From 8717b9f7bab9fc6ae2b3c19a35d3a1f385e5793a Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Sun, 29 Jul 2018 00:43:14 -0700
Subject: [PATCH 01/31] update yaml to remove table

---
 windows/security/index.yml | 62 +++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 25 deletions(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index 05c303413e..e2e61a742b 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -16,9 +16,9 @@ metadata:
 
   ms.localizationpriority: high
 
-  author: brianlic-msft
+  author: mjcaparas
 
-  ms.author: brianlic
+  ms.author: macapara
 
   manager: brianlic
 
@@ -58,16 +58,6 @@ sections:
 
       title: Identity and access management
 
-    - href: \windows\security\threat-protection\
-
-      html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
-
-      image:
-
-        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
-      title: Threat protection
-
     - href: \windows\security\information-protection\
 
       html: <p>Identify and secure critical data to prevent data loss</p>
@@ -78,17 +68,39 @@ sections:
 
       title: Information protection
 
-- title: Windows Defender Advanced Threat Protection
+
+    - href: \windows\security\hardware-protection\
+
+      html: <p>Protect and maintain system integrity</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
+
+      title: Hardware-based protection
+
+- title:
+
   items:
-  - type: markdown
-    text: "
-      Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
-      <br>&nbsp;<br>
-      <table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
-      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
-      <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
-      <td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
-      <td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
-      <td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
-      </tr>
-      </table>"
\ No newline at end of file
+
+   - type: list
+
+    style: cards
+
+    className: cardsM
+
+    columns: 3
+
+    items:
+
+      - href: \windows\security\threat-protection\
+
+      html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
+
+      title: Threat protection
+
+    

From 139d9e008f096c9d3ebbb0294a27c2ee6c16234b Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Sun, 29 Jul 2018 14:38:11 +0300
Subject: [PATCH 02/31] update yml

---
 windows/security/index.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index e2e61a742b..e40423177f 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -79,7 +79,7 @@ sections:
 
       title: Hardware-based protection
 
-- title:
+- title: Second row
 
   items:
 

From 7cd7e470d32bef451ea0cc2306eb1df3a4db2b19 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Sun, 29 Jul 2018 15:36:17 +0300
Subject: [PATCH 03/31] fix indent

---
 windows/security/index.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index e40423177f..5d351f78d0 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -95,9 +95,9 @@ sections:
 
       - href: \windows\security\threat-protection\
 
-      html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
+		html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
 
-      image:
+		image:
 
         src: https://docs.microsoft.com/media/common/i_threat-protection.svg
 

From 9e76a1ede38c46f0f59f7d8c2e2e909b07f56b63 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 11:56:35 +0300
Subject: [PATCH 04/31] new toc

---
 windows/security/threat-protection/TOC.md     | 561 +++++++++++-------
 .../security/threat-protection/faketopic.md   |   0
 2 files changed, 331 insertions(+), 230 deletions(-)
 create mode 100644 windows/security/threat-protection/faketopic.md

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index b7ac65f33b..7f03f1788c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,14 +6,28 @@
 
 
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
-### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
-####Get started
+
+### [Get started](fake2.md)
 ##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
 ##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
 ##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
 ##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+
+##### [Evaluate WDATP](evaluate.md)
+###### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+###### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+###### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+###### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+###### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+###### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+###### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+
+
+
+
+### [Onboard and configure](onboard.md)
 #### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
 ##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
 ##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -29,146 +43,91 @@
 ##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+####[Configure ASR](configure1.md)
+
+
+
+
+#### [Configure NGP](configure2.md)
+##### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+###### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+###### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+####### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+###### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+####### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+######## [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+####### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+######## [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+####### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+######## [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+######## [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+######## [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+######## [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+######## [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
+
+##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+
+
+
+####[Configure AutoIR](configure3.md)
+
+
+####[Configure Settings](configure4.md)
+
+
+
+
+
+
+
+### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
+#### [Understand the portal / Windows Defender Security Center ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
 ##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
 ##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+
 ##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 
-####Investigate and remediate threats
-#####Alerts queue
-###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
-###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
-###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
-###### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
-###### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
-###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
-###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
-###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
 
 
 
 
-#####Machines list
-###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-####### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-####### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-####### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 
 
-##### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
-###### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-####### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-####### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-####### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-####### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-
-###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-####### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
 ###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
 ####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
 ####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
 
-#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
-####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+
+
 
 ####API and SIEM support
-##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
-###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
-###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
-###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-
-##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
-###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
-###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
-###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
-###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-#######Actor
-######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#######Alerts
-######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-########Domain
-#########  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#######File
-######## [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-######## [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-#######IP
-######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#######Machines
-######## [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-######## [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-######## [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-######## [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-######## [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-######## [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-######## [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-######## [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-######## [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-######## [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-######## [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-######## [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
 
-#######User
-######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
 ####Reporting
-##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+
 
 ####Check service health and sensor state
 ##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
@@ -187,9 +146,7 @@
 ###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
 
 
-#####Permissions
-###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
 
 #####APIs
 ###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
@@ -212,129 +169,273 @@
 ##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
 
-###	[Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+
+### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+
+#### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+
+#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+
+##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+
+##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+
+##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+
+##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+
+### [Next gen protection](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+
+
+
+### [EDR](faketopic.md)
+####Alerts queue
+##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
+
+####Machines list
+##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+
+#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+
+##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+###### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+###### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+###### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+
+
+
+### [Automatic investigation and remediation](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+
+
+### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+### [Managment and APIs](management-apis.md)
+#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain
+########  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP
+####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+######User
+####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+
+#### [Reporting](reporting.md)
+##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+#### [Permissions](permissions.md)
+##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+
+
+### [Microsoft threat protection - need to make new page - put anchors inside for each integ](integration.md)
+####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### [Troubleshoot everything](troubleshoot.md)
+#### [Review event logs and error codes to troubleshoot issues](windows-demanagement and apisfender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+----------------------
+
+
 #### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-
-#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
 
 
-#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
 
 
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-
-#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
 ##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
 ###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
 ###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
 ###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
 
 
-#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-
-
-##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-
-
-
-##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
 ### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+
 ##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
-##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+
 ##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
 ###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
-#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-
-
-
-
-### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
-
-
-
-
-
-
-### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
-#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
 
 
 ## Other security features
diff --git a/windows/security/threat-protection/faketopic.md b/windows/security/threat-protection/faketopic.md
new file mode 100644
index 0000000000..e69de29bb2

From 2ef592547e04f91af3d8d9142e7d038797b11ef5 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 11:59:54 +0300
Subject: [PATCH 05/31] add topics

---
 windows/security/threat-protection/integration.md                | 0
 windows/security/threat-protection/management-apis.md            | 0
 windows/security/threat-protection/onboard.md                    | 0
 windows/security/threat-protection/troubleshoot.md               | 0
 windows/security/threat-protection/windows-defender-atp/fake2.md | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 windows/security/threat-protection/integration.md
 create mode 100644 windows/security/threat-protection/management-apis.md
 create mode 100644 windows/security/threat-protection/onboard.md
 create mode 100644 windows/security/threat-protection/troubleshoot.md
 create mode 100644 windows/security/threat-protection/windows-defender-atp/fake2.md

diff --git a/windows/security/threat-protection/integration.md b/windows/security/threat-protection/integration.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/management-apis.md b/windows/security/threat-protection/management-apis.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/onboard.md b/windows/security/threat-protection/onboard.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/troubleshoot.md b/windows/security/threat-protection/troubleshoot.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/windows-defender-atp/fake2.md b/windows/security/threat-protection/windows-defender-atp/fake2.md
new file mode 100644
index 0000000000..e69de29bb2

From 9206b8a59c9742e87be7e37dcd3448c85dbf9882 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 13:20:37 +0300
Subject: [PATCH 06/31] fix yaml

---
 windows/security/index.yml | 62 +++++++++++++++-----------------------
 1 file changed, 25 insertions(+), 37 deletions(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index 5d351f78d0..05c303413e 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -16,9 +16,9 @@ metadata:
 
   ms.localizationpriority: high
 
-  author: mjcaparas
+  author: brianlic-msft
 
-  ms.author: macapara
+  ms.author: brianlic
 
   manager: brianlic
 
@@ -58,6 +58,16 @@ sections:
 
       title: Identity and access management
 
+    - href: \windows\security\threat-protection\
+
+      html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
+
+      title: Threat protection
+
     - href: \windows\security\information-protection\
 
       html: <p>Identify and secure critical data to prevent data loss</p>
@@ -68,39 +78,17 @@ sections:
 
       title: Information protection
 
-
-    - href: \windows\security\hardware-protection\
-
-      html: <p>Protect and maintain system integrity</p>
-
-      image:
-
-        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
-      title: Hardware-based protection
-
-- title: Second row
-
+- title: Windows Defender Advanced Threat Protection
   items:
-
-   - type: list
-
-    style: cards
-
-    className: cardsM
-
-    columns: 3
-
-    items:
-
-      - href: \windows\security\threat-protection\
-
-		html: <p>Stop cyberthreats and quickly identify and respond to breaches</p>
-
-		image:
-
-        src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
-      title: Threat protection
-
-    
+  - type: markdown
+    text: "
+      Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
+      <br>&nbsp;<br>
+      <table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
+      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
+      <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
+      <td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
+      <td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
+      <td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
+      </tr>
+      </table>"
\ No newline at end of file

From 3133b5ce81074ff3f5bdf195c2b0af91734a4e3f Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 13:24:03 +0300
Subject: [PATCH 07/31] fix toc

---
 windows/security/threat-protection/TOC.md | 28 +++++++++++------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 7f03f1788c..63eb1b04ad 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -8,21 +8,21 @@
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
 
 ### [Get started](fake2.md)
-##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 
-##### [Evaluate WDATP](evaluate.md)
-###### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-###### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-###### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-###### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-###### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-###### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-###### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [Evaluate WDATP](evaluate.md)
+##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+##### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
 
 
 

From 02cde9e3c0cfccd2f80056d1c99e55c9ec89effd Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 13:49:56 +0300
Subject: [PATCH 08/31] fixes

---
 windows/security/threat-protection/TOC.md | 110 ++++++++++++----------
 1 file changed, 58 insertions(+), 52 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 63eb1b04ad..ddf5ef420a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -92,52 +92,8 @@
 ####[Configure AutoIR](configure3.md)
 
 
-####[Configure Settings](configure4.md)
 
-
-
-
-
-
-
-### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
-#### [Understand the portal / Windows Defender Security Center ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
-##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-
-
-
-
-
-
-
-
-###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-
-
-
-
-####API and SIEM support
-
-
-
-
-####Reporting
-
-
-####Check service health and sensor state
-##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-
-
-####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#### [Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
 #####General
 ###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
 ###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
@@ -162,12 +118,50 @@
 ###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
 ###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
 
-#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+
+
+
+### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
+#### [Understand the portal / Windows Defender Security Center ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+##### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+
+
+
+####API and SIEM support
+
+
+
+
+####Reporting
+
+
+
+
+
+
+
+
+
+
+
 
-#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
 
 
 ### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
@@ -387,6 +381,15 @@
 ### [Troubleshoot everything](troubleshoot.md)
 #### [Review event logs and error codes to troubleshoot issues](windows-demanagement and apisfender-antivirus\troubleshoot-windows-defender-antivirus.md)
 
+####[Check service health and sensor state](troubleshoot-sense.md) 
+##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 
 
 
@@ -413,8 +416,6 @@
 
 
 
-
-----------------------
 
 
 #### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
@@ -438,6 +439,11 @@
 ###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
 
 
+
+#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+
+
 ## Other security features
 ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
 #### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)

From 0e45b69d1373605dc3d56c477062d67e605be19e Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 14:06:06 +0300
Subject: [PATCH 09/31] removed dont know

---
 windows/security/threat-protection/TOC.md | 37 -----------------------
 1 file changed, 37 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index ddf5ef420a..fbd3d8e0ab 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -407,43 +407,6 @@
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-
-
-
-
-##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
-###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
-###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
-###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
-
-
-### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-
-##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-
-
-##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
-###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
-
-
-
-#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-
-
-
 ## Other security features
 ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
 #### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)

From 646dff2c6250e83a3e3f828229096251ef18e0a3 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 14:31:41 +0300
Subject: [PATCH 10/31] fix errors

---
 windows/security/threat-protection/TOC.md                | 2 +-
 windows/security/threat-protection/configure1.md         | 0
 windows/security/threat-protection/configure2.md         | 0
 windows/security/threat-protection/configure3.md         | 0
 windows/security/threat-protection/evaluate.md           | 0
 windows/security/threat-protection/fake2.md              | 0
 windows/security/threat-protection/permissions.md        | 0
 windows/security/threat-protection/reporting.md          | 0
 windows/security/threat-protection/troubleshoot-sense.md | 0
 9 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 windows/security/threat-protection/configure1.md
 create mode 100644 windows/security/threat-protection/configure2.md
 create mode 100644 windows/security/threat-protection/configure3.md
 create mode 100644 windows/security/threat-protection/evaluate.md
 create mode 100644 windows/security/threat-protection/fake2.md
 create mode 100644 windows/security/threat-protection/permissions.md
 create mode 100644 windows/security/threat-protection/reporting.md
 create mode 100644 windows/security/threat-protection/troubleshoot-sense.md

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index fbd3d8e0ab..af377a1af5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -379,7 +379,7 @@
 
 
 ### [Troubleshoot everything](troubleshoot.md)
-#### [Review event logs and error codes to troubleshoot issues](windows-demanagement and apisfender-antivirus\troubleshoot-windows-defender-antivirus.md)
+#### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
 
 ####[Check service health and sensor state](troubleshoot-sense.md) 
 ##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/configure1.md b/windows/security/threat-protection/configure1.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/configure2.md b/windows/security/threat-protection/configure2.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/configure3.md b/windows/security/threat-protection/configure3.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/evaluate.md b/windows/security/threat-protection/evaluate.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/fake2.md b/windows/security/threat-protection/fake2.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/permissions.md b/windows/security/threat-protection/permissions.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/reporting.md b/windows/security/threat-protection/reporting.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/windows/security/threat-protection/troubleshoot-sense.md b/windows/security/threat-protection/troubleshoot-sense.md
new file mode 100644
index 0000000000..e69de29bb2

From 4556fc3337b45298074583f59947ffcb23c87431 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 14:51:23 +0300
Subject: [PATCH 11/31] moved advanced hunting

---
 windows/security/threat-protection/TOC.md | 25 ++++-------------------
 1 file changed, 4 insertions(+), 21 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index af377a1af5..7d0397e3c6 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -137,27 +137,6 @@
 
 
 
-###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-
-
-
-
-####API and SIEM support
-
-
-
-
-####Reporting
-
-
-
-
-
-
-
-
 
 
 
@@ -255,6 +234,10 @@
 
 
 
+#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
 
 ### [Automatic investigation and remediation](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
 

From 135ca4348327f7f394119f596c317c4c21a11a37 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 30 Jul 2018 15:08:22 +0300
Subject: [PATCH 12/31] updates

---
 windows/security/threat-protection/TOC.md | 37 +++++++++++------------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 7d0397e3c6..a2056d0d86 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -48,23 +48,22 @@
 
 
 
-#### [Configure NGP](configure2.md)
-##### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-###### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-###### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-####### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+#### [Configure NGP](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
 
-###### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-####### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-######## [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-####### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-######## [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-####### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-######## [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-######## [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-######## [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-######## [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-######## [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+##### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+###### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+###### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 
 ##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
@@ -78,7 +77,6 @@
 ###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
 ###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
 ##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-
 ##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
 ###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
 ###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
@@ -89,11 +87,12 @@
 
 
 
-####[Configure AutoIR](configure3.md)
+
+####[Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
 
 
 
-#### [Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
 #####General
 ###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
 ###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)

From 85e6d7b2515c69f3efd92516728f4feb917150e6 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 11:01:03 +0300
Subject: [PATCH 13/31] new changes

---
 windows/security/index.yml                    |  2 +-
 windows/security/threat-protection/TOC.md     | 72 ++++++++++---------
 .../security/threat-protection/configure1.md  | 16 +++++
 .../security/threat-protection/configure3.md  | 18 +++++
 .../security/threat-protection/integration.md | 20 ++++++
 .../threat-protection/management-apis.md      | 26 +++++++
 windows/security/threat-protection/onboard.md | 16 +++++
 .../threat-protection/troubleshoot-sense.md   | 18 +++++
 ...ows-defender-advanced-threat-protection.md |  2 +-
 ...ows-defender-advanced-threat-protection.md |  6 +-
 ...ows-defender-advanced-threat-protection.md |  2 +-
 11 files changed, 161 insertions(+), 37 deletions(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index 05c303413e..c06e4aad88 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -85,7 +85,7 @@ sections:
       Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
       <br>&nbsp;<br>
       <table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
-      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
+      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
       <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
       <td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
       <td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a2056d0d86..2340e23606 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -15,20 +15,20 @@
 #### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 
-#### [Evaluate WDATP](evaluate.md)
-##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender ATP](evaluate.md)
+##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 ##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 ##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
 ##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
 ##### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
 ##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 
 
 
-
-### [Onboard and configure](onboard.md)
-#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+### [Onboard and configure machines to Windows Defender ATP](onboard.md)
+#### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
 ##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
 ##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
 ###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
@@ -43,12 +43,21 @@
 ##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+
+
+
+
 ####[Configure ASR](configure1.md)
+##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
 
 
 
 
-#### [Configure NGP](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+
+
+#### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
 ##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
 ##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
 ###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
@@ -88,7 +97,7 @@
 
 
 
-####[Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+#### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
 
 
 
@@ -122,13 +131,11 @@
 
 
 
-### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
-#### [Understand the portal / Windows Defender Security Center ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 
-##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-##### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
 
 
 
@@ -142,21 +149,16 @@
 
 
 
-### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+### [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
 #### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 ##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-
 #### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
 
 
-#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
 ##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
 
-##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
 ##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
 ###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 
@@ -175,7 +177,7 @@
 ##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
 ##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
 
-### [Next gen protection](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+### [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
 #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
 ##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
@@ -188,7 +190,7 @@
 
 
 
-### [EDR](faketopic.md)
+### [Endpoint detection and response - Tomer B.](faketopic.md)
 ####Alerts queue
 ##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -238,13 +240,16 @@
 ##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
 
 
-### [Automatic investigation and remediation](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+### [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
 
 
-### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+###Security posture
+#### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 
 
-### [Managment and APIs](management-apis.md)
+
+### [Management and APIs](management-apis.md)
 #### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
 ##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
@@ -336,7 +341,7 @@
 
 
 
-### [Microsoft threat protection - need to make new page - put anchors inside for each integ](integration.md)
+### [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
 ####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
 
 
@@ -360,18 +365,19 @@
 
 
 
-### [Troubleshoot everything](troubleshoot.md)
-#### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+###Troubleshoot Windows Defender ATP
+#### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
 
-####[Check service health and sensor state](troubleshoot-sense.md) 
+####Troubleshoot sensor state - Ask Heike name of sensor
 ##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
 ##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
 ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
 ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 
 #### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
 
 
 
diff --git a/windows/security/threat-protection/configure1.md b/windows/security/threat-protection/configure1.md
index e69de29bb2..37062fcdb7 100644
--- a/windows/security/threat-protection/configure1.md
+++ b/windows/security/threat-protection/configure1.md
@@ -0,0 +1,16 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# To do: Amitai and Andrea and Justin
diff --git a/windows/security/threat-protection/configure3.md b/windows/security/threat-protection/configure3.md
index e69de29bb2..ecfb414741 100644
--- a/windows/security/threat-protection/configure3.md
+++ b/windows/security/threat-protection/configure3.md
@@ -0,0 +1,18 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# TO do: Benny and joey to write this topic
+
+You can configure it through the portal, see Settings
\ No newline at end of file
diff --git a/windows/security/threat-protection/integration.md b/windows/security/threat-protection/integration.md
index e69de29bb2..6c22bd96e1 100644
--- a/windows/security/threat-protection/integration.md
+++ b/windows/security/threat-protection/integration.md
@@ -0,0 +1,20 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# TO do: Heike, Alon, or Raviv
+
+These are all the products that WDATP integrates with then link to their documentation.
+
+Have links to the different configuration settings and put links there.
\ No newline at end of file
diff --git a/windows/security/threat-protection/management-apis.md b/windows/security/threat-protection/management-apis.md
index e69de29bb2..44ff4dfc98 100644
--- a/windows/security/threat-protection/management-apis.md
+++ b/windows/security/threat-protection/management-apis.md
@@ -0,0 +1,26 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# To do: Raviv 
+
+Talk about all the tools that you can use with WDATP 
+
+OR one liner
+
+wdatp allows you to interact with the platform and other systems
+
+enable to manage and interact with the system
+
+APIs, SIEM connectors, Reporting, powerbi, etc
\ No newline at end of file
diff --git a/windows/security/threat-protection/onboard.md b/windows/security/threat-protection/onboard.md
index e69de29bb2..f9ac29a1f8 100644
--- a/windows/security/threat-protection/onboard.md
+++ b/windows/security/threat-protection/onboard.md
@@ -0,0 +1,16 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# TO do: naama and joey to write this topic
\ No newline at end of file
diff --git a/windows/security/threat-protection/troubleshoot-sense.md b/windows/security/threat-protection/troubleshoot-sense.md
index e69de29bb2..bcc523b5a6 100644
--- a/windows/security/threat-protection/troubleshoot-sense.md
+++ b/windows/security/threat-protection/troubleshoot-sense.md
@@ -0,0 +1,18 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# TO do: Heike
+
+What do you want to call sense 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
index a59d266c4b..3d8ae4ab64 100644
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ ms.date: 05/21/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-
+BENNY: look at this page and see if there are "settings/ configurations" if yes, point them to the settings page and remove it from here.
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
 
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 97d408e645..3c6c0f6222 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,11 @@ ms.date: 07/01/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-You need to onboard machines to Windows Defender ATP before you can use the service.
+You need to turn on the sensor to give visibility within Windows Defender ATP.
+
+JOEY: LOOK INTO THIS AGAIN - REVISE
+OWNER: NAAMA
+
 
 For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
 
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 769e84dfb8..da8569a91a 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -32,7 +32,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable
 
 Topic | Description
 :---|:---
-[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
+General settings | Modify your general settings that were previously defined as part of the onboarding process.
 Permissions | Manage portal access using RBAC as well as machine groups.
 APIs | Enable the threat intel and SIEM integration.
 Rules | Configure suppressions rules and automation settings.

From 55a8cb56299083592c2852588e3541193d0ff4a8 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 13:26:16 +0300
Subject: [PATCH 14/31] new toc

---
 .../windows-defender-atp/TOC.md               | 1112 ++++++++++++++---
 1 file changed, 938 insertions(+), 174 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 193fddfef8..7122f7a162 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,203 +1,967 @@
-# [Windows Defender Security Center](windows-defender-security-center-atp.md)
-##Get started
-### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
-## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
-### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
-### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-#### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-#### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune)
-#### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-#### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
-### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
-### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-## [Understand the portal](use-windows-defender-advanced-threat-protection.md)
-### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-### [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+# [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
 
-##Investigate and remediate threats
+## [Get started](fake2.md)
+### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+
+### [Evaluate Windows Defender ATP](evaluate.md)
+#### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+
+
+
+## [Onboard and configure machines to Windows Defender ATP](onboard.md)
+### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
+#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+
+
+
+
+###[Configure ASR](configure1.md)
+#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+
+
+
+
+
+
+### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
+#### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+
+
+
+
+### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+
+
+
+### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+####General
+##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+##### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+
+
+
+
+####APIs
+##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+####Rules
+##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+####Machine management
+##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+
+
+
+## [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+
+### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+
+#### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
+#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+
+#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+
+#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+
+#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+
+## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+#### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+#### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+#### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+
+
+
+## [Endpoint detection and response - Tomer B.](faketopic.md)
 ###Alerts queue
-#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
-
-
-
+#### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
 
 ###Machines list
-#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+#### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+#### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+#### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+##### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+##### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+##### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+##### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 
 
-### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
-#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
-##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-###### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
+#### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+##### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+##### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+##### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+##### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+##### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+##### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+##### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 
-### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+#### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
+##### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+##### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+##### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+##### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+##### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+##### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+##### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+##### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
-## [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md)
 
-## [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
-##API and SIEM support
-### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
-### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+
+## [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+
+
+##Security posture
+### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+
+## [Management and APIs](management-apis.md)
+### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
 #####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
 #####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-#####Domain
-######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+###### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain
+#######  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 
 #####File
-###### [Block file](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file](unblock-file-windows-defender-advanced-threat-protection.md)
+###### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+###### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
 
 #####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+###### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
 #####Machines
-###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
 
 #####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-##Reporting
-### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-
-##Check service health and sensor state
-### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
-### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
-
-###General
-#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
-#### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-#### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-#### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
-#### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+###### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
 
-###Permissions
-#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
-#### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
 
-###APIs
-#### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 
-###Rules
-#### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-#### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-#### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-#### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
 
-###Machine management
-#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
+### [Reporting](reporting.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
 
-## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+### [Permissions](permissions.md)
+#### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+#### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
 
-## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
-## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
-### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 
+
+## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
+###  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##Troubleshoot Windows Defender ATP
+### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+###Troubleshoot sensor state - Ask Heike name of sensor
+#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+#### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+#### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+
+### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Other security features
+## [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
+### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
+### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
+### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+### [Device security](windows-defender-security-center\wdsc-device-security.md)
+### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+
+
+## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+
+## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+## [Security auditing](auditing/security-auditing-overview.md)
+
+### [Basic security audit policies](auditing/basic-security-audit-policies.md)
+#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
+#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
+#### [View the security event log](auditing/view-the-security-event-log.md)
+
+#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
+##### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
+##### [Audit account management](auditing/basic-audit-account-management.md)
+##### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
+##### [Audit logon events](auditing/basic-audit-logon-events.md)
+##### [Audit object access](auditing/basic-audit-object-access.md)
+##### [Audit policy change](auditing/basic-audit-policy-change.md)
+##### [Audit privilege use](auditing/basic-audit-privilege-use.md)
+##### [Audit process tracking](auditing/basic-audit-process-tracking.md)
+##### [Audit system events](auditing/basic-audit-system-events.md)
+
+#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+
+##### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+###### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+###### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
+###### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
+###### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
+###### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
+###### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
+###### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
+###### [Monitor claim types](auditing/monitor-claim-types.md)
+
+##### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
+###### [Audit Credential Validation](auditing/audit-credential-validation.md)
+###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
+###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
+###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
+###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
+##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
+###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
+###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
+###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
+##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
+###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
+###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
+###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
+##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
+##### [Audit Application Group Management](auditing/audit-application-group-management.md)
+##### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
+###### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
+###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
+###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
+##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
+###### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
+###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
+###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
+###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
+###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
+##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
+###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
+###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
+##### [Audit Security Group Management](auditing/audit-security-group-management.md)
+###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
+###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
+###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
+###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
+###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
+###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
+###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
+##### [Audit User Account Management](auditing/audit-user-account-management.md)
+###### [Event 4720 S: A user account was created.](auditing/event-4720.md)
+###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
+###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
+###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
+###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
+###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
+###### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
+###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
+###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
+###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
+###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
+###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
+###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
+###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
+###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
+###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
+##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
+###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
+###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
+###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
+###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
+##### [Audit PNP Activity](auditing/audit-pnp-activity.md)
+###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
+###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
+###### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
+###### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
+###### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
+###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
+###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
+##### [Audit Process Creation](auditing/audit-process-creation.md)
+###### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
+###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
+##### [Audit Process Termination](auditing/audit-process-termination.md)
+###### [Event 4689 S: A process has exited.](auditing/event-4689.md)
+##### [Audit RPC Events](auditing/audit-rpc-events.md)
+###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
+###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
+###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
+###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
+###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
+###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
+###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
+###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
+###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
+##### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
+###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
+###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
+###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
+###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
+###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
+###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
+##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
+###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
+###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
+##### [Audit Account Lockout](auditing/audit-account-lockout.md)
+###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+##### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
+###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
+##### [Audit Group Membership](auditing/audit-group-membership.md)
+###### [Event 4627 S: Group membership information.](auditing/event-4627.md)
+##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
+##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
+##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
+##### [Audit Logoff](auditing/audit-logoff.md)
+###### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
+###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
+##### [Audit Logon](auditing/audit-logon.md)
+###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
+###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
+###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
+##### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
+##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
+###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
+###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
+###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
+###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
+###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
+###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
+###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
+###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
+###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
+###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
+##### [Audit Special Logon](auditing/audit-special-logon.md)
+###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
+###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
+##### [Audit Application Generated](auditing/audit-application-generated.md)
+##### [Audit Certification Services](auditing/audit-certification-services.md)
+##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
+###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
+##### [Audit File Share](auditing/audit-file-share.md)
+###### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
+###### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
+###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
+###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
+###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
+##### [Audit File System](auditing/audit-file-system.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Event 5051: A file was virtualized.](auditing/event-5051.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
+###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
+###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
+###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
+###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
+###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
+###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
+###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
+###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
+###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
+##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
+###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
+###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
+##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
+###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
+##### [Audit Kernel Object](auditing/audit-kernel-object.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
+###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
+###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
+###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
+###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
+###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
+###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
+###### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
+###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
+###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
+###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
+###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
+###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
+##### [Audit Registry](auditing/audit-registry.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
+###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+##### [Audit Removable Storage](auditing/audit-removable-storage.md)
+##### [Audit SAM](auditing/audit-sam.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
+###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
+##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
+###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
+###### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
+###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
+###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
+###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
+###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
+###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
+###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
+###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
+##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
+###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
+###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
+###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
+###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
+###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
+###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
+###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
+###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
+###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
+###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
+###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
+##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
+###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
+###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
+###### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
+###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
+##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
+##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
+###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
+###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
+###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
+###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
+###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
+###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
+###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
+###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
+###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
+###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
+###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
+###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
+###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
+###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
+##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
+###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
+###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
+###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
+###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
+###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
+###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
+###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
+###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
+###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
+###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
+###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
+###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
+###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
+###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
+###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
+###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
+##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
+##### [Audit Other System Events](auditing/audit-other-system-events.md)
+###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
+###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
+###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
+###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
+###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
+###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
+###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
+###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
+###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
+###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
+###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
+###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
+###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
+###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
+###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
+###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
+###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
+###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
+###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
+###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
+###### [Event 6407: 1%.](auditing/event-6407.md)
+###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
+###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
+##### [Audit Security State Change](auditing/audit-security-state-change.md)
+###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
+###### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
+###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
+##### [Audit Security System Extension](auditing/audit-security-system-extension.md)
+###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
+###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
+###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
+###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
+###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
+##### [Audit System Integrity](auditing/audit-system-integrity.md)
+###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
+###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
+###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
+###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
+###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
+###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
+###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
+###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
+###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
+###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
+###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
+###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
+##### [Other Events](auditing/other-events.md)
+###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
+###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
+###### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
+###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
+###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
+##### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
+##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
+##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+
+
+
+
+
+### [Security policy settings](security-policy-settings/security-policy-settings.md)
+### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
+#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
+### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
+### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
+#### [Account Policies](security-policy-settings/account-policies.md)
+##### [Password Policy](security-policy-settings/password-policy.md)
+###### [Enforce password history](security-policy-settings/enforce-password-history.md)
+###### [Maximum password age](security-policy-settings/maximum-password-age.md)
+###### [Minimum password age](security-policy-settings/minimum-password-age.md)
+###### [Minimum password length](security-policy-settings/minimum-password-length.md)
+###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
+###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
+##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
+###### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
+###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
+###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
+##### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
+###### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
+###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
+###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
+###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
+###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
+#### [Audit Policy](security-policy-settings/audit-policy.md)
+#### [Security Options](security-policy-settings/security-options.md)
+##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
+##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
+##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
+##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
+##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
+##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
+##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
+##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
+##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
+##### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
+##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
+##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
+##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
+##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
+##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
+##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
+##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
+##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
+##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
+##### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
+##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
+##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
+##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
+##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
+##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
+##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
+##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
+##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
+##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
+##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
+##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
+##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
+##### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
+##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
+##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
+##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
+##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
+##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
+##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
+##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
+##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
+##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
+##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
+##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
+##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
+##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
+##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
+##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
+##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
+##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
+##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
+##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
+##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
+##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
+##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
+##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
+##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+#####  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
+##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
+##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
+##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
+##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
+##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
+##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
+##### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
+##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
+##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
+##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
+##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
+##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
+##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
+##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
+##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
+##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
+##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
+##### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
+##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
+##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
+##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
+##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
+##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
+##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
+##### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
+##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
+##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
+##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
+##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
+##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
+##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
+##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
+##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
+##### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
+##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
+##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
+#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
+#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
+##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
+##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
+##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
+##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
+##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
+##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
+##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
+##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
+##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
+##### [Change the system time](security-policy-settings/change-the-system-time.md)
+##### [Change the time zone](security-policy-settings/change-the-time-zone.md)
+##### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
+##### [Create a token object](security-policy-settings/create-a-token-object.md)
+##### [Create global objects](security-policy-settings/create-global-objects.md)
+##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
+##### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
+##### [Debug programs](security-policy-settings/debug-programs.md)
+##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
+##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
+##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
+##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
+##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
+##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
+##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
+##### [Generate security audits](security-policy-settings/generate-security-audits.md)
+##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
+##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
+##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
+##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
+##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
+##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
+##### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
+##### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
+##### [Modify an object label](security-policy-settings/modify-an-object-label.md)
+##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
+##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
+##### [Profile single process](security-policy-settings/profile-single-process.md)
+##### [Profile system performance](security-policy-settings/profile-system-performance.md)
+##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
+##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
+##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
+##### [Shut down the system](security-policy-settings/shut-down-the-system.md)
+##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
+##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+
+
+
+
+
+
+## [Windows security baselines](windows-security-baselines.md)
+## [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+## [Get support](get-support-for-security-baselines.md)
+
+## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
+
+## [Change history for Threat protection](change-history-for-threat-protection.md)

From 85dc378a32dbcca9e2ead9769e16d36ed73a530a Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 14:48:11 +0300
Subject: [PATCH 15/31] fix toc

---
 .../windows-defender-atp/TOC.md               | 824 +++---------------
 1 file changed, 110 insertions(+), 714 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 7122f7a162..eb61137c27 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,14 +1,14 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
+# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
 ## [Get started](fake2.md)
-### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+### [Preview features](preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
-### [Evaluate Windows Defender ATP](evaluate.md)
+### [Evaluate Windows Defender ATP](threat-protection\evaluate.md)
 #### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 #### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
@@ -40,7 +40,7 @@
 
 
 
-###[Configure ASR](configure1.md)
+###[Configure Attack surface reduction](configure1.md)
 #### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
 #### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
 #### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
@@ -90,7 +90,7 @@
 
 
 
-### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
 
 
 
@@ -132,16 +132,6 @@
 
 
 
-
-
-
-
-
-
-
-
-
-
 ## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
 ### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
 #### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
@@ -185,46 +175,46 @@
 
 ## [Endpoint detection and response - Tomer B.](faketopic.md)
 ###Alerts queue
-#### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
 
 ###Machines list
-#### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-#### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-#### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-##### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-##### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 
 
-### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
-#### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-##### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-##### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-##### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-##### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-##### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-##### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-##### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 
-#### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
-##### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-##### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-##### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-##### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-##### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-##### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-##### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-##### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+##### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+##### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+##### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
 
 
@@ -243,90 +233,90 @@
 
 
 ## [Management and APIs](management-apis.md)
-### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
-### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
 #####Actor
-###### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
 #####Alerts
-###### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
 ######Domain
-#######  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+#######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 
 #####File
-###### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
 
 #####IP
-###### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
 #####Machines
-###### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
 
 #####User
-###### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
 
 
 
-### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
 
 ### [Reporting](reporting.md)
-#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 
 ### [Permissions](permissions.md)
 #### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
@@ -339,23 +329,6 @@
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
 
 
 ##Troubleshoot Windows Defender ATP
@@ -388,580 +361,3 @@
 
 
 
-# Other security features
-## [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
-### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
-### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
-### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
-### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-### [Device security](windows-defender-security-center\wdsc-device-security.md)
-### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-### [Family options](windows-defender-security-center\wdsc-family-options.md)
-
-
-## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
-
-
-## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-
-## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
-## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-## [Security auditing](auditing/security-auditing-overview.md)
-
-### [Basic security audit policies](auditing/basic-security-audit-policies.md)
-#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
-#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
-#### [View the security event log](auditing/view-the-security-event-log.md)
-
-#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
-##### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
-##### [Audit account management](auditing/basic-audit-account-management.md)
-##### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
-##### [Audit logon events](auditing/basic-audit-logon-events.md)
-##### [Audit object access](auditing/basic-audit-object-access.md)
-##### [Audit policy change](auditing/basic-audit-policy-change.md)
-##### [Audit privilege use](auditing/basic-audit-privilege-use.md)
-##### [Audit process tracking](auditing/basic-audit-process-tracking.md)
-##### [Audit system events](auditing/basic-audit-system-events.md)
-
-#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-
-##### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-###### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-###### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
-###### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
-###### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
-###### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
-###### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
-###### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
-###### [Monitor claim types](auditing/monitor-claim-types.md)
-
-##### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
-###### [Audit Credential Validation](auditing/audit-credential-validation.md)
-###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
-###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
-###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
-###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
-##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
-###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
-###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
-###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
-##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
-###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
-###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
-###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
-##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
-##### [Audit Application Group Management](auditing/audit-application-group-management.md)
-##### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
-###### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
-###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
-###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
-##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
-###### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
-###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
-###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
-###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
-###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
-##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
-###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
-###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
-##### [Audit Security Group Management](auditing/audit-security-group-management.md)
-###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
-###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
-###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
-###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
-###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
-###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
-###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
-##### [Audit User Account Management](auditing/audit-user-account-management.md)
-###### [Event 4720 S: A user account was created.](auditing/event-4720.md)
-###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
-###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
-###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
-###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
-###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
-###### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
-###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
-###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
-###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
-###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
-###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
-###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
-###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
-###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
-###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
-##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
-###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
-###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
-###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
-###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
-##### [Audit PNP Activity](auditing/audit-pnp-activity.md)
-###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
-###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
-###### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
-###### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
-###### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
-###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
-###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
-##### [Audit Process Creation](auditing/audit-process-creation.md)
-###### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
-###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
-##### [Audit Process Termination](auditing/audit-process-termination.md)
-###### [Event 4689 S: A process has exited.](auditing/event-4689.md)
-##### [Audit RPC Events](auditing/audit-rpc-events.md)
-###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
-##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
-###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
-###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
-###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
-###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
-###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
-###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
-###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
-###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
-##### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
-###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
-###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
-###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
-###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
-###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
-###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
-##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
-###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
-###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
-##### [Audit Account Lockout](auditing/audit-account-lockout.md)
-###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-##### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
-###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
-##### [Audit Group Membership](auditing/audit-group-membership.md)
-###### [Event 4627 S: Group membership information.](auditing/event-4627.md)
-##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
-##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
-##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
-##### [Audit Logoff](auditing/audit-logoff.md)
-###### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
-###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
-##### [Audit Logon](auditing/audit-logon.md)
-###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
-###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
-###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
-##### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
-##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
-###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
-###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
-###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
-###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
-###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
-###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
-###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
-###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
-###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
-###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
-##### [Audit Special Logon](auditing/audit-special-logon.md)
-###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
-###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
-##### [Audit Application Generated](auditing/audit-application-generated.md)
-##### [Audit Certification Services](auditing/audit-certification-services.md)
-##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
-###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
-##### [Audit File Share](auditing/audit-file-share.md)
-###### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
-###### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
-###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
-###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
-###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
-##### [Audit File System](auditing/audit-file-system.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Event 5051: A file was virtualized.](auditing/event-5051.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
-###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
-###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
-###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
-###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
-###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
-###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
-###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
-###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
-###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
-##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
-###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
-###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
-##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
-###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
-##### [Audit Kernel Object](auditing/audit-kernel-object.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
-###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
-###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
-###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
-###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
-###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
-###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
-###### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
-###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
-###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
-###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
-###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
-###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
-##### [Audit Registry](auditing/audit-registry.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
-###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Removable Storage](auditing/audit-removable-storage.md)
-##### [Audit SAM](auditing/audit-sam.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
-###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
-##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
-###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
-###### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
-###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
-###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
-###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
-###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
-###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
-###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
-###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
-##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
-###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
-###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
-###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
-###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
-###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
-###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
-###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
-###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
-###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
-###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
-###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
-##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
-###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
-###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
-###### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
-###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
-##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
-##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
-###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
-###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
-###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
-###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
-###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
-###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
-###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
-###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
-###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
-###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
-###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
-###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
-###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
-###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
-##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
-###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
-###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
-###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
-###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
-###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
-###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
-###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
-###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
-###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
-###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
-###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
-###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
-###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
-###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
-###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
-###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
-##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
-##### [Audit Other System Events](auditing/audit-other-system-events.md)
-###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
-###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
-###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
-###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
-###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
-###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
-###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
-###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
-###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
-###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
-###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
-###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
-###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
-###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
-###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
-###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
-###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
-###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
-###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
-###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
-###### [Event 6407: 1%.](auditing/event-6407.md)
-###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
-###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
-##### [Audit Security State Change](auditing/audit-security-state-change.md)
-###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
-###### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
-###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
-##### [Audit Security System Extension](auditing/audit-security-system-extension.md)
-###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
-###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
-###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
-###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
-###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
-##### [Audit System Integrity](auditing/audit-system-integrity.md)
-###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
-###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
-###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
-###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
-###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
-###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
-###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
-###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
-###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
-###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
-###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
-###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
-##### [Other Events](auditing/other-events.md)
-###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
-###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
-###### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
-###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
-###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
-##### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
-
-
-
-
-
-### [Security policy settings](security-policy-settings/security-policy-settings.md)
-### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
-#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
-### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
-### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
-#### [Account Policies](security-policy-settings/account-policies.md)
-##### [Password Policy](security-policy-settings/password-policy.md)
-###### [Enforce password history](security-policy-settings/enforce-password-history.md)
-###### [Maximum password age](security-policy-settings/maximum-password-age.md)
-###### [Minimum password age](security-policy-settings/minimum-password-age.md)
-###### [Minimum password length](security-policy-settings/minimum-password-length.md)
-###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
-###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
-##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
-###### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
-###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
-###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
-##### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
-###### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
-###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
-###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
-###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
-###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
-#### [Audit Policy](security-policy-settings/audit-policy.md)
-#### [Security Options](security-policy-settings/security-options.md)
-##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
-##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
-##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
-##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
-##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
-##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
-##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
-##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
-##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
-##### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
-##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
-##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
-##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
-##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
-##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
-##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
-##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
-##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
-##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
-##### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
-##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
-##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
-##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
-##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
-##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
-##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
-##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
-##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
-##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
-##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
-##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
-##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
-##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
-##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
-##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
-##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
-##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
-##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
-##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
-##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
-##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
-##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
-##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
-##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
-##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
-##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
-##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-#####  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
-##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
-##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
-##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
-##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
-##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
-##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
-##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
-##### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
-##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
-##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
-##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
-##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
-##### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
-##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
-##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
-##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
-##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
-##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
-##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-##### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
-##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
-##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
-##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
-##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
-##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
-##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
-##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
-##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
-##### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
-##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
-#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
-#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
-##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
-##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
-##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
-##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
-##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
-##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
-##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
-##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
-##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
-##### [Change the system time](security-policy-settings/change-the-system-time.md)
-##### [Change the time zone](security-policy-settings/change-the-time-zone.md)
-##### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
-##### [Create a token object](security-policy-settings/create-a-token-object.md)
-##### [Create global objects](security-policy-settings/create-global-objects.md)
-##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
-##### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
-##### [Debug programs](security-policy-settings/debug-programs.md)
-##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
-##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
-##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
-##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
-##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
-##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
-##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
-##### [Generate security audits](security-policy-settings/generate-security-audits.md)
-##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
-##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
-##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
-##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
-##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
-##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
-##### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
-##### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
-##### [Modify an object label](security-policy-settings/modify-an-object-label.md)
-##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
-##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
-##### [Profile single process](security-policy-settings/profile-single-process.md)
-##### [Profile system performance](security-policy-settings/profile-system-performance.md)
-##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
-##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
-##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
-##### [Shut down the system](security-policy-settings/shut-down-the-system.md)
-##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
-##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
-
-
-
-
-
-
-## [Windows security baselines](windows-security-baselines.md)
-## [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-## [Get support](get-support-for-security-baselines.md)
-
-## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-
-## [Change history for Threat protection](change-history-for-threat-protection.md)

From c3f7e909487ef0e1df55e4b0174fe0fa52971f28 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 15:23:52 +0300
Subject: [PATCH 16/31] fix links

---
 windows/security/threat-protection/TOC.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 2340e23606..a14975455d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -15,8 +15,8 @@
 #### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 
-#### [Evaluate Windows Defender ATP](evaluate.md)
-##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+#### [Evaluate Windows Defender ATP](../../evaluate.md)
+##### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
 ##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 ##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
 ##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)

From 0f2a5707fec1b6e73ae8adb0e29ca16972c6b1e3 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 15:26:11 +0300
Subject: [PATCH 17/31] fix links

---
 windows/security/threat-protection/TOC.md | 1307 ++++++---------------
 1 file changed, 342 insertions(+), 965 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a14975455d..8fe3e22d50 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,974 +1,351 @@
-# [Threat protection](index.md)
-
-
-
-
-
-
-## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
-
-### [Get started](fake2.md)
-#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
-
-#### [Evaluate Windows Defender ATP](../../evaluate.md)
-##### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-##### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-
-
-
-### [Onboard and configure machines to Windows Defender ATP](onboard.md)
-#### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
-###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-
-
-
-
-####[Configure ASR](configure1.md)
-##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-
-
-
-
-
-
-#### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
-
-##### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-###### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-####### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-###### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-####### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-###### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-####### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-####### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-###### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-
-
-
-
-
-#### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
-
-
-
-#### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-#####General
-###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-
-
-
-
-#####APIs
-###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-
-#####Rules
-###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
-
-#####Machine management
-###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
-
-##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
-
-
-
-
-### [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-#### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
-#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-### [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-#### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
-
-
-#### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-
-##### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
-##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-
-#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-
-##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-
-##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-
-
-
-##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-
-### [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
-
-
-
-### [Endpoint detection and response - Tomer B.](faketopic.md)
-####Alerts queue
-##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
-##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
-##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
-##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
-
-####Machines list
-##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
-
-
-#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
-##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-
-##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-###### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-###### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-
-
-
-#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-
-
-### [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
-
-
-###Security posture
-#### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-
-
-
-### [Management and APIs](management-apis.md)
-#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-
-#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-#######Domain
-########  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-
-
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-
-
-
-#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
-##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
-##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
-##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-
-#### [Reporting](reporting.md)
-##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
-
-#### [Permissions](permissions.md)
-##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
-
-
-
-### [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
-####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-###Troubleshoot Windows Defender ATP
-#### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-
-####Troubleshoot sensor state - Ask Heike name of sensor
-##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-
-#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Other security features
-### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
-#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
-#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
-#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
-#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-#### [Device security](windows-defender-security-center\wdsc-device-security.md)
-#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-#### [Family options](windows-defender-security-center\wdsc-family-options.md)
-
-
-### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
-
-
-### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-
-### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
-### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-### [Security auditing](auditing/security-auditing-overview.md)
-
-#### [Basic security audit policies](auditing/basic-security-audit-policies.md)
-##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
-##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
-##### [View the security event log](auditing/view-the-security-event-log.md)
-
-##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
-###### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
-###### [Audit account management](auditing/basic-audit-account-management.md)
-###### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
-###### [Audit logon events](auditing/basic-audit-logon-events.md)
-###### [Audit object access](auditing/basic-audit-object-access.md)
-###### [Audit policy change](auditing/basic-audit-policy-change.md)
-###### [Audit privilege use](auditing/basic-audit-privilege-use.md)
-###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
-###### [Audit system events](auditing/basic-audit-system-events.md)
-
-##### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-
-###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
-####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
-####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
-####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
-####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
-####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
-####### [Monitor claim types](auditing/monitor-claim-types.md)
-
-###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
-####### [Audit Credential Validation](auditing/audit-credential-validation.md)
-####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
-####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
-####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
-####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
-###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
-####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
-####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
-####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
-###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
-####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
-####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
-####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
-###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
-###### [Audit Application Group Management](auditing/audit-application-group-management.md)
-###### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
-####### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
-####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
-####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
-###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
-####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
-####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
-####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
-####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
-####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
-###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
-####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
-####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
-###### [Audit Security Group Management](auditing/audit-security-group-management.md)
-####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
-####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
-####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
-####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
-####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
-####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
-####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
-###### [Audit User Account Management](auditing/audit-user-account-management.md)
-####### [Event 4720 S: A user account was created.](auditing/event-4720.md)
-####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
-####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
-####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
-####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
-####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
-####### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
-####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
-####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
-####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
-####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
-####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
-####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
-####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
-####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
-####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
-###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
-####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
-####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
-####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
-####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
-###### [Audit PNP Activity](auditing/audit-pnp-activity.md)
-####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
-####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
-####### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
-####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
-####### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
-####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
-####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
-###### [Audit Process Creation](auditing/audit-process-creation.md)
-####### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
-####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
-###### [Audit Process Termination](auditing/audit-process-termination.md)
-####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
-###### [Audit RPC Events](auditing/audit-rpc-events.md)
-####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
-###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
-####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
-####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
-####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
-####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
-####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
-####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
-####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
-####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
-###### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
-####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
-####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
-####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
-####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
-####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
-####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
-####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
-###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
-####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
-####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
-###### [Audit Account Lockout](auditing/audit-account-lockout.md)
-####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-###### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
-####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
-###### [Audit Group Membership](auditing/audit-group-membership.md)
-####### [Event 4627 S: Group membership information.](auditing/event-4627.md)
-###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
-###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
-###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
-###### [Audit Logoff](auditing/audit-logoff.md)
-####### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
-####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
-###### [Audit Logon](auditing/audit-logon.md)
-####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
-####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
-####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
-###### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
-###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
-####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
-####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
-####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
-####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
-####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
-####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
-####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
-####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
-####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
-####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
-###### [Audit Special Logon](auditing/audit-special-logon.md)
-####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
-####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
-###### [Audit Application Generated](auditing/audit-application-generated.md)
-###### [Audit Certification Services](auditing/audit-certification-services.md)
-###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
-####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
-###### [Audit File Share](auditing/audit-file-share.md)
-####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
-####### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
-####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
-####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
-####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
-###### [Audit File System](auditing/audit-file-system.md)
-####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
-####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-####### [Event 5051: A file was virtualized.](auditing/event-5051.md)
-####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
-####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
-####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
-####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
-####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
-####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
-####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
-####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
-####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
-####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
-###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
-####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
-####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
-###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
-####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
-###### [Audit Kernel Object](auditing/audit-kernel-object.md)
-####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
-####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
-####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
-####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
-####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
-####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
-####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
-####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
-####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
-####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
-####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
-####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
-####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
-###### [Audit Registry](auditing/audit-registry.md)
-####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
-####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
-####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Audit Removable Storage](auditing/audit-removable-storage.md)
-###### [Audit SAM](auditing/audit-sam.md)
-####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
-####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
-###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
-####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
-####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
-####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
-####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
-####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
-####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
-####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
-####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
-####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
-####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
-###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
-####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
-####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
-####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
-####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
-####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
-####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
-####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
-####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
-####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
-####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
-####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
-###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
-####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
-####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
-####### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
-####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
-####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
-###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
-###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
-####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
-####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
-####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
-####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
-####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
-####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
-####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
-####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
-####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
-####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
-####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
-####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
-####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
-####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
-###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
-####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
-####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
-####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
-####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
-####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
-####### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
-####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
-####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
-####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
-####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
-####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
-####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
-####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
-####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
-####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
-####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
-###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
-####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
-####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
-####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
-###### [Audit Other System Events](auditing/audit-other-system-events.md)
-####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
-####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
-####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
-####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
-####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
-####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
-####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
-####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
-####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
-####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
-####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
-####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
-####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
-####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
-####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
-####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
-####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
-####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
-####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
-####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
-####### [Event 6407: 1%.](auditing/event-6407.md)
-####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
-####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
-###### [Audit Security State Change](auditing/audit-security-state-change.md)
-####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
-####### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
-####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
-###### [Audit Security System Extension](auditing/audit-security-system-extension.md)
-####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
-####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
-####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
-####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
-####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
-###### [Audit System Integrity](auditing/audit-system-integrity.md)
-####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
-####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
-####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
-####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
-####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
-####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
-####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
-####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
-####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
-####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
-####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
-####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
-###### [Other Events](auditing/other-events.md)
-####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
-####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
-####### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
-####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
-####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
-###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
  
-
-
-
-
-#### [Security policy settings](security-policy-settings/security-policy-settings.md)
-#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
-##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
-#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
-#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
-##### [Account Policies](security-policy-settings/account-policies.md)
-###### [Password Policy](security-policy-settings/password-policy.md)
-####### [Enforce password history](security-policy-settings/enforce-password-history.md)
-####### [Maximum password age](security-policy-settings/maximum-password-age.md)
-####### [Minimum password age](security-policy-settings/minimum-password-age.md)
-####### [Minimum password length](security-policy-settings/minimum-password-length.md)
-####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
-####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
-###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
-####### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
-####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
-####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
-###### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
-####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
-####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
-####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
-####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
-####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
-##### [Audit Policy](security-policy-settings/audit-policy.md)
-##### [Security Options](security-policy-settings/security-options.md)
-###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
-###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
-###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
-###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
-###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
-###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
-###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
-###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
-###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
-###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
-###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
-###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
-###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
-###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
-###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
-###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
-###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
-###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
-###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
-###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
-###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
-###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
-###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
-###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
-###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
-###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
-###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
-###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
-###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
-###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
-###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
-###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
-###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
-###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
-###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
-###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
-###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
-###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
-###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
-###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
-###### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
-###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
-###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
-###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
-###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
-###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
-###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
-###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
-###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
-###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
-###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
-###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-######  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
-###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
-###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
-###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
-###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
-###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
-###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
-###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
-###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
-###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
-###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
-###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
-###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
-###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
-###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
-###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
-###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
-###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
-###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
-###### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
-###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
-###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
-###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
-###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
-###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
-###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
-###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
-###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
-###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
-###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
-###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
-###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
-###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
-###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
-###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
-###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
-###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
-###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
-##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
-##### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
-###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
-###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
-###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
-###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
-###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
-###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
-###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
-###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
-###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
-###### [Change the system time](security-policy-settings/change-the-system-time.md)
-###### [Change the time zone](security-policy-settings/change-the-time-zone.md)
-###### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
-###### [Create a token object](security-policy-settings/create-a-token-object.md)
-###### [Create global objects](security-policy-settings/create-global-objects.md)
-###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
-###### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
-###### [Debug programs](security-policy-settings/debug-programs.md)
-###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
-###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
-###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
-###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
-###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
-###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
-###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
-###### [Generate security audits](security-policy-settings/generate-security-audits.md)
-###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
-###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
-###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
-###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
-###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
-###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
-###### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
-###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
-###### [Modify an object label](security-policy-settings/modify-an-object-label.md)
-###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
-###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
-###### [Profile single process](security-policy-settings/profile-single-process.md)
-###### [Profile system performance](security-policy-settings/profile-system-performance.md)
-###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
-###### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
-###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
-###### [Shut down the system](security-policy-settings/shut-down-the-system.md)
-###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
-###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+## [Get started](fake2.md)
+### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+### [Preview features](preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
+ 
+### [Evaluate Windows Defender ATP](threat-protection/evaluate.md)
+#### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+ 
+ 
+## [Onboard and configure machines to Windows Defender ATP](threat-protection/onboard.md)
+### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
+#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+ 
+ 
+###[Configure ASR](configure1.md)
+#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+ 
+ 
+### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+ 
+ 
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+ 
+ 
+#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
+#### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+ 
+ 
+ 
+### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+ 
+ 
+ 
+### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+####General
+##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+##### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+ 
+ 
+ 
+####APIs
+##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+ 
+####Rules
+##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+ 
+ 
+####Machine management
+##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+ 
+ 
+#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+ 
+ 
+## [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+ 
+ 
+### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+ 
+ 
+## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+ 
+ 
+### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+ 
+ 
+#### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
+#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+ 
+ 
+### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+ 
+ 
+#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+ 
+ 
+#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+ 
+ 
+#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+ 
+ 
+## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+#### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+#### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+#### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+ 
+ 
+## [Endpoint detection and response - Tomer B.](faketopic.md)
+###Alerts queue
+#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
+ 
+ 
+###Machines list
+#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+ 
+ 
+### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+ 
+ 
+#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+##### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+##### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+##### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+ 
+ 
+### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+ 
+ 
+## [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+ 
+ 
+##Security posture
+### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+ 
+ 
+## [Management and APIs](management-apis.md)
+### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+ 
+### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+#####Actor
+###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#####Alerts
+###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain
+#######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+ 
+#####File
+###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
+ 
+#####IP
+###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#####Machines
+###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+ 
+ 
+#####User
+###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+ 
+ 
+### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+ 
+### [Reporting](reporting.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+ 
+### [Permissions](permissions.md)
+#### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+#### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+ 
+ 
+## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
+###  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+ 
+##Troubleshoot Windows Defender ATP
+### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+ 
+ 
+###Troubleshoot sensor state - Ask Heike name of sensor
+#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+#### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+#### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+ 
+### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
 
 
 
 
 
 
-### [Windows security baselines](windows-security-baselines.md)
-### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-### [Get support](get-support-for-security-baselines.md)
 
-### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 
-## [Change history for Threat protection](change-history-for-threat-protection.md)

From b60d740cad879efe7afc1947b307962f0cae4ec7 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 15:52:36 +0300
Subject: [PATCH 18/31] fix folder reference

---
 .../windows-defender-atp/TOC.md               | 175 +++++++++---------
 1 file changed, 83 insertions(+), 92 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index eb61137c27..339a14435e 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,5 +1,8 @@
+
+
 # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
+
 ## [Get started](fake2.md)
 ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
@@ -8,6 +11,7 @@
 ### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
+
 ### [Evaluate Windows Defender ATP](threat-protection\evaluate.md)
 #### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 #### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
@@ -17,44 +21,38 @@
 #### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
 #### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
 #### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-
-
-
+ 
+ 
 ## [Onboard and configure machines to Windows Defender ATP](onboard.md)
-### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
-##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-
-
+### [Onboard machines - need to revise this page](onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
+#### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+##### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 
 
 ###[Configure Attack surface reduction](configure1.md)
 #### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
 #### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
 #### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-
-
-
-
-
-
+ 
+ 
 ### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
 #### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
 #### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
 ##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
-
+ 
+ 
 #### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
 ##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
 ###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
@@ -67,6 +65,7 @@
 ###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
 ###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 
+
 #### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
 ##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
@@ -87,49 +86,43 @@
 ##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
 
 
-
-
-
 ### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
 
 
-
-### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
 ####General
-##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-
-
-
-
+##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+##### [Enable and create Power BI reports using Windows Defender Security center data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+ 
+ 
 ####APIs
-##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
 
 ####Rules
-##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
 
 ####Machine management
-##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
-
-#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
+ 
+ 
+#### [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
 
 
-
-
-## [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
-### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-
+## [Windows Defender Security Center](use-windows-defender-advanced-threat-protection.md)
+### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+### [View the Security operations dashboard - consdier moving to the relevant pillar](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+ 
+### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
 
 
 ## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
@@ -140,26 +133,27 @@
 
 ### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
 #### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-
+ 
 #### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
 #### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
 ##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 
 ### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-
+ 
 #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
 #### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
 ### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
 
+
 #### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
 #### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
 
 
-
 #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
 #### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
 #### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
 
+
 ## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
 ### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 #### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
@@ -172,7 +166,6 @@
 #### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
 
 
-
 ## [Endpoint detection and response - Tomer B.](faketopic.md)
 ###Alerts queue
 #### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
@@ -183,7 +176,7 @@
 #### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
 #### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
 #### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
-
+ 
 ###Machines list
 #### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
 #### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
@@ -205,6 +198,7 @@
 ##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
 ##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 
+
 #### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
 ##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
 ##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
@@ -217,19 +211,17 @@
 ##### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
 
-
-### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-
-
-## [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
 
 
+## [Automatic investigation and remediation - Benny](automated-investigations-windows-defender-advanced-threat-protection.md)
+ 
+ 
 ##Security posture
-### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-
+### [Secure posture - Evald](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 
 
 ## [Management and APIs](management-apis.md)
@@ -241,6 +233,7 @@
 #### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
+
 ### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
 #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
 #####Actor
@@ -260,6 +253,7 @@
 ####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
 ####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 
+
 #####File
 ###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
 ###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
@@ -269,6 +263,7 @@
 ###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
 ###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
 
+
 #####IP
 ###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
@@ -296,7 +291,6 @@
 ###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
-
 #####User
 ###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
 ###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
@@ -304,8 +298,6 @@
 ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
 
-
-
 ### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
 #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
 #### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
@@ -315,34 +307,33 @@
 #### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
 
+
 ### [Reporting](reporting.md)
 #### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 
-### [Permissions](permissions.md)
-#### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-#### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
 
+### [Permissions](permissions.md)
+#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
+#### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
 
 
 ## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
-###  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
-
-
-
+###  [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
 
 
 ##Troubleshoot Windows Defender ATP
 ### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
 
+
 ###Troubleshoot sensor state - Ask Heike name of sensor
-#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-#### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-#### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-
-### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+#### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+#### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+ 
+### [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
 
 
 

From b5c42041b488c8e574f458e717794cec6042c7f8 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 16:35:02 +0300
Subject: [PATCH 19/31] add table in threat prot page

---
 windows/security/threat-protection/index.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index b589ac9a69..01cf2ddc25 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -32,5 +32,13 @@ In conjunction with being able to quickly respond to advanced attacks, Windows D
 Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
 
 
+Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation | Security posture | Advanced hunting | Management and APIs | Microsoft threat protection
+:---|:---|:---|:---|:---|:---|:---|:---
+[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)<br><br> [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br> [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br> [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br> <br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reducation controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br> [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) [Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)| [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br> [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)<br><br>| [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)|[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)| [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>Scheduled queries <br><br> Scheduled queries (Github) <br><br> [Custom TI](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Onboarding](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection)<br><br> [Configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection)<br><br> [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[SIEM connectors](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Exposed APIs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection)<br><br>[RBAC](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<br><br>[Reportin and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)| [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)<br><br>O365 ATP<br><br>Azure ATP<br><br>Azure Security Center<br><br>Skype for Business<br><br>Cloud App Security
+
+
+
+
+
 
 

From 5347a12bbac65e42b514625290852d0539efde2f Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 13:48:10 +0000
Subject: [PATCH 20/31] Updated threat-prot level TOC.md

---
 windows/security/threat-protection/TOC.md | 640 +++++++++++-----------
 1 file changed, 307 insertions(+), 333 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 8fe3e22d50..828689473e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,336 +1,310 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
- 
-## [Get started](fake2.md)
-### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
- 
-### [Evaluate Windows Defender ATP](threat-protection/evaluate.md)
-#### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-#### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
- 
- 
-## [Onboard and configure machines to Windows Defender ATP](threat-protection/onboard.md)
-### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
-##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- 
- 
-###[Configure ASR](configure1.md)
-#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
- 
- 
-### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
- 
- 
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- 
- 
-#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
- 
- 
- 
-### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
- 
- 
- 
-### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-####General
-##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
- 
- 
- 
-####APIs
-##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
- 
-####Rules
-##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
- 
- 
-####Machine management
-##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
- 
- 
-#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- 
- 
-### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
- 
- 
-### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
- 
- 
-#### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
- 
- 
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
- 
- 
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
- 
- 
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
- 
- 
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
- 
- 
-## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-#### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-#### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-#### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-#### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-#### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-#### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-#### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
- 
- 
-## [Endpoint detection and response - Tomer B.](faketopic.md)
-###Alerts queue
-#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
- 
- 
-###Machines list
-#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
- 
- 
-### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
-#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
- 
- 
-#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
-##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-##### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-##### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-##### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
- 
- 
-### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
- 
- 
-##Security posture
-### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Management and APIs](management-apis.md)
-### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
- 
-### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-#######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
- 
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
- 
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
- 
- 
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
- 
- 
-### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
- 
-### [Reporting](reporting.md)
-#### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- 
-### [Permissions](permissions.md)
-#### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-#### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
-###  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
- 
-##Troubleshoot Windows Defender ATP
-### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
- 
- 
-###Troubleshoot sensor state - Ask Heike name of sensor
-#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-#### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-#### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
- 
-### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+# [Threat protection](index.md)
+
+## [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+
+### [Get started](fake2.md)
+#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+#### [Preview features](preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
+
+#### [Evaluate Windows Defender ATP](threat-protection/evaluate.md)
+##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+##### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+
+### [Onboard and configure machines to Windows Defender ATP](threat-protection/onboard.md)
+#### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
+##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+
+####[Configure ASR](configure1.md)
+##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+
+#### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+##### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+###### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+###### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
+##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+ 
+#### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+
+#### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#####General
+###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+
+#####APIs
+###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+#####Rules
+###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+#####Machine management
+###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+### [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+ 
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+ #
+ #
+### [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+#### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+#### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+
+##### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+
+##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+
+##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+
+### [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+ 
+### [Endpoint detection and response - Tomer B.](faketopic.md)
+####Alerts queue
+##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
+
+####Machines list
+##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+
+##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+###### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+### [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+
+###Security posture
+#### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+### [Management and APIs](management-apis.md)
+#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain
+########  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
+ 
+######IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+
+#### [Reporting](reporting.md)
+##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+#### [Permissions](permissions.md)
+##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+### [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
+####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+
+###Troubleshoot Windows Defender ATP
+#### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+ 
+####Troubleshoot sensor state - Ask Heike name of sensor
+##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+ 
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
 
 
 

From 7b19cff20ec5d1b667d66805bf833696b1511b18 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 16:54:04 +0300
Subject: [PATCH 21/31] revert toc

---
 windows/security/threat-protection/TOC.md | 1289 +++++++++++++++------
 1 file changed, 956 insertions(+), 333 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 8fe3e22d50..ee265a3955 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,336 +1,348 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
- 
-## [Get started](fake2.md)
-### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
- 
-### [Evaluate Windows Defender ATP](threat-protection/evaluate.md)
-#### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-#### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
- 
- 
-## [Onboard and configure machines to Windows Defender ATP](threat-protection/onboard.md)
-### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
-##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- 
- 
-###[Configure ASR](configure1.md)
-#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
- 
- 
-### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
- 
- 
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- 
- 
-#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
- 
- 
- 
-### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
- 
- 
- 
-### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-####General
-##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
- 
- 
- 
-####APIs
-##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
- 
-####Rules
-##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
- 
- 
-####Machine management
-##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
- 
- 
-#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- 
- 
-### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
- 
- 
-### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
- 
- 
-#### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
- 
- 
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
- 
- 
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
- 
- 
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
- 
- 
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
- 
- 
-## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-#### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-#### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-#### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-#### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-#### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-#### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-#### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
- 
- 
-## [Endpoint detection and response - Tomer B.](faketopic.md)
-###Alerts queue
-#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
- 
- 
-###Machines list
-#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
- 
- 
-### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
-#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
- 
- 
-#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
-##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-##### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-##### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-##### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
- 
- 
-### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-#### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
- 
- 
-##Security posture
-### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Management and APIs](management-apis.md)
-### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
- 
-### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-#######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
- 
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
- 
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
- 
- 
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
- 
- 
-### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
- 
-### [Reporting](reporting.md)
-#### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- 
-### [Permissions](permissions.md)
-#### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-#### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
- 
- 
-## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
-###  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
- 
-##Troubleshoot Windows Defender ATP
-### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
- 
- 
-###Troubleshoot sensor state - Ask Heike name of sensor
-#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-#### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-#### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
- 
-### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+# [Threat protection](index.md)
+
+
+
+
+
+
+## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
+
+### [Get started](fake2.md)
+#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+
+#### [Evaluate Windows Defender ATP](evaluate.md)
+##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+##### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+##### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+##### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+
+
+
+### [Onboard and configure machines to Windows Defender ATP](onboard.md)
+#### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
+##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+
+
+
+
+####[Configure ASR](configure1.md)
+##### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+##### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+
+
+
+
+
+
+#### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+##### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+###### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+###### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
+##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+
+
+
+
+#### [Configure AutoIR - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+
+
+
+#### [Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#####General
+###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+
+
+
+
+#####APIs
+###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+#####Rules
+###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+#####Machine management
+###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+
+
+
+### [Windows Defender Security Center](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard - consdier moving to the relevant pillar](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+### [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+#### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+
+#### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+
+##### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+
+##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+
+##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+
+##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+
+### [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+
+
+
+### [Endpoint detection and response - Tomer B.](faketopic.md)
+####Alerts queue
+##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
+
+####Machines list
+##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+
+#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+
+##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+###### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+###### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+###### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+
+
+#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+
+### [Automatic investigation and remediation - Benny](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+
+
+###Security posture
+#### [Secure posture - Evald](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+
+### [Management and APIs](management-apis.md)
+#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain
+########  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP
+####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+######User
+####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+
+#### [Reporting](reporting.md)
+##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+#### [Permissions](permissions.md)
+##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+
+
+### [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
+####  [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
 
 
 
@@ -349,3 +361,614 @@
 
 
 
+
+
+
+
+###Troubleshoot Windows Defender ATP
+#### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+####Troubleshoot sensor state - Ask Heike name of sensor
+##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Other security features
+### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
+#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
+#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
+#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+#### [Device security](windows-defender-security-center\wdsc-device-security.md)
+#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+#### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+
+
+### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+
+### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+
+### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+### [Security auditing](auditing/security-auditing-overview.md)
+
+#### [Basic security audit policies](auditing/basic-security-audit-policies.md)
+##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
+##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
+##### [View the security event log](auditing/view-the-security-event-log.md)
+
+##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
+###### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
+###### [Audit account management](auditing/basic-audit-account-management.md)
+###### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
+###### [Audit logon events](auditing/basic-audit-logon-events.md)
+###### [Audit object access](auditing/basic-audit-object-access.md)
+###### [Audit policy change](auditing/basic-audit-policy-change.md)
+###### [Audit privilege use](auditing/basic-audit-privilege-use.md)
+###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
+###### [Audit system events](auditing/basic-audit-system-events.md)
+
+##### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+
+###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
+####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
+####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
+####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
+####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
+####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
+####### [Monitor claim types](auditing/monitor-claim-types.md)
+
+###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
+####### [Audit Credential Validation](auditing/audit-credential-validation.md)
+####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
+####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
+####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
+####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
+###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
+####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
+####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
+####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
+###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
+####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
+####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
+####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
+###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
+###### [Audit Application Group Management](auditing/audit-application-group-management.md)
+###### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
+####### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
+####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
+####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
+###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
+####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
+####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
+####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
+####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
+####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
+###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
+####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
+####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
+###### [Audit Security Group Management](auditing/audit-security-group-management.md)
+####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
+####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
+####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
+####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
+####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
+####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
+####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
+###### [Audit User Account Management](auditing/audit-user-account-management.md)
+####### [Event 4720 S: A user account was created.](auditing/event-4720.md)
+####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
+####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
+####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
+####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
+####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
+####### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
+####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
+####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
+####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
+####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
+####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
+####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
+####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
+####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
+####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
+###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
+####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
+####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
+####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
+####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
+###### [Audit PNP Activity](auditing/audit-pnp-activity.md)
+####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
+####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
+####### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
+####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
+####### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
+####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
+####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
+###### [Audit Process Creation](auditing/audit-process-creation.md)
+####### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
+####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
+###### [Audit Process Termination](auditing/audit-process-termination.md)
+####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
+###### [Audit RPC Events](auditing/audit-rpc-events.md)
+####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
+####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
+####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
+####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
+####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
+####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
+####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
+####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
+####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
+###### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
+####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
+####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
+####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
+####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
+####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
+####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
+####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
+###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
+####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
+####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
+###### [Audit Account Lockout](auditing/audit-account-lockout.md)
+####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+###### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
+####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
+###### [Audit Group Membership](auditing/audit-group-membership.md)
+####### [Event 4627 S: Group membership information.](auditing/event-4627.md)
+###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
+###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
+###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
+###### [Audit Logoff](auditing/audit-logoff.md)
+####### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
+####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
+###### [Audit Logon](auditing/audit-logon.md)
+####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
+####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
+####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
+###### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
+###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
+####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
+####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
+####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
+####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
+####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
+####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
+####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
+####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
+####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
+####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
+###### [Audit Special Logon](auditing/audit-special-logon.md)
+####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
+####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
+###### [Audit Application Generated](auditing/audit-application-generated.md)
+###### [Audit Certification Services](auditing/audit-certification-services.md)
+###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
+####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
+###### [Audit File Share](auditing/audit-file-share.md)
+####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
+####### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
+####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
+####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
+####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
+###### [Audit File System](auditing/audit-file-system.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+####### [Event 5051: A file was virtualized.](auditing/event-5051.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
+####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
+####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
+####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
+####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
+####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
+####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
+####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
+####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
+####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
+###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
+####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
+####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
+###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
+####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
+###### [Audit Kernel Object](auditing/audit-kernel-object.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
+####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
+####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
+####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
+####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
+####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
+####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
+####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
+####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
+####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
+####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
+####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
+####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
+###### [Audit Registry](auditing/audit-registry.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
+####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Audit Removable Storage](auditing/audit-removable-storage.md)
+###### [Audit SAM](auditing/audit-sam.md)
+####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
+####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
+###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
+####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
+####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
+####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
+####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
+####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
+####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
+####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
+####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
+####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
+###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
+####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
+####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
+####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
+####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
+####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
+####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
+####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
+####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
+####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
+####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
+####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
+###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
+####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
+####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
+####### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
+####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
+###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
+###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
+####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
+####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
+####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
+####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
+####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
+####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
+####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
+####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
+####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
+####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
+####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
+####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
+####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
+####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
+###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
+####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
+####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
+####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
+####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
+####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
+####### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
+####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
+####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
+####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
+####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
+####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
+####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
+####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
+####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
+####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
+####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
+###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
+####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
+####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
+###### [Audit Other System Events](auditing/audit-other-system-events.md)
+####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
+####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
+####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
+####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
+####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
+####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
+####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
+####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
+####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
+####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
+####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
+####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
+####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
+####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
+####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
+####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
+####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
+####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
+####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
+####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
+####### [Event 6407: 1%.](auditing/event-6407.md)
+####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
+####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
+###### [Audit Security State Change](auditing/audit-security-state-change.md)
+####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
+####### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
+####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
+###### [Audit Security System Extension](auditing/audit-security-system-extension.md)
+####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
+####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
+####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
+####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
+####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
+###### [Audit System Integrity](auditing/audit-system-integrity.md)
+####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
+####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
+####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
+####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
+####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
+####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
+####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
+####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
+####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
+####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
+####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
+####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
+###### [Other Events](auditing/other-events.md)
+####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
+####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
+####### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
+####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
+####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
+###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
+###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
+###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+ 
+
+
+
+
+#### [Security policy settings](security-policy-settings/security-policy-settings.md)
+#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
+##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
+#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
+#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
+##### [Account Policies](security-policy-settings/account-policies.md)
+###### [Password Policy](security-policy-settings/password-policy.md)
+####### [Enforce password history](security-policy-settings/enforce-password-history.md)
+####### [Maximum password age](security-policy-settings/maximum-password-age.md)
+####### [Minimum password age](security-policy-settings/minimum-password-age.md)
+####### [Minimum password length](security-policy-settings/minimum-password-length.md)
+####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
+####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
+###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
+####### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
+####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
+####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
+###### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
+####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
+####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
+####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
+####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
+####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
+##### [Audit Policy](security-policy-settings/audit-policy.md)
+##### [Security Options](security-policy-settings/security-options.md)
+###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
+###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
+###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
+###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
+###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
+###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
+###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
+###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
+###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
+###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
+###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
+###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
+###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
+###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
+###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
+###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
+###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
+###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
+###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
+###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
+###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
+###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
+###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
+###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
+###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
+###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
+###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
+###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
+###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
+###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
+###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
+###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
+###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
+###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
+###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
+###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
+###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
+###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
+###### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
+###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
+###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
+###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
+###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
+###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
+###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
+###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
+###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
+###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+######  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
+###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
+###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
+###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
+###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
+###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
+###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
+###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
+###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
+###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
+###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
+###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
+###### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
+###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
+###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
+###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
+###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
+###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
+###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
+###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
+###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
+###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
+###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
+###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
+###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
+###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
+###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
+###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
+###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
+##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
+##### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
+###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
+###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
+###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
+###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
+###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
+###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
+###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
+###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
+###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
+###### [Change the system time](security-policy-settings/change-the-system-time.md)
+###### [Change the time zone](security-policy-settings/change-the-time-zone.md)
+###### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
+###### [Create a token object](security-policy-settings/create-a-token-object.md)
+###### [Create global objects](security-policy-settings/create-global-objects.md)
+###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
+###### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
+###### [Debug programs](security-policy-settings/debug-programs.md)
+###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
+###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
+###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
+###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
+###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
+###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
+###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
+###### [Generate security audits](security-policy-settings/generate-security-audits.md)
+###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
+###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
+###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
+###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
+###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
+###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
+###### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
+###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
+###### [Modify an object label](security-policy-settings/modify-an-object-label.md)
+###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
+###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
+###### [Profile single process](security-policy-settings/profile-single-process.md)
+###### [Profile system performance](security-policy-settings/profile-system-performance.md)
+###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
+###### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
+###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
+###### [Shut down the system](security-policy-settings/shut-down-the-system.md)
+###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
+###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+
+
+
+
+
+
+### [Windows security baselines](windows-security-baselines.md)
+### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+### [Get support](get-support-for-security-baselines.md)
+
+### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
+
+## [Change history for Threat protection](change-history-for-threat-protection.md)

From e0eb897ab6cbd9f4466035eb51f2ef711bd8a941 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 16:54:22 +0300
Subject: [PATCH 22/31] space

---
 windows/security/threat-protection/TOC.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index ee265a3955..2d87ec852a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -4,7 +4,6 @@
 
 
 
-
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
 
 ### [Get started](fake2.md)

From 9da727de6eb8775273cada8b237d98dde235f73d Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 17:06:02 +0300
Subject: [PATCH 23/31] trying dot

---
 .../security/threat-protection/windows-defender-atp/TOC.md    | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 339a14435e..d371717aa8 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,9 +1,7 @@
-
-
 # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
 
-## [Get started](fake2.md)
+## [Get started - latest one!!](./fake2.md)
 ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)

From 4e447fdb6226abcfd43e3eb0230e2b786ab3499a Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 17:44:01 +0300
Subject: [PATCH 24/31] UPDATE 1 AND 2

---
 windows/security/threat-protection/evaluate.md                | 1 +
 windows/security/threat-protection/index.md                   | 2 +-
 .../security/threat-protection/windows-defender-atp/TOC.md    | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/evaluate.md b/windows/security/threat-protection/evaluate.md
index e69de29bb2..078d53c466 100644
--- a/windows/security/threat-protection/evaluate.md
+++ b/windows/security/threat-protection/evaluate.md
@@ -0,0 +1 @@
+EVALUATE WDATP
\ No newline at end of file
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 01cf2ddc25..9b47229867 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -34,7 +34,7 @@ Windows Defender ATP provides a security posture capability to help you dynamica
 
 Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation | Security posture | Advanced hunting | Management and APIs | Microsoft threat protection
 :---|:---|:---|:---|:---|:---|:---|:---
-[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)<br><br> [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br> [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br> [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br> <br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reducation controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br> [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) [Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)| [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br> [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)<br><br>| [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)|[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)| [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>Scheduled queries <br><br> Scheduled queries (Github) <br><br> [Custom TI](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Onboarding](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection)<br><br> [Configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection)<br><br> [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[SIEM connectors](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Exposed APIs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection)<br><br>[RBAC](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<br><br>[Reportin and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)| [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)<br><br>O365 ATP<br><br>Azure ATP<br><br>Azure Security Center<br><br>Skype for Business<br><br>Cloud App Security
+[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)<br><br> [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br> [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br> [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br> <br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reducation controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br> [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) [Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)| [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br> [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)<br><br>| [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)|[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)| [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>Scheduled queries <br><br> Scheduled queries (Github) <br><br> [Custom TI](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Onboarding](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection)<br><br> [Configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection)<br><br> [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[SIEM connectors](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Exposed APIs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection)<br><br>[RBAC](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<br><br>[Reportin and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)| [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)<br><br>[O365 ATP](integration.md)<br><br>[Azure ATP](integration.md)<br><br>[Azure Security Center](integration.md)<br><br>[Skype for Business](integration.md)<br><br>[Microsoft Cloud App Security](integration.md)
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index d371717aa8..4d600535ce 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -10,8 +10,8 @@
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
 
-### [Evaluate Windows Defender ATP](threat-protection\evaluate.md)
-#### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+### [Evaluate Windows Defender ATP - UPDATE1](../threat-protection/evaluate.md)
+#### [Evaluate Attack surface reduction - ASR controls - UPDATE 2](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
 #### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
 #### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)

From f08327944a4791c83dfb3836cf00834f06772a94 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 17:59:08 +0300
Subject: [PATCH 25/31] fixed links

---
 .../windows-defender-atp/TOC.md               | 154 +++++++++---------
 1 file changed, 77 insertions(+), 77 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 4d600535ce..d7f7e67812 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,7 +1,7 @@
 # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
 
-## [Get started - latest one!!](./fake2.md)
+## [Get started - FIXED!!](./fake2.md)
 ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
@@ -10,18 +10,18 @@
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
 
-### [Evaluate Windows Defender ATP - UPDATE1](../threat-protection/evaluate.md)
-#### [Evaluate Attack surface reduction - ASR controls - UPDATE 2](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-#### [Evaluate Windows Defender Exploit Guard-rewrite](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+### [Evaluate Windows Defender ATP](../threat-protection/evaluate.md)
+#### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+#### [Evaluate Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
+#### [Evaluate Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
+#### [Evaluate Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+#### [Evaluate Windows Defender Antivirus protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender Exploit Guard-rewrite](../windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](../windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md)
+#### [Testing scenarios using Windows Defender Application Guard in your business or organization](../windows-defender-application-guard//test-scenarios-wd-app-guard.md)
  
  
-## [Onboard and configure machines to Windows Defender ATP](onboard.md)
+## [Onboard and configure machines to Windows Defender ATP](./onboard.md)
 ### [Onboard machines - need to revise this page](onboard-configure-windows-defender-advanced-threat-protection.md)
 #### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 #### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -39,52 +39,52 @@
 #### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 
 
-###[Configure Attack surface reduction](configure1.md)
-#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+###[Configure Attack surface reduction](./configure1.md)
+#### [System requirements for Windows Defender Application Guard](../windows-defender-application-guard//reqs-wd-app-guard.md)
+#### [Prepare and install Windows Defender Application Guard](../windows-defender-application-guard//install-wd-app-guard.md)
+#### [Configure the Group Policy settings for Windows Defender Application Guard](../windows-defender-application-guard//configure-wd-app-guard.md)
  
  
-### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+### [Configure Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic scanning in Windows Defender AV](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
  
  
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 
 
-#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+#### [Customize, initiate, and review the results of scans and remediation](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+#### [Restore quarantined files in Windows Defender AV](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+#### [Manage Windows Defender AV in your business](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage Windows Defender AV](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
 
 
-### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](configure3.md)
+### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](./configure3.md)
 
 
 ### [Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
@@ -123,45 +123,45 @@
 ### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
 
 
-## [Attack surface reduction - Chris, Amitai, Justin](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-### [Hardware based isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+## [Attack surface reduction - Chris, Amitai, Justin](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+### [Hardware based isolation](../windows-defender-application-guard//wd-app-guard-overview.md)
+#### [Frequently Asked Questions - Windows Defender Application Guard](../windows-defender-application-guard//faq-wd-app-guard.md)
+### [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
 
 
-### [Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+### [Exploit protection - Chris, Amitai, Justin](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](../windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md)
  
-#### [Enable Exploit protection - Chris, Amitai, Justin](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+#### [Enable Exploit protection - Chris, Amitai, Justin](../windows-defender-exploit-guard/enable-exploit-protection.md)
+#### [Customize Exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
 ##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+### [Network Protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
  
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+#### [Enable Network Protection](../windows-defender-exploit-guard/enable-network-protection.md)
+#### [Troubleshoot Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
+### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
 
 
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+#### [Enable Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
 
 
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+#### [Enable Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+#### [Customize Attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+#### [Troubleshoot Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
 
 
-## [Next gen protection - Andrea, Chris, Amitai](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-#### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-#### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-#### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-#### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-#### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-#### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-#### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+## [Next gen protection - Andrea, Chris, Amitai](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+#### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+#### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+#### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
 
 
 ## [Endpoint detection and response - Tomer B.](faketopic.md)
@@ -320,7 +320,7 @@
 
 
 ##Troubleshoot Windows Defender ATP
-### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
 
 
 ###Troubleshoot sensor state - Ask Heike name of sensor

From 45af70e12accf92f6e19c43b14421ffbbb0fd9d7 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 18:20:39 +0300
Subject: [PATCH 26/31] fix links

---
 .../windows-defender-atp/TOC.md                  | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index d7f7e67812..5b3dda6b8a 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -10,7 +10,7 @@
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
 
-### [Evaluate Windows Defender ATP](../threat-protection/evaluate.md)
+### [Evaluate Windows Defender ATP](./evaluate.md)
 #### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
 #### [Evaluate Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
 #### [Evaluate Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
@@ -21,7 +21,7 @@
 #### [Testing scenarios using Windows Defender Application Guard in your business or organization](../windows-defender-application-guard//test-scenarios-wd-app-guard.md)
  
  
-## [Onboard and configure machines to Windows Defender ATP](./onboard.md)
+## [Onboard and configure machines to Windows Defender ATP](../threat-protection/onboard.md)
 ### [Onboard machines - need to revise this page](onboard-configure-windows-defender-advanced-threat-protection.md)
 #### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 #### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -134,7 +134,7 @@
  
 #### [Enable Exploit protection - Chris, Amitai, Justin](../windows-defender-exploit-guard/enable-exploit-protection.md)
 #### [Customize Exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Import, export, and deploy Exploit protection configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 
 ### [Network Protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
  
@@ -164,7 +164,7 @@
 #### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
 
 
-## [Endpoint detection and response - Tomer B.](faketopic.md)
+## [Endpoint detection and response - Tomer B.](../threat-protection/faketopic.md)
 ###Alerts queue
 #### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
 #### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -222,7 +222,7 @@
 ### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 
 
-## [Management and APIs](management-apis.md)
+## [Management and APIs](./management-apis.md)
 ### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
 #### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 #### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
@@ -306,16 +306,16 @@
 #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
 
 
-### [Reporting](reporting.md)
+### [Reporting](../threat-protection/reporting.md)
 #### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 
 
-### [Permissions](permissions.md)
+### [Permissions](../threat-protection/permissions.md)
 #### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
 #### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
 
 
-## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](integration.md)
+## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](../threat-protection/integration.md)
 ###  [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
 
 

From 4554a5d39cc523c28e15a3f1ec876427aa94884e Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 20:56:39 +0300
Subject: [PATCH 27/31] fix links

---
 .../windows-defender-atp/TOC.md                | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 5b3dda6b8a..3e31b3548e 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -10,7 +10,7 @@
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 
 
-### [Evaluate Windows Defender ATP](./evaluate.md)
+### [Evaluate Windows Defender ATP](../evaluate.md)
 #### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
 #### [Evaluate Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
 #### [Evaluate Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
@@ -21,7 +21,7 @@
 #### [Testing scenarios using Windows Defender Application Guard in your business or organization](../windows-defender-application-guard//test-scenarios-wd-app-guard.md)
  
  
-## [Onboard and configure machines to Windows Defender ATP](../threat-protection/onboard.md)
+## [Onboard and configure machines to Windows Defender ATP](../onboard.md)
 ### [Onboard machines - need to revise this page](onboard-configure-windows-defender-advanced-threat-protection.md)
 #### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 #### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -39,7 +39,7 @@
 #### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 
 
-###[Configure Attack surface reduction](./configure1.md)
+###[Configure Attack surface reduction](../configure1.md)
 #### [System requirements for Windows Defender Application Guard](../windows-defender-application-guard//reqs-wd-app-guard.md)
 #### [Prepare and install Windows Defender Application Guard](../windows-defender-application-guard//install-wd-app-guard.md)
 #### [Configure the Group Policy settings for Windows Defender Application Guard](../windows-defender-application-guard//configure-wd-app-guard.md)
@@ -84,7 +84,7 @@
 ##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
 
 
-### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](./configure3.md)
+### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](../configure3.md)
 
 
 ### [Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
@@ -164,7 +164,7 @@
 #### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
 
 
-## [Endpoint detection and response - Tomer B.](../threat-protection/faketopic.md)
+## [Endpoint detection and response - Tomer B.](../faketopic.md)
 ###Alerts queue
 #### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
 #### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -222,7 +222,7 @@
 ### [View the Threat analytics dashboard and take recommended mitigation actions - Evald](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 
 
-## [Management and APIs](./management-apis.md)
+## [Management and APIs](../management-apis.md)
 ### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
 #### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 #### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
@@ -306,16 +306,16 @@
 #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
 
 
-### [Reporting](../threat-protection/reporting.md)
+### [Reporting](../reporting.md)
 #### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 
 
-### [Permissions](../threat-protection/permissions.md)
+### [Permissions](../permissions.md)
 #### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
 #### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
 
 
-## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](../threat-protection/integration.md)
+## [Microsoft threat protection - Heike or Raviv or Alon - need to make new page - put anchors inside for each integ](../integration.md)
 ###  [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
 
 

From 608f477240922a983c19fe229bd667c5285c5a6e Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 31 Jul 2018 21:12:28 +0300
Subject: [PATCH 28/31] minor

---
 .../security/threat-protection/windows-defender-atp/TOC.md  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 3e31b3548e..ebe07a26c7 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,7 +1,7 @@
 # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
 
-## [Get started - FIXED!!](./fake2.md)
+## [Get started](../fake2.md)
 ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
@@ -129,10 +129,10 @@
 ### [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
 
 
-### [Exploit protection - Chris, Amitai, Justin](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
+### [Exploit protection - Chris, Amitai, Andrea](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
 #### [Comparison with Enhanced Mitigation Experience Toolkit](../windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md)
  
-#### [Enable Exploit protection - Chris, Amitai, Justin](../windows-defender-exploit-guard/enable-exploit-protection.md)
+#### [Enable Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
 #### [Customize Exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
 ##### [Import, export, and deploy Exploit protection configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 

From 11694188c984eee73f8ddf914ca9069ac16d6a21 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 1 Aug 2018 09:36:38 +0300
Subject: [PATCH 29/31] remove wdatp table

---
 windows/security/index.yml | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/windows/security/index.yml b/windows/security/index.yml
index c06e4aad88..838003bb6b 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -78,17 +78,3 @@ sections:
 
       title: Information protection
 
-- title: Windows Defender Advanced Threat Protection
-  items:
-  - type: markdown
-    text: "
-      Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
-      <br>&nbsp;<br>
-      <table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
-      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
-      <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
-      <td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
-      <td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
-      <td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
-      </tr>
-      </table>"
\ No newline at end of file

From a792b2f37ef67fa7ba5b49c4fdc217b1be24190a Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 2 Aug 2018 14:27:23 +0300
Subject: [PATCH 30/31] changes

---
 windows/security/threat-protection/TOC.md           |  4 ++--
 windows/security/threat-protection/integration.md   | 13 +++++++++++--
 .../security/threat-protection/management-apis.md   |  4 +++-
 windows/security/threat-protection/onboard.md       |  7 ++++++-
 .../threat-protection/windows-defender-atp/TOC.md   |  3 ---
 5 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 133098b7c0..320952520f 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,7 +6,7 @@
 
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
 
-### [Get started](fake2.md)
+###Get started
 #### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
@@ -14,7 +14,7 @@
 #### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 
-#### [Evaluate Windows Defender ATP](evaluate.md)
+####Evaluate Windows Defender ATP
 ##### [Evaluate Attack surface reduction - ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 ##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 ##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
diff --git a/windows/security/threat-protection/integration.md b/windows/security/threat-protection/integration.md
index 6c22bd96e1..556bd4ad30 100644
--- a/windows/security/threat-protection/integration.md
+++ b/windows/security/threat-protection/integration.md
@@ -13,8 +13,17 @@ ms.localizationpriority: high
 ms.date: 07/01/2018
 ---
 
-# TO do: Heike, Alon, or Raviv
+# TO do: Tomer,  Alon, or Raviv
 
 These are all the products that WDATP integrates with then link to their documentation.
 
-Have links to the different configuration settings and put links there.
\ No newline at end of file
+Have links to the different configuration settings and put links there.
+
+
+Micorosft works better togegerthr
+
+when you integrate ms products you get btter protection
+
+here's the list of products that work well with WDATP.
+
+for each one, have a line or two.
\ No newline at end of file
diff --git a/windows/security/threat-protection/management-apis.md b/windows/security/threat-protection/management-apis.md
index 44ff4dfc98..14fe32f3c1 100644
--- a/windows/security/threat-protection/management-apis.md
+++ b/windows/security/threat-protection/management-apis.md
@@ -23,4 +23,6 @@ wdatp allows you to interact with the platform and other systems
 
 enable to manage and interact with the system
 
-APIs, SIEM connectors, Reporting, powerbi, etc
\ No newline at end of file
+APIs, SIEM connectors, Reporting, powerbi, etc
+
+## In this section 
\ No newline at end of file
diff --git a/windows/security/threat-protection/onboard.md b/windows/security/threat-protection/onboard.md
index f9ac29a1f8..fedfea7f4f 100644
--- a/windows/security/threat-protection/onboard.md
+++ b/windows/security/threat-protection/onboard.md
@@ -13,4 +13,9 @@ ms.localizationpriority: high
 ms.date: 07/01/2018
 ---
 
-# TO do: naama and joey to write this topic
\ No newline at end of file
+# Onboard and configure machines to Windows Defender ATP
+
+Onboard to the sensor, configure the indivual capabilities in Windows Defender ATP. 
+
+## In this section 
+table for configure to the parent nodes for each 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index ebe07a26c7..7ad06daaa2 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -84,9 +84,6 @@
 ##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
 
 
-### [Configure Automatic investigation and remediation  - needs new content, u can configure through the portal settings + link to the settings page](../configure3.md)
-
-
 ### [Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
 ####General
 ##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)

From 956da009f8250e1cb7a6ce5402711176d31f66cb Mon Sep 17 00:00:00 2001
From: Dani Halfin <daniha@microsoft.com>
Date: Thu, 2 Aug 2018 15:13:37 +0000
Subject: [PATCH 31/31] Merged PR 10302: Fixing contextual ToC

---
 .../windows-defender-antivirus/{TOC.md => oldTOC.md}              | 0
 .../windows-defender-application-control/{TOC.md => oldTOC.md}    | 0
 .../windows-defender-exploit-guard/{TOC.md => oldTOC.md}          | 0
 .../windows-defender-security-center/{TOC.md => oldTOC.md}        | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename windows/security/threat-protection/windows-defender-antivirus/{TOC.md => oldTOC.md} (100%)
 rename windows/security/threat-protection/windows-defender-application-control/{TOC.md => oldTOC.md} (100%)
 rename windows/security/threat-protection/windows-defender-exploit-guard/{TOC.md => oldTOC.md} (100%)
 rename windows/security/threat-protection/windows-defender-security-center/{TOC.md => oldTOC.md} (100%)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/TOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/TOC.md
rename to windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/oldTOC.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-control/TOC.md
rename to windows/security/threat-protection/windows-defender-application-control/oldTOC.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/TOC.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
diff --git a/windows/security/threat-protection/windows-defender-security-center/TOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/TOC.md
rename to windows/security/threat-protection/windows-defender-security-center/oldTOC.md