diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e6293265fe..2842e1a326 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15654,6 +15654,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index cb543ad1cd..ae26cfc95a 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -20,12 +20,12 @@ ms.author: dansimp - Windows 10 - Windows 10 Mobile -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. -![Intune VPN policy template](images/vpn-intune-policy.png) +To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10). ->[!NOTE] ->This guide does not explain server deployment. +> [!NOTE] +> This guide does not explain server deployment. ## In this guide @@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie ## Learn more -- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune) - - +- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 7e6ac508a9..0d113ddeb4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable cloud-delivered protection in Microsoft Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +title: Turn on cloud-delivered protection in Microsoft Defender Antivirus +description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,16 +9,16 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Enable cloud-delivered protection +# Turn on cloud-delivered protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - Microsoft Defender Antivirus 
@@ -29,55 +29,60 @@ ms.custom: nextgen Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets. + + You can also turn it on or off in individual clients with the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. +For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE] -> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. 
This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839). -## Use Intune to enable cloud-delivered protection +## Use Intune to turn on cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. On the **Home** pane, select **Device configuration > Profiles**. +3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. 
Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. - -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -## Use Configuration Manager to enable cloud-delivered protection +## Use Microsoft Endpoint Configuration Manager to turn on cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +1. 
Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: + 1. **High**: Applies a strong level of detection. + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). + 3. **Zero tolerance**: Blocks all unknown executables. +6. Select **Review + save**, then choose **Save**. -## Use Group Policy to enable cloud-delivered protection +For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service). -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Use Group Policy to turn on cloud-delivered protection -2. In the **Group Policy Management Editor** go to **Computer configuration**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. Select **Administrative templates**. 4. 
Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either: 1. **Send safe samples** (1) 2. **Send all samples** (3) 
@@ -88,18 +93,18 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > [!WARNING] > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -7. Click **OK**. +7. Select **OK**. -## Use PowerShell cmdlets to enable cloud-delivered protection +## Use PowerShell cmdlets to turn on cloud-delivered protection -Use the following cmdlets to enable cloud-delivered protection: +The following cmdlets can turn on cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). 
>[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. @@ -107,7 +112,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u >[!WARNING] > Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -## Use Windows Management Instruction (WMI) to enable cloud-delivered protection +## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: 
@@ -116,33 +121,31 @@ MAPSReporting SubmitSamplesConsent ``` -See the following for more information and allowed parameters: +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -## Enable cloud-delivered protection on individual clients with the Windows Security app +## Turn on cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. +> [!NOTE] +> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
-## Related topics +## Related articles - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png new file mode 100644 index 0000000000..5a8def8136 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 04914ca837..6b709df330 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp --- 
@@ -20,49 +20,55 @@ manager: dansimp [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. - ## Quick scan versus full scan -Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -> [!IMPORTANT] -> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. -Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. 
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. -In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. +In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans. ->[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +> [!NOTE] +> By default, quick scans run on mounted removable devices, such as USB drives. -## Use Configuration Manager to run a scan +## Use Microsoft Endpoint Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. In the list of tabs, select **Windows 10 unhealthy endpoints**. +4. From the list of actions provided, select **Quick Scan** or **Full Scan**. 
+ +[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox) + +> [!TIP] +> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers). ## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: -```DOS +```console mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. + +For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md). ## Use Microsoft Intune to run a scan -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan. +3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**. ## Use the Windows Security app to run a scan 
@@ -75,15 +81,14 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ## Use Windows Management Instruction (WMI) to run a scan -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class. +For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index b3a31baf6d..27c2c2db47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md 
@@ -27,7 +27,7 @@ ms.custom: asr ## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. ## Do I need to have an enterprise license to run ASR rules? 
@@ -77,7 +77,7 @@ Keep the rule in audit mode for about 30 days to get a good baseline for how the ## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. 
@@ -127,7 +127,7 @@ Because many legitimate processes throughout a typical day will be calling on ls Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. -## Related topics +## See also * [Attack surface reduction overview](attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index ded3b76626..37a6dacbe8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md deleted file mode 100644 index b86fec795a..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ /dev/null 
@@ -1,165 +0,0 @@ ---- -title: Enable Microsoft Defender for Endpoint Insider Device -description: Install and use Microsoft Defender for Endpoint (Mac). -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual ---- - -# Enable Microsoft Defender for Endpoint Insider Device - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). - -> [!IMPORTANT] -> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. - -## Enable the Insider program with Jamf - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - edr - - earlyPreview - - - - - ``` - -1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. - -1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier. 
- - > [!WARNING] - > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product - -## Enable the Insider program with Intune - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - edr - - earlyPreview - - - - - - - ``` - -1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. - -1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. - -1. Save the `.plist` created earlier as com.microsoft.wdav.xml. - -1. Enter `com.microsoft.wdav` as the custom configuration profile name. - -1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1. - -1. Select  **OK**. - -1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. - - > [!WARNING] - > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. 
- -## Enable the Insider program manually on a single device - -In terminal, run: - -```bash - mdatp --edr --early-preview true -``` - -For versions earlier than 100.78.0, run: - -```bash - mdatp --edr --earlyPreview true -``` - -## Troubleshooting - -### Verify you are running the correct version - -To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). - -To verify you are running the correct version, run `mdatp --health` on the device. - -* The required version is 100.72.15 or later. -* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal. -* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). -* If you are not using Office for Mac, download and run the AutoUpdate tool. - -### A device still does not appear on Microsoft Defender Security Center - -After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`. - -* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. - -If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. 
Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 137fc569cc..55bdffa21c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -97,8 +97,6 @@ Content-type: application/json "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922", "firstSeen": "2019-12-18T08:02:54Z", "lastSeen": "2020-01-06T08:01:48Z", - "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", - "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", "logonTypes": "Interactive", "logOnMachinesCount": 8, "isDomainAdmin": true, diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png new file mode 100644 index 0000000000..f62d8f66b6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png new file mode 100644 index 0000000000..c4ae7c8318 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png new file mode 100644 index 0000000000..3227f3eb0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png new file mode 100644 index 0000000000..31e2ed052f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png new file mode 100644 index 0000000000..ebb2c93951 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png new file mode 100644 index 0000000000..770141ad54 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png new file mode 100644 index 0000000000..8532d279bc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png new file mode 100644 index 0000000000..aa59d18577 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png new file mode 100644 index 0000000000..92dd636c71 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png new file mode 100644 index 0000000000..64f731a465 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png new file mode 100644 index 0000000000..64cfbd439f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png new file mode 100644 index 0000000000..4cc8e84eeb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png deleted file mode 100644 index 15d64d5abd..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png new file mode 100644 index 0000000000..be0593bb84 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png new file mode 100644 index 0000000000..748b97d6bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png new file mode 100644 index 0000000000..9147d3e4a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png new file mode 100644 index 0000000000..29c6618677 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png new file mode 100644 index 0000000000..539ed966bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png new file mode 100644 index 0000000000..d4f3f506e5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index e44fe3a67f..ad2a51ab8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md 
@@ -24,26 +24,17 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +> [!NOTE] +> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +## Configure custom indicators -## Configure custom indicators -Defender for Endpoint for iOS enables admins to configure custom indicators on -iOS devices as well. Refer to [Manage -indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -on how to configure custom indicators +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. + +> [!NOTE] +> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. ## Web Protection -By default, Defender for Endpoint for iOS includes and enables the web -protection feature. [Web -protection](web-protection-overview.md) helps -to secure devices against web threats and protect users from phishing attacks. ->[!NOTE] ->Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +By default, Defender for Endpoint for iOS includes and enables the web protection feature. 
[Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md index 46b7669ddf..63eee7a042 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md 
@@ -24,38 +24,33 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. - - -The public preview of Defender for Endpoint for iOS will offer protection -against phishing and unsafe network connections from websites, emails, and apps. -All alerts will be available through a single pane of glass in the Microsoft -Defender Security Center. The portal gives security teams a centralized view of threats on +**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on iOS devices along with other platforms. +> [!CAUTION] +> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors. + ## Pre-requisites - **For End Users** -- Defender for Endpoint license assigned to the end user(s) of the app. Refer - [Assign licenses to - users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) - for instructions on how to assign licenses. +- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. 
See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements) + +- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license. + - Intune Company Portal app can be downloaded from [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358). + +- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign). + **For Administrators** - Access to the Microsoft Defender Security Center portal + + > [!NOTE] + > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune. - Access to [Microsoft Endpoint Manager admin - center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app - to enrolled user groups in your organization + center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization **System Requirements** 
@@ -64,6 +59,14 @@ iOS devices along with other platforms. - Device is enrolled with Intune Company Portal [app](https://apps.apple.com/us/app/intune-company-portal/id719171358) +> [!NOTE] +> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).** + +## Installation instructions + +Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported. +For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md). + ## Resources - Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 873df4353b..87dd24a90d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md 
@@ -92,6 +92,10 @@ If you experience any installation failures, refer to [Troubleshooting installat After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +- Audit framework (`auditd`) must be enabled. + >[!NOTE] + > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key. + ### Network connections The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 44dd5225e9..1e18c177a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md 
@@ -39,7 +39,7 @@ This topic describes how to install, configure, update, and use Defender for End > [!TIP] > If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**. -To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. See [Enable Microsoft Defender for Endpoint Insider Device](endpoint-detection-response-mac-preview.md). +To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. ## How to install Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md index 928c6f6e42..23dd0567e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md @@ -36,7 +36,7 @@ have committed to building security solutions not just *for* Microsoft, but also heterogenous environments. We're listening to customer feedback and partnering closely with our customers to build solutions that meet their needs. -With Defender for Endpoint, customers benefit from a unified view of all +With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts in the Microsoft Defender Security Center, across Windows and non-Windows platforms, enabling them to get a full picture of what's happening in their environment, which empowers them to more quickly assess and respond to 
@@ -44,7 +44,7 @@ threats. ## Microsoft Defender for Endpoint for Mac -Microsoft Defender for Endpoint for Mac offers AV and EDR capabilities for the three +Microsoft Defender for Endpoint for Mac offers antivirus and endpoint detection and response (EDR) capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft @@ -96,15 +96,15 @@ devices. Microsoft Defender for Endpoint is also available for purchase from a C Solution Provider (CSP). Customers can obtain Microsoft Defender for Endpoint for Mac through a standalone -MDefender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 +Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 Security. -Recently announced capabilities of Microsoft Defender for Endpoint for Android and soon -iOS are included in the above mentioned offers as part of the five qualified +Recently announced capabilities of Microsoft Defender for Endpoint for Android and iOS +are included in the above mentioned offers as part of the five qualified devices for eligible licensed users. - Defender for Endpoint for Linux is available through the Defender for Endpoint -for Server SKU that is available for both commercial and education customers. +Defender for Endpoint on Linux is available through the Defender for Endpoint +Server SKU that is available for both commercial and education customers. Please contact your account team or CSP for pricing and additional eligibility requirements. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md index fe74fafa7c..3af172dba7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md 
@@ -29,65 +29,112 @@ ms.topic: conceptual >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception. +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present. -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list. +When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +## Permissions + +Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md). + +![View of exception handling permission.](images/tvm-exception-permissions.png) ## Create an exception -1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). +Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form. -2. Select a security recommendation you would like to create an exception for, and then **Exception options**. 
-![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) -3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +### Exception by device group - The following list details the justifications behind the exception options: +Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups. - - **Third party control** - A third party product or software already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Alternate mitigation** - An internal tool already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +![Showing device group dropdown.](images/tvm-exception-device-group-500.png) -4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. 
+#### Filtered views -## View your exceptions +If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options. -When you file for an exception from the security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). +This is the button to filter by device group on any of the threat and vulnerability management pages: -The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. +![Showing selected device groups filter.](images/tvm-selected-device-groups.png) -![Example of the exception page and filter options.](images/tvm-exception-filters.png) +Exception view with filtered device groups: -### Exception actions and statuses +![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) -Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**. +#### Large number of device groups -The following statuses will be a part of an exception: +If your organization has more than 20 device groups, select **Edit** next to the filtered device group option. -- **Canceled** - The exception has been canceled and is no longer in effect -- **Expired** - The exception that you've filed is no longer in effect -- **In effect** - The exception that you've filed is in progress +![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) -### Exception impact on scores +A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. 
-Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: +![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. -- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. +### Global exceptions -The exception impact shows on both the Security recommendations page column and in the flyout pane. +If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.” -![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) +![Showing global exception option.](images/tvm-exception-global.png) -### View exceptions in other places +Some things to keep in mind: -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. +- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. 
After that point, the new device group exceptions will go into effect until they expire. +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires. -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) +### Justification + +Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +The following list details the justifications behind the exception options: + +- **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +## View all exceptions + +Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status. + + Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception. + + +![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png) + + +## How to cancel an exception + +To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. 
Select the exception. To cancel the exception for all device groups, select the **Cancel exception** button. You can also cancel the exception for a specific device group. + +### Cancel the exception for a specific device group + +Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**. + +![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) + + +### Cancel a global exception + +If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout. + +![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png) + +## View impact after exceptions are applied + +In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**. + +![Showing customize columns options.](images/tvm-after-exceptions.png) + +The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed. + +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. + +![Showing the columns in the table.](images/tvm-after-exceptions-table.png) ## Related topics 
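Review bot: the second "Some things to keep in mind" bullet in this hunk is ambiguous: "the device group exception will be suspended until it expires or the global exception is cancelled before it expires" does not say whose expiry is meant; rewrite it as two explicit cases (the device group exception stays suspended while the global exception is active, and resumes only if the global exception is cancelled before the device group exception's own end date). Smaller points in the same hunk: "Exceptions per devices group" should read "per device group"; the "Select an exception to open a flyout" paragraph is indented by a leading space and wrapped in doubled blank lines, which will render as a continuation of the preceding block rather than a paragraph; and the Justification list replaces the removed "Exception impact on scores" section, so it would help to state for every bullet whether it changes the scores, as the first two bullets already do, since the "View impact after exceptions are applied" paragraphs only cover this indirectly.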
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 3a67244b9e..032da734d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -104,6 +104,144 @@ From the flyout, you can choose any of the following options: ### Investigate changes in device exposure or impact +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. + +1. Select the recommendation and **Open software page** +2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request + +## Request remediation + +The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +### Enable Microsoft Intune connection + +To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +### Remediation request steps + +1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. + +2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. 
Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. + +3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +>[!NOTE] +>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. + +## File for exception + +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. Only users with “exceptions handling” permissions can add exception. [Learn more about RBAC roles](user-roles.md). If your organization has device groups, you will now be able to scope the exception to specific device groups. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +### How to create an exception + +Select a security recommendation you would like create an exception for, and then select **Exception options**. + +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) + +Choose the scope and justification, set a date for the exception duration, and submit. 
To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab. + +### Exception scope + +Exceptions can either be created for selected device groups, or for all device groups past and present. + +#### Exception by device group + +Apply the exception to all device groups or choose specific device groups. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups. + +![Showing device group dropdown.](images/tvm-exception-device-group-500.png) + +##### Filtered + +If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options. + +Button to filter by device group on any of the threat and vulnerability management pages: + +![Showing selected device groups filter.](images/tvm-selected-device-groups.png) + +Exception view with filtered device groups: + +![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) + +##### Large number of device groups + +If your organization has more than 20 device groups, select **Edit** next to the filtered device group option. + +![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) + +A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. + +![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) + +#### Global exceptions + +If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. 
It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.” + +![Showing global exception option.](images/tvm-exception-global.png) + +Some things to keep in mind: + +- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire. +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires. + +### Justification + +Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +The following list details the justifications behind the exception options: + +- **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +### View all exceptions + +Navigate to the **Exceptions** tab in the **Remediation** page. + +![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-tab400.png) + +Select an exception to open a flyout with more details. 
Exceptions per devices group will have a list of every device group the exception covers, which you can Export. You can also view the related recommendation or cancel the exception. + +### How to cancel an exception + +To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. + +#### Cancel the exception for a specific device group + +If the exception is per device group, then you will need to select the specific device group to cancel the exception for it. + +![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) + +A flyout will appear for the device group, and you can select **Cancel exception**. + +#### Cancel a global exception + +If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout. + +![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png) + +### View impact after exceptions are applied + +In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**. + +![Showing customize columns options.](images/tvm-after-exceptions.png) + +The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed. + +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. 
+ +![Showing the columns in the table.](images/tvm-after-exceptions-table.png) If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 16214a5f59..637aa964d9 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
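Review bot: the insertion point of the @@ -104,6 +104,144 @@ hunk is wrong: the original body of "Investigate changes in device exposure or impact" ("If there is a large jump in the number of exposed devices ... Microsoft Secure Score for Devices" plus the numbered steps) remains as trailing context after the new "View impact after exceptions are applied" section, while a second copy of that paragraph and steps is added at the top of the hunk, so the rendered page will show the section twice with the orphaned copy under the wrong heading; remove the old lines in this hunk and keep one wording, since the new copy says "exposure score and configuration score" and the retained one says "Microsoft Secure Score for Devices". Smaller points in the same hunk: "you would like create an exception for" is missing "to"; "is location in a security recommendation flyout" should be "is located"; "can add exception" should be "can add exceptions"; "address the increase or your organization's exposure" reads as "the increase in your organization's exposure"; "Exceptions per devices group ... which you can Export" should be "per device group ... which you can export"; the `>[!NOTE]` / `>If your request` lines lack the space after `>` used elsewhere in this PR; and "##### Filtered" skips a heading level and differs from the "#### Filtered views" heading used for the same text in tvm-remediation.md. The whole exception section is duplicated near-verbatim between the two files, so consider linking to one copy rather than maintaining both.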
@@ -15,13 +15,10 @@ ms.reviewer: # Windows Sandbox configuration -Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. +Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. -Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here: +A configuration file enables the user to control the following aspects of Windows Sandbox: -**C:\Temp> MyConfigFile.wsb** - - A configuration file enables the user to control the following aspects of Windows Sandbox: - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. 
@@ -33,13 +30,39 @@ Windows Sandbox configuration files are formatted as XML and are associated with - **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. - **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox. -**Keywords, values, and limits** +## Creating a configuration file -**vGPU**: Enables or disables GPU sharing. +To create a simple configuration file: + +1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.) +2. Insert the following lines: + + ```XML + + + ``` + +3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below. +4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. `"My config file.wsb"`. + +## Using a configuration file + +To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: + +```batch +C:\Temp> MyConfigFile.wsb +``` + +## Keywords, values, and limits + +### vGPU + +Enables or disables GPU sharing. `value` Supported values: + - *Enable*: Enables vGPU support in the sandbox. - *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. - *Default* This is the default value for vGPU support. Currently this means vGPU is disabled. 
@@ -47,7 +70,9 @@ Supported values: > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of the sandbox. -**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. +### Networking + +Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. `value` @@ -58,7 +83,9 @@ Supported values: > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. -**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. +### Mapped folders + +An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. ```xml @@ -83,7 +110,9 @@ Supported values: > [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. -**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +### Logon command + +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. ```xml 
@@ -96,7 +125,9 @@ Supported values: > [!NOTE] > Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. -**Audio input**: Enables or disables audio input to the sandbox. +### Audio input + +Enables or disables audio input to the sandbox. `value` @@ -108,7 +139,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host audio input to the container. -**Video input**: Enables or disables video input to the sandbox. +### Video input + +Enables or disables video input to the sandbox. `value` @@ -120,7 +153,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host video input to the container. -**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. +### Protected client + +Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. `value` @@ -132,7 +167,9 @@ Supported values: > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. -**Printer redirection**: Enables or disables printer sharing from the host into the sandbox. +### Printer redirection + +Enables or disables printer sharing from the host into the sandbox. `value` @@ -141,7 +178,9 @@ Supported values: - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled. -**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox. +### Clipboard redirection + +Enables or disables sharing of the host clipboard with the sandbox. `value` 
@@ -149,16 +188,18 @@ Supported values: - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*. -**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB). +### Memory in MB + +Specifies the amount of memory that the sandbox can use in megabytes (MB). `value` If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. -***Example 1*** +## Example 1 The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. -*Downloads.wsb* +### Downloads.wsb ```xml @@ -177,7 +218,7 @@ The following config file can be used to easily test downloaded files inside the ``` -***Example 2*** +## Example 2 The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. @@ -185,9 +226,9 @@ Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSC With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. -*VSCodeInstall.cmd* +### VSCodeInstall.cmd -```console +```batch REM Download Visual Studio Code curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe @@ -195,7 +236,7 @@ REM Install and run Visual Studio Code C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes ``` -*VSCode.wsb* +### VSCode.wsb ```xml
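Review bot: in the @@ -33,13 +30,39 @@ hunk the step-2 fence is tagged `XML` while every other fence in the file uses lowercase `xml`, and as rendered here that fence body is empty, so confirm the root element's opening and closing lines actually survive in the file. The "Using a configuration file" snippet is a prompt plus a command rather than a batch script, so `console` (the tag this PR removes from VSCodeInstall.cmd, where `batch` is the right choice) fits it better than `batch`. Step 1's "(e.g. Notepad, Visual Studio Code, etc.)" should drop either "e.g." or "etc.". Since the new section says a double-click starts the sandbox with whatever the file specifies, and this page already notes that mapped folders can expose host data and that the LogonCommand runs automatically at logon, a sentence there advising readers to inspect the mapped folder and LogonCommand entries of a `.wsb` file they did not write before opening it would be worthwhile.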