
-> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
-
-On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
->
-> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- - Set the DWORD's value to **1**.
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-## Enable Microsoft Defender Antivirus
-
-Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Verify that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add Symantec to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-
-> [!NOTE]
-> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
-
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
-
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
- ```kusto
- File(c:\\windows\\notepad.exe)
- | project Hash
- ```
-
- > [!NOTE]
- > In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
deleted file mode 100644
index d65629d1ca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Understand the analyst report section in threat analytics
-ms.reviewer:
-description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
-keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Understand the analyst report in threat analytics
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
-
-
-
-_Analyst report section of a threat analytics report_
-
-## Scan the analyst report
-Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table.
-
-| Report section | Description |
-|--|--|
-| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. |
-| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
-| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) |
-| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. |
-| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
-| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
-| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. |
-| Change log | The time the report was published and when significant changes were made to the report. |
-
-## Apply additional mitigations
-Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab.
-
-In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked:
-
-- Block emails with _.lnk_ attachments or other suspicious file types
-- Randomize local administrator passwords
-- Educate end users about phishing email and other threat vectors
-- Turn on specific [attack surface reduction rules](attack-surface-reduction.md)
-
-While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.
-
-## Understand how each threat can be detected
-The analyst report also provides the detections from Microsoft Defender for Endpoint antivirus and _endpoint detection and response_ (EDR) capabilities.
-
-### Antivirus detections
-These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report.
-
->[!NOTE]
->The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.
-
-### Endpoint detection and response (EDR) alerts
-EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilities—such as antivirus, network protection, tamper protection—that serve as powerful signal sources.
-
-Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report.
-
-## Find subtle threat artifacts using advanced hunting
-While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives.
-
-[Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat.
-
-Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches.
-
-
-## Related topics
-- [Threat analytics overview](threat-analytics.md)
-- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
-- [Custom detection rules](custom-detection-rules.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
deleted file mode 100644
index a7163a294f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics
-ms.reviewer:
-description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
-keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Track and respond to emerging threats with threat analytics
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
-
-- Assess the impact of new threats
-- Review your resilience against or exposure to the threats
-- Identify the actions you can take to stop or contain the threats
-
-Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:
-
-- Active threat actors and their campaigns
-- Popular and new attack techniques
-- Critical vulnerabilities
-- Common attack surfaces
-- Prevalent malware
-
-Each report provides a detailed analysis of a threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.
-
-Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
-
-## View the threat analytics dashboard
-
-The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
-
-- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
-- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
-- **Threat summary**—shows the overall impact of tracked threats by showing the number of threats with active and resolved alerts.
-
-Select a threat from the dashboard to view the report for that threat.
-
-
-
-## View a threat analytics report
-
-Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
-
-### Overview: Quickly understand the threat, assess its impact, and review defenses
-
-The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
-
-
-_Overview section of a threat analytics report_
-
-#### Assess the impact to your organization
-Each report includes charts designed to provide information about the organizational impact of a threat:
-- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
-- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
-
-#### Review security resilience and posture
-Each report includes charts that provide an overview of how resilient your organization is against a given threat:
-- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
-- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
-
-### Analyst report: Get expert insight from Microsoft security researchers
-Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
-
-[Learn more about the analyst report](threat-analytics-analyst-reports.md)
-
-### Mitigations: Review list of mitigations and the status of your devices
-In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:
-
-- **Security updates**—deployment of security updates or patches for vulnerabilities
-- **Microsoft Defender Antivirus settings**
- - Security intelligence version
- - Cloud-delivered protection
- - Potentially unwanted application (PUA) protection
- - Real-time protection
-
-Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
-
-
-_Mitigations section of a threat analytics report_
-
-## Additional report details and limitations
-When using the reports, keep the following in mind:
-
-- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
-- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
-- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
-- Devices are counted as "unavailable" if they have not transmitted data to the service.
-- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
-
-## Related topics
-- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
-- [Understand the analyst report section](threat-analytics-analyst-reports.md)
-- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
deleted file mode 100644
index 75b6243eea..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-title: Event timeline in threat and vulnerability management
-description: Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
-keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-# Event timeline - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
-
-Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
-
->[!TIP]
->To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
-
-## Navigate to the Event timeline page
-
-There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md):
-
-- **Organization exposure score card**: Hover over the event dots in the "Exposure Score over time" graph and select "See all events from this day." The events represent software vulnerabilities.
-- **Microsoft Secure Score for Devices**: Hover over the event dots in the "Your score for devices over time" graph and select "See all events from this day." The events represent new configuration assessments.
-- **Top events card**: Select "Show more" at the bottom of the top events table. The card displays the three most impactful events in the last 7 days. Impactful events can include if the event affects a large number of devices, or if it is a critical vulnerability.
-
-### Exposure score and Microsoft Secure Score for Devices graphs
-
-In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top software vulnerability events from that day that impacted your devices. Hover over the Microsoft Secure Score for Devices graph to view new security configuration assessments that affect your score.
-
-If there are no events that affect your devices or your score for devices, then none will be shown.
-
-
-
-
-### Drill down to events from that day
-
-Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
-
-
-
-Select **Custom range** to change the date range to another custom one, or a pre-set time range.
-
-
-
-## Event timeline overview
-
-On the Event timeline page, you can view the all the necessary info related to an event.
-
-Features:
-
-- Customize columns
-- Filter by event type or percent of impacted devices
-- View 30, 50, or 100 items per page
-
-The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
-
-
-
-### Columns
-
-- **Date**: month, day, year
-- **Event**: impactful event, including component, type, and number of impacted devices
-- **Related component**: software
-- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
-- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
-- **Types**: reflect time-stamped events that impact the score. They can be filtered.
- - Exploit added to an exploit kit
- - Exploit was verified
- - New public exploit
- - New vulnerability
- - New configuration assessment
-- **Score trend**: exposure score trend
-
-### Icons
-
-The following icons show up next to events:
-
--  New public exploit
--  New vulnerability was published
--  Exploit found in exploit kit
--  Exploit verified
-
-### Drill down to a specific event
-
-Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
-
-The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
-
-
-
-From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md).
-
-## View Event timelines in software pages
-
-To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
-
-A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
-
-
-
-Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
-
-
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediate vulnerabilities](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
deleted file mode 100644
index 6d076ba18e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Understand threat intelligence concepts in Microsoft Defender ATP
-description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Microsoft Defender Advanced Threat Protection.
-keywords: threat intelligence, alert definitions, indicators of compromise, ioc
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Understand threat intelligence concepts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-threatindicator-abovefoldlink)
-
-Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
-
-With Microsoft Defender for Endpoint, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
-
-Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them.
-
-## Alert definitions
-Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
-
-## Indicators of compromise (IOC)
-IOCs are individually-known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
-
-## Relationship between alert definitions and IOCs
-In the context of Microsoft Defender for Endpoint, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options.
-
-Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender for Endpoint console.
-
-Here is an example of an IOC:
-- Type: Sha1
-- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
-- Action: Equals
-
-IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections.
-[Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender for Endpoint detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender for Endpoint detections.
-[Configure HP ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender for Endpoint detections.
-[Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender for Endpoint using REST API.
-[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
-
-
-
-## Related topics
-- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
deleted file mode 100644
index f825bed722..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions
-description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Security Center.
-author: mjcaparas
-ms.author: macapara
-ms.prod: m365-security
-keywords: microsoft 365 defender, conditional access, office, advanced threat protection, microsoft defender for identity, microsoft defender for office, azure security center, microsoft cloud app security, azure sentinel
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Microsoft Defender for Endpoint and other Microsoft solutions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-## Integrate with other Microsoft solutions
-
-Microsoft Defender for Endpoint directly integrates with various Microsoft solutions.
-
-### Azure Security Center
-Microsoft Defender for Endpoint provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
-
-### Azure Sentinel
-The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
-
-### Azure Information Protection
-Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
-
-### Conditional Access
-Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
-
-### Microsoft Cloud App Security
-Microsoft Cloud App Security leverages Microsoft Defender for Endpoint endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices.
-
-### Microsoft Defender for Identity
-Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
-
-### Microsoft Defender for Office
-[Defender for Office 365](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
-
->[!NOTE]
-> Defender for Office 365 data is displayed for events within the last 30 days. For alerts, Defender for Office 365 data is displayed based on first activity time. After that, the data is no longer available in Defender for Office 365.
-
-### Skype for Business
-The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal.
-
-## Microsoft 365 Defender
-With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
-
-[Learn more about Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-
-
-## Related topics
-- [Configure integration and other advanced features](advanced-features.md)
-- [Microsoft 365 Defender overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-- [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
-- [Protect users, data, and devices with Conditional Access](conditional-access.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
deleted file mode 100644
index de27be571b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Threat protection report in Microsoft Defender ATP
-description: Track alert detections, categories, and severity using the threat protection report
-keywords: alert detection, source, alert by category, alert severity, alert classification, determination
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Threat protection report in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
-
-The dashboard is structured into two sections:
-
-
-
-Section | Description
-:---|:---
-1 | Alerts trends
-2 | Alert summary
-
-## Alert trends
-By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
-
-- 30 days
-- 3 months
-- 6 months
-- Custom
-
->[!NOTE]
->These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
-
-
-## Alert summary
-While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
-
- The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
-
->[!NOTE]
->The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
-> The filter applied on the trends section is not applied on the summary section.
-
-## Alert attributes
-The report is made up of cards that display the following alert attributes:
-
-- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender for Endpoint to trigger alerts.
-
-- **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations.
-
-- **Severity**: shows the severity level of alerts, indicating the collective potential impact of threats to your organization and the level of response needed to address them.
-
-- **Status**: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of automated remediation (if enabled).
-
-- **Classification & determination**: shows how you have classified alerts upon resolution, whether you have classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show the determination of resolved alerts, providing additional insight like the types of actual threats found or the legitimate activities that were incorrectly detected.
-
-
-
-
-## Filter data
-
-Use the provided filters to include or exclude alerts with certain attributes.
-
->[!NOTE]
->These filters apply to **all** the cards in the report.
-
-For example, to show data about high-severity alerts only:
-
-1. Under **Filters > Severity**, select **High**
-2. Ensure that all other options under **Severity** are deselected.
-3. Select **Apply**.
-
-## Related topic
-- [Device health and compliance report](machine-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
deleted file mode 100644
index 1eb4f26891..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Indicator resource type
-description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, supported apis, get, TiIndicator, Indicator, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Indicator resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-- See the corresponding [Indicators page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal.
-
-Method|Return Type |Description
-:---|:---|:---
-[List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities.
-[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity.
-[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities.
-[Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Identity of the [Indicator](ti-indicator.md) entity.
-indicatorValue | String | The value of the [Indicator](ti-indicator.md).
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url".
-application | String | The application associated with the indicator.
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed".
-sourceType | Enum | "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API.
-source | string | The name of the user/application that submitted the indicator.
-createdBy | String | Unique identity of the user/application that submitted the indicator.
-lastUpdatedBy | String | Identity of the user/application that last updated the indicator.
-creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
-expirationTime | DateTimeOffset | The expiration time of the indicator.
-lastUpdateTime | DateTimeOffset | The last time the indicator was updated.
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
-title | String | Indicator title.
-description | String | Description of the indicator.
-recommendedActions | String | Recommended actions for the indicator.
-rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.
-
-
-## Json representation
-
-```json
-{
- "id": "994",
- "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
- "indicatorType": "FileSha256",
- "action": "AlertAndBlock",
- "application": null,
- "source": "user@contoso.onmicrosoft.com",
- "sourceType": "User",
- "createdBy": "user@contoso.onmicrosoft.com",
- "severity": "Informational",
- "title": "Michael test",
- "description": "test",
- "recommendedActions": "nothing",
- "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
- "expirationTime": null,
- "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
- "lastUpdatedBy": null,
- "rbacGroupNames": ["team1"]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
deleted file mode 100644
index efce09619a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Microsoft Defender Security Center time zone settings
-description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information.
-keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Microsoft Defender Security Center time zone settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-settings-abovefoldlink)
-
-Use the **Time zone** menu  to configure the time zone and view license information.
-
-## Time zone settings
-The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
-
-Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings.
-
-Microsoft Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
-
-Your current time zone setting is shown in the Microsoft Defender for Endpoint menu. You can change the displayed time zone in the **Time zone** menu.
-
-.
-
-### UTC time zone
-Microsoft Defender for Endpoint uses UTC time by default.
-
-Setting the Microsoft Defender for Endpoint time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
-
-### Local time zone
-You can choose to have Microsoft Defender for Endpoint use local time zone settings. All alerts and events will be displayed using your local time zone.
-
-The local time zone is taken from your device’s regional settings. If you change your regional settings, the Microsoft Defender for Endpoint time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender for Endpoint will be aligned to local time for all Microsoft Defender for Endpoint users. Analysts located in different global locations will now see the Microsoft Defender for Endpoint alerts according to their regional settings.
-
-Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
-
-### Set the time zone
-The Microsoft Defender for Endpoint time zone is set by default to UTC.
-Setting the time zone also changes the times for all Microsoft Defender for Endpoint views.
-To set the time zone:
-
-1. Click the **Time zone** menu .
-2. Select the **Timezone UTC** indicator.
-3. Select **Timezone UTC** or your local time zone, for example -7:00.
-
-### Regional settings
-To apply different date formats for Microsoft Defender for Endpoint, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
-
-
-**Internet Explorer (IE) and Microsoft Edge**
-
-IE and Microsoft Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
-
-
-#### Known issues with regional formats
-
-**Date and time formats**
-There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings.
-
-The following date and time formats are supported:
-- Date format MM/dd/yyyy
-- Date format dd/MM/yyyy
-- Time format hh:mm:ss (12 hour format)
-
-The following date and time formats are currently not supported:
-- Date format yyyy-MM-dd
-- Date format dd-MMM-yy
-- Date format dd/MM/yy
-- Date format MM/dd/yy
-- Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss (24 hour format)
-
-**Decimal symbol used in numbers**
-Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
deleted file mode 100644
index c25e934d20..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Troubleshoot problems with attack surface reduction rules
-description: Resources and sample code to troubleshoot issues with attack surface reduction rules in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.date: 03/27/2019
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: mde
----
-
-# Troubleshoot attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
-
-- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
-
-- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
-
-There are four steps to troubleshooting these problems:
-
-1. [Confirm prerequisites](#confirm-prerequisites)
-
-2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)
-
-3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)
-
-4. [Submit support logs](#collect-diagnostic-data-for-file-submissions)
-
-## Confirm prerequisites
-
-Attack surface reduction rules will only work on devices with the following conditions:
-
-- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-
-- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-
-- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
-
-If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
-
-## Use audit mode to test the rule
-
-You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
-
-Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with.
-
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
-
-2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-
-3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
-
-If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
-
-Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
-
-1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-
-2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
-
-## Add exclusions for a false positive
-
-If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
-
-To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
-
->[!IMPORTANT]
->You can specify individual files and folders to be excluded, but you cannot specify individual rules.
->This means any files or folders that are excluded will be excluded from all ASR rules.
-
-## Report a false positive or false negative
-
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
-
-## Collect diagnostic data for file submissions
-
-When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
-
-1. Open an elevated command prompt and change to the Windows Defender directory:
-
- ```console
- cd "c:\program files\windows defender"
- ```
-
-2. Run this command to generate the diagnostic logs:
-
- ```console
- mpcmdrun -getfiles
- ```
-
-3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
-
-## Related articles
-
-- [Attack surface reduction rules](attack-surface-reduction.md)
-
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
deleted file mode 100644
index a0705e4829..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Collect support logs in Microsoft Defender for Endpoints using live response
-description: Learn how to collect logs using live response to troubleshoot Microsoft Defender for Endpoints issues
-keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
-ms.technology: mde
----
-
-# Collect support logs in Microsoft Defender for Endpoint using live response
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.
-
-This topic provides instructions on how to run the tool via Live Response.
-
-1. Download the appropriate script
- * Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer).
- - Result package approximate size: ~100Kb
- * Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV).
- - Result package approximate size: ~10Mb
-
-2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
-
-3. Select **Upload file to library**.
-
- 
-
-4. Select **Choose file**.
-
- 
-
-5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm**
-
-
- 
-
-
-6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
-
- ```console
- Run MDELiveAnalyzer.ps1
- GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto
- ```
-
- 
-
-
->[!NOTE]
-> - The latest preview version of MDEClientAnalyzer can be downloaded here: [https://aka.ms/Betamdeanalyzer](https://aka.ms/Betamdeanalyzer).
->
-> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
->
-> If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:
->
-> ```console
-> PutFile MDEClientAnalyzerPreview.zip -overwrite
-> Run MDELiveAnalyzer.ps1
-> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto
-> ```
->
-> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
deleted file mode 100644
index 6169ebd01f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ /dev/null
@@ -1,206 +0,0 @@
----
-title: Troubleshoot exploit protection mitigations
-keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
-description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead.
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-ms.date: 08/09/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Troubleshoot exploit protection mitigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
-
-You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
-
-1. Remove all process mitigations with this PowerShell script:
-
- ```PowerShell
- # Check if Admin-Privileges are available
- function Test-IsAdmin {
- ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
- }
-
- # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
- # the key is deleted as well
- function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
- Try {
- if ($Key.GetValue("MitigationOptions")) {
- Write-Host "Removing MitigationOptions for: " $Name
- Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
- }
- if ($Key.GetValue("MitigationAuditOptions")) {
- Write-Host "Removing MitigationAuditOptions for: " $Name
- Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
- }
-
- # Remove the FilterFullPath value if there is nothing else
- if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
- Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
- }
-
- # If the key is empty now, delete it
- if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
- Write-Host "Removing empty Entry: " $Name
- Remove-Item -Path $Key.PSPath -ErrorAction Stop
- }
- }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
- }
- }
-
- # Delete all ExploitGuard ProcessMitigations
- function Remove-All-ProcessMitigations {
- if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
- }
-
- Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
- $MitigationItem = $_;
- $MitigationItemName = $MitigationItem.PSChildName
-
- Try {
- Remove-ProcessMitigations $MitigationItem $MitigationItemName
-
- # "UseFilter" indicate full path filters may be present
- if ($MitigationItem.GetValue("UseFilter")) {
- Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
- $FullPathItem = $_
- if ($FullPathItem.GetValue("FilterFullPath")) {
- $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
- Write-Host "Removing FullPathEntry: " $Name
- Remove-ProcessMitigations $FullPathItem $Name
- }
-
- # If there are no subkeys now, we can delete the "UseFilter" value
- if ($MitigationItem.SubKeyCount -eq 0) {
- Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
- }
- }
- }
- if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
- Write-Host "Removing empty Entry: " $MitigationItemName
- Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
- }
- }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
- }
- }
- }
-
- # Delete all ExploitGuard System-wide Mitigations
- function Remove-All-SystemMitigations {
-
- if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
- }
-
- $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
-
- Try {
- if ($Kernel.GetValue("MitigationOptions"))
- { Write-Host "Removing System MitigationOptions"
- Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
- }
- if ($Kernel.GetValue("MitigationAuditOptions"))
- { Write-Host "Removing System MitigationAuditOptions"
- Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
- }
- } Catch {
- Write-Host "ERROR:" $_.Exception.Message "- System"
- }
- }
-
- Remove-All-ProcessMitigations
- Remove-All-SystemMitigations
- ```
-
-2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
-
- ```xml
-
-
-There are some known issues with the time and date formats.
-
-The following date formats are supported:
-- MM/dd/yyyy
-- dd/MM/yyyy
-
-The following date and time formats are currently not supported:
-- Date format yyyy/MM/dd
-- Date format dd/MM/yy
-- Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
-
-**Use of comma to indicate thousand**
-Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
-
-## Microsoft Defender for Endpoint tenant was automatically created in Europe
-When you use Azure Security Center to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default.
-
-
-
-
-
-## Related topics
-- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
-- [Review events and errors using Event Viewer](event-error-codes.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
deleted file mode 100644
index 05563e45c4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Troubleshoot problems with Network protection
-description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-ms.date: 01/26/2021
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Troubleshoot network protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- IT administrators
-
-When you use [Network protection](network-protection.md) you may encounter issues, such as:
-
-- Network protection blocks a website that is safe (false positive)
-- Network protection fails to block a suspicious or known malicious website (false negative)
-
-There are four steps to troubleshooting these problems:
-
-1. Confirm prerequisites
-2. Use audit mode to test the rule
-3. Add exclusions for the specified rule (for false positives)
-4. Submit support logs
-
-## Confirm prerequisites
-
-Network protection will only work on devices with the following conditions:
-
->[!div class="checklist"]
-> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
-> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
-
-## Use audit mode
-
-You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
-
-1. Set network protection to **Audit mode**.
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection AuditMode
- ```
-
-2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-
-3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
-
- If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection Enabled
- ```
-
-## Report a false positive or false negative
-
-If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
-
-See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives).
-
-## Exclude website from network protection scope
-
-To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
-
-## Collect diagnostic data for file submissions
-
-When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
-
-1. Open an elevated command prompt and change to the Windows Defender directory:
-
- ```console
- cd c:\program files\windows defender
- ```
-
-2. Run this command to generate the diagnostic logs:
-
- ```console
- mpcmdrun -getfiles
- ```
-
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
-
-## Related topics
-
-- [Network protection](network-protection.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-- [Enable network protection](enable-network-protection.md)
-- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
deleted file mode 100644
index 995a0869a4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Troubleshoot onboarding issues and error messages
-description: Troubleshoot onboarding issues and error message while completing setup of Microsoft Defender Advanced Threat Protection.
-keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
-ms.technology: mde
----
-
-# Troubleshoot subscription and portal access issues
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
-
-
-This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender for Endpoint service.
-
-If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
-
-## No subscriptions found
-
-If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender for Endpoint license.
-
-Potential reasons:
-- The Windows E5 and Office E5 licenses are separate licenses.
-- The license was purchased but not provisioned to this Azure AD instance.
- - It could be a license provisioning issue.
- - It could be you inadvertently provisioned the license to a different Microsoft Azure AD than the one used for authentication into the service.
-
-For both cases, you should contact Microsoft support at [General Microsoft Defender for Endpoint Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
-[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
-
-
-
-## Your subscription has expired
-
-If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender for Endpoint subscription, like any other online service subscription, has an expiration date.
-
-You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license.
-
-> [!NOTE]
-> For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-
-
-## You are not authorized to access the portal
-
-If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender for Endpoint is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
-For more information, see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
-
-
-
-## Data currently isn't available on some sections of the portal
-If the portal dashboard and other sections show an error message such as "Data currently isn't available":
-
-
-
-You'll need to allow the `securitycenter.windows.com` and all subdomains under it. For example, `*.securitycenter.windows.com`.
-
-
-## Portal communication issues
-If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are allowed and open for communication.
-
-- `*.blob.core.windows.net`
-- `crl.microsoft.com`
-- `https://*.microsoftonline-p.com`
-- `https://*.securitycenter.windows.com`
-- `https://automatediracs-eus-prd.securitycenter.windows.com`
-- `https://login.microsoftonline.com`
-- `https://login.windows.net`
-- `https://onboardingpackagescusprd.blob.core.windows.net`
-- `https://secure.aadcdn.microsoftonline-p.com`
-- `https://securitycenter.windows.com`
-- `https://static2.sharepointonline.com`
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
deleted file mode 100644
index 52bbe320a4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ /dev/null
@@ -1,453 +0,0 @@
----
-title: Troubleshoot Microsoft Defender ATP onboarding issues
-description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service.
-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
-ms.technology: mde
----
-
-# Troubleshoot Microsoft Defender for Endpoint onboarding issues
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- Windows Server 2012 R2
-- Windows Server 2016
-
-You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you encounter issues.
-This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
-
-## Troubleshoot issues with onboarding tools
-
-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
-
-### Troubleshoot onboarding when deploying with Group Policy
-
-Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
-
-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
-
-If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
-### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
-
-When onboarding devices using the following versions of Configuration Manager:
-
-- Microsoft Endpoint Configuration Manager
-- System Center 2012 Configuration Manager
-- System Center 2012 R2 Configuration Manager
-
-Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.
-
-If the deployment fails, you can check the output of the script on the devices.
-
-If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
-### Troubleshoot onboarding when deploying with a script
-
-**Check the result of the script on the device:**
-
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
-
-2. Go to **Windows Logs** > **Application**.
-
-3. Look for an event from **WDATPOnboarding** event source.
-
-If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
-
-> [!NOTE]
-> The following event IDs are specific to the onboarding script only.
-
-Event ID | Error Type | Resolution steps
-:---:|:---|:---
- `5` | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-`10` | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
Verify that the script has been run as an administrator.
-`15` | Failed to start SENSE service |Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.
-`15` | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
-`30` | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`35` | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
`HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`40` | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`65` | Insufficient privileges| Run the script again with administrator privileges.
-
-### Troubleshoot onboarding issues using Microsoft Intune
-
-You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-
-If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.
-
-Use the following tables to understand the possible causes of issues while onboarding:
-
-- Microsoft Intune error codes and OMA-URIs table
-- Known issues with non-compliance table
-- Mobile Device Management (MDM) event logs table
-
-If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt.
-
-#### Microsoft Intune error codes and OMA-URIs
-
-Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
-:---:|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).
- | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
If it doesn't exist, open an elevated command and add the key.
- | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).
- | | | | All | **Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms:
Enterprise, Education, and Professional.
Server is not supported.
- 0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms:
Enterprise, Education, and Professional.
-
-#### Known issues with non-compliance
-
-The following table provides information on issues with non-compliance and how you can address the issues.
-
-Case | Symptoms | Possible cause and troubleshooting steps
-:---:|:---|:---
- `1` | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete.
- `2` | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
- `3` | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
-
-#### Mobile Device Management (MDM) event logs
-
-View the MDM event logs to troubleshoot issues that might arise during onboarding:
-
-Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
-
-Channel name: Admin
-
-ID | Severity | Event description | Troubleshooting steps
-:---|:---|:---|:---
-1819 | Error | Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
-
-## Troubleshoot onboarding issues on the device
-
-If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender for Endpoint agent.
-
-- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
-- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
-- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
-- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
-- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
-
-### View agent onboarding errors in the device event log
-
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
-
-2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
-
- > [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.
-
-3. Select **Operational** to load the log.
-
-4. In the **Action** pane, click **Filter Current log**.
-
-5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
-
- 
-
-6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
-
-Event ID | Message | Resolution steps
-:---:|:---|:---
- `5` | Microsoft Defender for Endpoint service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
- `6` | Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md).
- `7` | Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again.
- `9` | Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).
If the event happened during offboarding, contact support.
-`10` | Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).
If the problem persists, contact support.
-`15` | Microsoft Defender for Endpoint cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
-`17` | Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support.
-`25` | Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
-`27` | Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
-`29` | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again.
-`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for Endpoint. Failure code: %1 | Contact support.
-`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
-`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
-`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
-`64` | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
-`68` | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
-`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-
-
-
-There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-
-
-
-### Ensure the diagnostic data service is enabled
-
-If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
-
-First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
-
-### Ensure the service is set to start
-
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
-
-1. Open an elevated command-line prompt on the device:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
- If the service is enabled, then the result should look like the following screenshot:
-
- 
-
- If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the device:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc config diagtrack start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
-4. Start the service.
-
- a. In the command prompt, type the following command and press **Enter**:
-
- ```text
- sc start diagtrack
- ```
-
-### Ensure the device has an Internet connection
-
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
-
-WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
-
-To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls) topic.
-
-If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
-
-### Ensure that Microsoft Defender Antivirus is not disabled by a policy
-
-> [!IMPORTANT]
-> The following only applies to devices that have **not** yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
->
-> The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.
-
-**Problem**: The Microsoft Defender for Endpoint service does not start after onboarding.
-
-**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
-
-**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender for Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.
-
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
-
- - DisableAntiSpyware
- - DisableAntiVirus
-
- For example, in Group Policy there should be no entries such as the following values:
-
- - `
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment |
-Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10, version 1709 or later |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
Software product vulnerabilities
-Linux | Not supported (planned)
-
-## Related articles
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Prerequisites & permissions](tvm-prerequisites.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md
deleted file mode 100644
index 9bf4ddccc7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Vulnerable devices report - threat and vulnerability management
-description: A report showing vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
-keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Vulnerable devices report - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
-
-Access the report in the Microsoft Defender Security Center by going to **Reports > Vulnerable devices**
-
-There are two columns:
-
-- Trends (over time). Can show the past 30 days, 3 months, 6 months, or a custom date range.
-- Today (current information)
-
-**Filter**: You can filter the data by vulnerability severity levels, exploit availability, vulnerability age, operating system platform, Windows 10 version, or device group.
-
-**Drill down**: If there is an insight you want to explore further, select the relevant bar chart to view a filtered list of devices in the Device inventory page. From there, you can export the list.
-
-## Severity level graphs
-
-Each device is counted only once according to the most severe vulnerability found on that device.
-
-
-
-## Exploit availability graphs
-
-Each device is counted only once based on the highest level of known exploit.
-
-
-
-## Vulnerability age graphs
-
-Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited.
-
-
-
-## Vulnerable devices by operating system platform graphs
-
-The number of devices on each operating system that are exposed due to software vulnerabilities.
-
-
-
-## Vulnerable devices by Windows 10 version graphs
-
-The number of devices on each Windows 10 version that are exposed due to vulnerable applications or OS.
-
-
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Security recommendations](tvm-security-recommendation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
deleted file mode 100644
index dc46a51f0e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Vulnerabilities in my organization - threat and vulnerability management
-description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability.
-keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-# Vulnerabilities in my organization - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Threat and vulnerability management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.
-
-The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
-
->[!NOTE]
->If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
-
->[!TIP]
->To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
-
-## Navigate to the Weaknesses page
-
-Access the Weaknesses page a few different ways:
-
-- Selecting **Weaknesses** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
-- Global search
-
-### Navigation menu
-
-Go to the threat and vulnerability management navigation menu and select **Weaknesses** to open the list of CVEs.
-
-### Vulnerabilities in global search
-
-1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-
-3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
-
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
-
-## Weaknesses overview
-
-Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
-
-
-
-### Breach and threat insights
-
-View any related breach and threat insights in the **Threat** column when the icons are colored red.
-
- >[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
-
-The breach insights icon is highlighted if there's a vulnerability found in your organization.
-
-
-The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
-
-
-
-### Gain vulnerability insights
-
-If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details, threat insights, and exposed devices.
-
-- The "OS Feature" category is shown in relevant scenarios
-- You can go to the related security recommendation for every CVE with exposed device
-
- 
-
-### Software that isn't supported
-
-CVEs for software that isn't currently supported by threat & vulnerability management is still present in the Weaknesses page. Because the software is not supported, only limited data will be available.
-
-Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
-
- 
-
-## View Common Vulnerabilities and Exposures (CVE) entries in other places
-
-### Top vulnerable software in the dashboard
-
-1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
-
- 
-
-2. Select the software you want to investigate to go to a drilldown page.
-3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability you want to investigate for more information on vulnerability details
-
- 
-
-### Discover vulnerabilities in the device page
-
-View related weaknesses information in the device page.
-
-1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
-2. In the **Devices list** page, select the device name that you want to investigate.
-
- 
-
-3. The device page will open with details and response options for the device you want to investigate.
-4. Select **Discovered vulnerabilities**.
-
- 
-
-5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
-
-#### CVE Detection logic
-
-Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
-
-The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
-
-
-
-## Report inaccuracy
-
-Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
-
-1. Open the CVE on the Weaknesses page.
-2. Select **Report inaccuracy** and a flyout pane will open.
-3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details.
-4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
-
-## Related articles
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Dashboard insights](tvm-dashboard-insights.md)
-- [View and organize the Microsoft Defender for Endpoint Devices list](machines-view-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
deleted file mode 100644
index 2a58bec532..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Mitigate zero-day vulnerabilities - threat and vulnerability management
-description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management.
-keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: article
-ms.technology: mde
----
-
-# Mitigate zero-day vulnerabilities - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited.
-
-Threat and vulnerability management will only display zero-day vulnerabilities it has information about.
-
-## Find information about zero-day vulnerabilities
-
-Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center.
-
-### Threat and vulnerability management dashboard
-
-Look for recommendations with a zero-day tag in the “Top security recommendations” card.
-
-
-
-Find top software with the zero-day tag in the "Top vulnerable software" card.
-
-
-
-### Weaknesses page
-
-Look for the named zero-day vulnerability along with a description and details.
-
-- If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name.
-
-- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
-
-
-
-### Software inventory page
-
-Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.
-
-
-
-### Software page
-
-Look for a zero-day tag for each software that has been affected by the zero–day vulnerability.
-
-
-
-### Security recommendations page
-
-View clear suggestions about remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.
-
-If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities.
-
-
-
-## Addressing zero-day vulnerabilities
-
-Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.
-
-There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
-
-Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
-
-
-
-## Track zero-day remediation activities
-
-Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there's no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category.
-
-## Patching zero-day vulnerabilities
-
-When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
-
-
-
-## Related articles
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Dashboard](tvm-dashboard-insights.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Vulnerabilities in my organization](tvm-weaknesses.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
deleted file mode 100644
index 9d41281585..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: Release device from isolation API
-description: Use this API to create calls related to release a device from isolation.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Release device from isolation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Undo isolation of a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Isolate | 'Isolate machine'
-Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
-```
-
-```json
-{
- "Comment": "Unisolate machine since it was clean and validated"
-}
-
-```
-
-
-- To isolate a device, see [Isolate device](isolate-machine.md).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
deleted file mode 100644
index 41934f0380..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Remove app restriction API
-description: Use this API to create calls related to removing a restriction from applications from executing.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Remove app restriction API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Enable execution of any application on the device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.RestrictExecution | 'Restrict code execution'
-Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/unrestrictCodeExecution
-```
-
-## Request headers
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
-```
-
-```json
-{
- "Comment": "Unrestrict code execution since machine was cleaned and validated"
-}
-
-```
-
-
-To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
deleted file mode 100644
index a19d0d51e1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Update alert entity API
-description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties.
-keywords: apis, graph api, supported apis, get, alert, information, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Update alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## API description
-Updates properties of existing [Alert](alerts.md).
-
Submission of **comment** is available with or without updating properties.
-
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```.
-
-
-## Limitations
-1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alerts.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-PATCH /api/alerts/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
-
-## Request body
-In the request body, supply the values for the relevant fields that should be updated.
-
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
-
For best performance you shouldn't include existing values that haven't change.
-
-Property | Type | Description
-:---|:---|:---
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
-assignedTo | String | Owner of the alert
-classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-comment | String | Comment to be added to the alert.
-
-## Response
-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```http
-PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442
-```
-
-```json
-{
- "status": "Resolved",
- "assignedTo": "secop2@contoso.com",
- "classification": "FalsePositive",
- "determination": "Malware",
- "comment": "Resolve my alert and assign to secop2"
-}
-```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
deleted file mode 100644
index 777f2b2ae4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Overview of Microsoft Defender Security Center
-description: Learn about the features on Microsoft Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
-keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Overview of Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
-
-Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities.
-
-Use the **Security operations** dashboard to gain insight on the various alerts on devices and users in your network.
-
-Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization.
-
-Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
-
-## Microsoft Defender for Endpoint interactive guide
-In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats.
-
-> [!VIDEO https://aka.ms/MSDE-IG]
-
-### In this section
-
-Topic | Description
-:---|:---
-[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
-[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender for Endpoint **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices.
-[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
-[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
deleted file mode 100644
index f312b2554c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Create and manage roles for role-based access control
-description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender Security Center
-keywords: user roles, roles, access rbac
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Create and manage roles for role-based access control
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Create roles and assign the role to an Azure Active Directory group
-
-The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select **Add item**.
-
-4. Enter the role name, description, and permissions you'd like to assign to the role.
-
-5. Select **Next** to assign the role to an Azure AD Security group.
-
-6. Use the filter to select the Azure AD group that you'd like to add to this role to.
-
-7. **Save and close**.
-
-8. Apply the configuration settings.
-
-> [!IMPORTANT]
-> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
-
-### Permission options
-
-- **View data**
- - **Security operations** - View all security operations data in the portal
- - **Threat and vulnerability management** - View threat and vulnerability management data in the portal
-
-- **Active remediation actions**
- - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
- - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
- - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
-
-- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
-
-- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups
-
- > [!NOTE]
- > This setting is only available in the Microsoft Defender for Endpoint administrator (default) role.
-
-- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab
-
-- **Live response capabilities**
- - **Basic** commands:
- - Start a live response session
- - Perform read only live response commands on remote device (excluding file copy and execution
- - **Advanced** commands:
- - Download a file from the remote device via live response
- - Download PE and non-PE files from the file page
- - Upload a file to the remote device
- - View a script from the files library
- - Execute a script on the remote device from the files library
-
-For more information on the available commands, see [Investigate devices using Live response](live-response.md).
-
-## Edit roles
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select the role you'd like to edit.
-
-4. Click **Edit**.
-
-5. Modify the details or the groups that are assigned to the role.
-
-6. Click **Save and close**.
-
-## Delete roles
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select the role you'd like to delete.
-
-4. Click the drop-down button and select **Delete role**.
-
-## Related topic
-
-- [User basic permissions to access the portal](basic-permissions.md)
-- [Create and manage device groups](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md
deleted file mode 100644
index ed14562c20..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/user.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: User resource type
-description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to users.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# User resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-Method|Return Type |Description
-:---|:---|:---
-[List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md).
-[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
deleted file mode 100644
index 887ca33b19..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: View and organize the Incidents queue
-ms.reviewer:
-description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-keywords: view, organize, incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# View and organize the Microsoft Defender for Endpoint Incidents queue
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-
-The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
-
-By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
-
-There are several options you can choose from to customize the Incidents queue view.
-
-On the top navigation you can:
-- Customize columns to add or remove columns
-- Modify the number of items to view per page
-- Select the items to show per page
-- Batch-select the incidents to assign
-- Navigate between pages
-- Apply filters
-
-
-
-## Sort and filter the incidents queue
-You can apply the following filters to limit the list of incidents and get a more focused view.
-
-### Severity
-
-Incident severity | Description
-:---|:---
-High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
-Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
-Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
-Informational (Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
-
-## Assigned to
-You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
-
-### Category
-Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
-
-### Status
-You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
-
-### Data sensitivity
-Use this filter to show incidents that contain sensitivity labels.
-
-## Incident naming
-
-To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
-
-For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
-
-> [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will retain their name.
-
-
-## See also
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [Manage incidents](manage-incidents.md)
-- [Investigate incidents](investigate-incidents.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
deleted file mode 100644
index fa32bd8294..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Vulnerability methods and properties
-description: Retrieves vulnerability information
-keywords: apis, graph api, supported apis, get, vulnerability
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Vulnerability resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
-exploitUris | String collection | Exploit source URLs
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
deleted file mode 100644
index 2fcb052cc9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Web content filtering
-description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories.
-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-> [!IMPORTANT]
-> **Web content filtering is currently in public preview**
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Microsoft Defender for Endpoint preview features](preview.md).
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-
-Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
-
-Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section.
-
-Summarizing the benefits:
-
-- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender for Endpoint role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
-- Access web reports in the same central location, with visibility over actual blocks and web usage
-
-## User experience
-
-The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
-
-For a more user-friendly in-browser experience, consider using Microsoft Edge.
-
-## Prerequisites
-
-Before trying out this feature, make sure you have the following requirements:
-
-- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
-- Access to Microsoft Defender Security Center portal
-- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-
-If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled.
-
-## Data handling
-
-We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers.
-
-## Turn on web content filtering
-
-From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
-
-### Configure web content filtering policies
-
-Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
-
-Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups.
-
-### Create a policy
-
-To add a new policy:
-
-1. Select **Add policy** on the **Web content filtering** page in **Settings**.
-2. Specify a name.
-3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
-4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
-5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices.
-
-Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
-
->[!NOTE]
->If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
-
->[!IMPORTANT]
->Blocking the "Uncategorized" category may lead to unexpected and undesired results.
-
-### Allow specific websites
-
-It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
-
-1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
-2. Enter the domain of the site
-3. Set the policy action to **Allow**.
-
-## Web content filtering cards and details
-
-Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
-
-### Web activity by category
-
-This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
-
-In the first 30 days of using this feature, your organization might not have enough data to display this information.
-
-
-
-### Web content filtering summary card
-
-This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
-
-
-
-### Web activity summary card
-
-This card displays the total number of requests for web content in all URLs.
-
-
-
-### View card details
-
-You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups.
-
-
-
-- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
-
-- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
-
-- **Device groups**: Lists all the device groups that have generated web activity in your organization
-
-Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
-
-## Errors and issues
-
-### Limitations and known issues in this preview
-
-- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers.
-
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
-
-## Related topics
-
-- [Web protection overview](web-protection-overview.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
deleted file mode 100644
index 835cbc6860..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Monitoring web browsing security in Microsoft Defender ATP
-description: Use web protection in Microsoft Defender ATP to monitor web browsing security
-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Monitor web browsing security
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
-
-- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
-
- 
-
-- **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
-
- 
-
->[!Note]
->It can take up to 12 hours before a block is reflected in the cards or the domain list.
-
-## Types of web threats
-
-Web protection categorizes malicious and unwanted websites as:
-
-- **Phishing** - websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information
-- **Malicious** - websites that host malware and exploit code
-- **Custom indicator** - websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
-
-## View the domain list
-
-Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page. This page displays the list of the domains under that threat category. The page provides the following information for each domain:
-
-- **Access count** - number of requests for URLs in the domain
-- **Blocks** - number of times requests were blocked
-- **Access trend** - change in number of access attempts
-- **Threat category** - type of web threat
-- **Devices** - number of devices with access attempts
-
-Select a domain to view the list of devices that have attempted to access URLs in that domain and the list of URLs.
-
-## Related topics
-
-- [Web protection overview](web-protection-overview.md)
-- [Web content filtering](web-content-filtering.md)
-- [Web threat protection](web-threat-protection.md)
-- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
deleted file mode 100644
index 052d013832..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Web protection
-description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Web protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
-
-
-
-## Web threat protection
-
-The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**.
-
-Web threat protection includes:
-- Comprehensive visibility into web threats affecting your organization
-- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the devices that access these URLs
-- A full set of security features that track general access trends to malicious and unwanted websites
-
-## Web content filtering
-
-The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
-
-Web content filtering includes:
-- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
-- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender for Endpoint role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
-- You can access web reports in the same central location, with visibility over actual blocks and web usage
-
-## In this section
-
-Topic | Description
-:---|:---
-[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked.
-[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
deleted file mode 100644
index 3abe8edad9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Respond to web threats in Microsoft Defender ATP
-description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
-keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Respond to web threats
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection in Microsoft Defender for Endpoint lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
-
-## View web threat alerts
-Microsoft Defender for Endpoint generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity:
-- **Suspicious connection blocked by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode
-- **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode
-
-Each alert provides the following information:
-- Device that attempted to access the blocked website
-- Application or program used to send the web request
-- Malicious URL or URL in the custom indicator list
-- Recommended actions for responders
-
-
-
->[!Note]
->To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
-
-## Inspect website details
-You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including:
-- Devices that attempted to access website
-- Incidents and alerts related to the website
-- How frequent the website was seen in events in your organization
-
- 
-
-[Learn more about URL or domain entity pages](investigate-domain.md)
-
-## Inspect the device
-You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device.
-
-[Learn more about device entity pages](investigate-machines.md)
-
-## Web browser and Windows notifications for end users
-
-With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.
-
-
-*Web threat blocked on Microsoft Edge*
-
-
-*Web threat blocked on Chrome*
-
-## Related topics
-- [Web protection overview](web-protection-overview.md)
-- [Web content filtering](web-content-filtering.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
deleted file mode 100644
index 77a0809bf4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Protect your organization against web threats
-description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Protect your organization against web threats
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
-
->[!Note]
->It can take up to an hour for devices to receive new customer indicators.
-
-## Prerequisites
-Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
-
-To turn on network protection on your devices:
-- Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline)
-- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
-
->[!Note]
->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
-
-## Related topics
-
-- [Web protection overview](web-protection-overview.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
-- [Network protection](network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
deleted file mode 100644
index 1eb35c6079..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ /dev/null
@@ -1,208 +0,0 @@
----
-title: What's new in Microsoft Defender ATP
-description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server.
-keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
- - m365-security-compliance
- - m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.technology: mde
----
-
-# What's new in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-The following features are generally available (GA) in the latest release of Microsoft Defender for Endpoint as well as security features in Windows 10 and Windows Server.
-
-For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
-
-
-> [!TIP]
-> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
->
-> ```https
-> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
-> ```
-
-
-## January 2021
-
-- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop.
-
-## December 2020
-- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md)
Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.
-
-## September 2020
-- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Android.
-- [Threat and vulnerability management macOS support](tvm-supported-os.md)
Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
-
-
-## August 2020
-- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
-
-
-## July 2020
-- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
-
-## June 2020
-- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender for Endpoint now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Linux.
-
-- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-
-
-## April 2020
-
-- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-
-## November-December 2019
-
-- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
-
-- [Threat & Vulnerability Management application and application version end-of-life information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
-
-- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
-
- - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
-
-- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
-
-## October 2019
-
-- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
You can now allow or block URLs/domains using your own threat intelligence.
-
-
-- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
-
-- [Connected Azure AD applications](connected-applications.md)
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.
-
-- [API Explorer](api-explorer.md)
The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender for Endpoint API endpoint.
-
-
-## September 2019
-
-- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
-
-- [Live response](live-response.md)
Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
-
-- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can
- focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
-
-- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
-
-
-## June 2019
-
-- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
-- [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization.
-
-## May 2019
-
-- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization.
-
-
-- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-
-- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
APIs for indicators are now generally available.
-
-
-- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-
-
-## April 2019
-- [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
-
-- [Microsoft Defender for Endpoint API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.
-
-
-
-## February 2019
-- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
-
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
-
-
-## October 2018
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019.
-
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019.
-
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
-
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
-
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-
-- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
-
-- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
iOS and Android devices are now supported and can be onboarded to the service.
-
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
-Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
-- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- - Block Adobe Reader from creating child processes
- - Block Office communication application from creating child processes.
-
-- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
-
-
-
-## March 2018
-- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-Query data using advanced hunting in Microsoft Defender for Endpoint.
-
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
- New attack surface reduction rules:
- - Use advanced protection against ransomware
- - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- - Block process creations originating from PSExec and WMI commands
- - Block untrusted and unsigned processes that run from USB
- - Block executable content from email client and webmail
-
-- [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
Use Automated investigations to investigate and remediate threats.
-
- >[!NOTE]
- >Available from Windows 10, version 1803 or later.
-
-- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data.
-
-- [Microsoft Defender for Endpoint Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
- The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
-
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
-You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
-
-- [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
- Microsoft Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
-
-- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
- Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
-
-
-- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
-Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
-
- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index ace344e032..022c938160 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -26,7 +26,7 @@ See [Windows 10 (and later) settings to protect devices using Intune](https://do
## Group Policy settings
-SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
+SmartScreen uses registry-based Administrative Template policy settings.
