From 67c9f1f29aa99e23a668830ba1248b97b0ea155f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:17:36 -0800 Subject: [PATCH 01/12] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 0f325b3497..5d3a707826 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/09/2019 +ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- 
@@ -23,20 +23,18 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. +[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. - You can enable each mitigation separately by using any of these methods: -* [Windows Security app](#windows-security-app) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) They are configured by default in Windows 10. 
@@ -45,16 +43,19 @@ Some mitigations have additional options. You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. + ## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. -3. Go to **Program settings** and choose the app you want to apply mitigations to: +3. Go to **Program settings** and choose the app you want to apply mitigations to.
+ 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. From 2d62fec8182f51e0d580d8055f944bc094e3b55e Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 Jan 2020 15:24:34 -0800 Subject: [PATCH 02/12] Updates to Defender/ThreatSeverityDefaultAction --- .../new-in-windows-mdm-enrollment-management.md | 7 +++++++ .../client-management/mdm/policy-csp-defender.md | 14 +++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 77441ceba1..b1c7501096 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [January 2020](#january-2020) - [November 2019](#november-2019) - [October 2019](#october-2019) - [September 2019](#september-2019) @@ -1935,6 +1936,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### January 2020 +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| + + ### November 2019 |New or updated topic | Description| diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 09ea8790ad..c19a6e5c4a 100644 
--- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- @@ -3079,12 +3079,12 @@ The following list shows the supported values for threat severity levels: The following list shows the supported values for possible actions: -- 1 – Clean -- 2 – Quarantine -- 3 – Remove -- 6 – Allow -- 8 – User defined -- 10 – Block +- 1 – Clean. Service tries to recover files and try to disinfect. +- 2 – Quarantine. Moves files to quarantine. +- 3 – Remove. Removes files from system. +- 6 – Allow. Allows file/does none of the above actions. +- 8 – User defined. Requires user to make a decision on which action to take. +- 10 – Block. Blocks file execution. From df9a6bf6c49aaafd6ba886619d17d1a6da135377 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:27:33 -0800 Subject: [PATCH 03/12] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 73 ++++++++----------- 1 file changed, 32 insertions(+), 41 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 5d3a707826..26b16a6530 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -52,21 +52,19 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - If the app you want to configure is already listed, click it and then click **Edit**. + - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation +6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+ - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation 7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
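Review bot: in PATCH 02/12, the new description for value 1 in policy-csp-defender.md has a number mismatch in `- 1 – Clean. Service tries to recover files and try to disinfect.`; suggest `- 1 – Clean. The service tries to recover and disinfect the affected files.` The value-6 line `Allows file/does none of the above actions.` reads better as `Allows the file; takes none of the above actions.`, and `Removes files from system.` should say `from the system`.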
@@ -79,19 +77,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option -**Example 1** +### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default -Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. - -Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. +Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. -**Example 2** +### Example 2: Josie configures Data Execution Prevention in system settings to be off by default -Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. - -Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie adds the app *test.exe* to the **Program settings** section. 
In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. @@ -102,28 +96,27 @@ CFG will be enabled for *miles.exe*. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. -3. Go to **Program settings** and choose the app you want to apply mitigations to: - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. +3. Go to **Program settings** and choose the app you want to apply mitigations to.
+ - If the app you want to configure is already listed, click it and then click **Edit**. + - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. +2. Click **Device configuration** > **Profiles** > **Create profile**. +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: +4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. 
Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Click **OK** to save each open blade and click **Create**. +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
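Review bot: in the PATCH 03/12 hunk starting `@@ -79,19 +77,15 @@`, the two context rows of the defaults matrix carry the same markers (`check-no | check-yes`) but describe different behaviors (`As defined in **System settings**` and `Default as defined in **Use default** option`); the last row appears to be the case where the mitigation is enabled in neither section and should presumably be `check-no | check-no`, so this is worth fixing while the examples below it are being restructured. The two new example headings also differ (`in system settings section` vs `in system settings`); align them, and consider keeping the sentence that states the system-level DEP setting in the body so each example reads completely without its heading.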
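Review bot: in the PATCH 03/12 hunk starting `@@ -102,28 +96,27 @@`, the context line `2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.` still uses the old label, while PATCH 01/12 changed the same step of the first procedure to **Exploit protection settings**; the two procedures should match. The Intune image alt text `Enable network protection in Intune` is also attached to the exploit protection screenshot and should be corrected.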
@@ -132,21 +125,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## SCCM 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Exploit protection**, and click **Next**. -1. Browse to the location of the exploit protection XML file and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +2. Click **Home** > **Create Exploit Guard Policy**. +3. Enter a name and a description, click **Exploit protection**, and click **Next**. +4. Browse to the location of the exploit protection XML file and click **Next**. +5. Review the settings and click **Next** to create the policy. +6. After the policy is created, click **Close**. ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. - -1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. +3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell 
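Review bot: the Group Policy list in the hunk starting `@@ -132,21 +125,19 @@` now reads `1.`, `1.`, `2.`, `3.`: the first two items keep the old all-ones style while the items this hunk touches switch to explicit numbers. Renumber the second item to `2.` and the following ones to `3.` and `4.`, as was done for the SCCM list above it.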
From 20076482964245337ae0355db6de40724814d0a2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:29:11 -0800 Subject: [PATCH 04/12] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 26b16a6530..73d6b7ed23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -25,6 +25,9 @@ manager: dansimp [Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. +> [!IMPORTANT] +> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported. + Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. You can enable each mitigation separately by using any of these methods: 
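Review bot: the new IMPORTANT callout has a subject-verb mismatch: `usage of EAF and IAF are not supported` should be `is not supported`. The condition `If you have enabled .NET 2.0` is also ambiguous, since .NET 2.0 is a framework version an application targets rather than a switch an administrator turns on; state which component (presumably the app being configured) must be using .NET 2.0 for EAF and IAF to be unsupported.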
@@ -36,10 +39,7 @@ You can enable each mitigation separately by using any of these methods: - [Group Policy](#group-policy) - [PowerShell](#powershell) -They are configured by default in Windows 10. - -You can set each mitigation to on, off, or to its default value. -Some mitigations have additional options. +Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. From 37eb098cfc99a6e3f07e4b65e8b21a9cb9156edf Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Wed, 8 Jan 2020 15:30:18 -0800 Subject: [PATCH 05/12] Edit pass: VAMT known issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @greg-lindsay Please review the copy edit to these articles, address the following comments, and let me know if I’ve changed the technical meaning anywhere. This is for Azure DevOps work request 3851189. Comments: Consider whether it would be helpful to add a mention of the workaround to the metadata description for discoverability. Thanks! Kelly --- .../volume-activation/vamt-known-issues.md | 34 ++++++++----------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 8022121cb3..8e95704c1b 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md 
@@ -20,50 +20,44 @@ ms.custom: # VAMT known issues -The following list and the section that follows contain the current known issues regarding the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1. +The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include: - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state. -- When opening a Computer Information List (CIL file) that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. -- The remaining activation count can only be retrieved for MAKs. +- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. The user must update the product status again to obtain the edition information. +- The remaining activation count can only be retrieved for Multiple Activation Key (MAKs). -## Can't add CSVLKs for Windows 10 activation to VAMT 3.1 +## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1 -When you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message: - -> The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online. +Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message. 
![VAMT error message](./images/vamt-known-issue-message.png) -This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. +This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. -### Workaround +### Method 1 -To work around this issue, use one of the following methods. +Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options). -**Method 1** +### Method 2 -Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command-line tool to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options). - -**Method 2** - -On the KMS host computer, follow these steps: +On the KMS host computer, perform the following steps: 1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/). -1. In Windows Explorer, right-click **485392_intl_x64_zip**, and then extract the hotfix to **C:\KB3058168**. +1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168. -1. To extract the contents of the update, open a Command Prompt window and run the following command: +1. To extract the contents of the update, run the following command. 
```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` -1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: +1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command. ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 ``` -1. In the "C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716\" folder, copy the **pkeyconfig-csvlk.xrm-ms** file. Paste this file to the "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig" folder. +1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder. 1. Restart VAMT. From 8414a18bb79f3cf889b5c88e33498f73d6ea0cf2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:30:34 -0800 Subject: [PATCH 06/12] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 73d6b7ed23..1e00cd20dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: levinec -ms.author: ellevin +author: denisebmsft +ms.author: deniseb ms.date: 01/08/2020 ms.reviewer: manager: dansimp From 7e395b4bbb522c1539b57dc1a1c12cab86ef71f3 Mon Sep 17 00:00:00 2001 
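Review bot: in the `@@ -20,50 +20,44 @@` hunk of PATCH 05/12, the rewritten intro line keeps the stray period in `versions 3.0. and 3.1`, and `Multiple Activation Key (MAKs)` should read `Multiple Activation Keys (MAKs)`. Dropping the quoted error text `> The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online.` leaves the message only in the screenshot, which hurts search and screen-reader users; keep the blockquote alongside the image. The new heading `Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1` also names the fix rather than the problem, so a reader searching for the error is less likely to land on it; the previous `Can't add CSVLKs ...` title, or a title that mentions both, would serve better.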
From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:37:36 -0800 Subject: [PATCH 07/12] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 1e00cd20dd..6c243891bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -57,7 +57,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. 
@@ -66,7 +66,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: 
@@ -79,15 +79,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default -Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. +Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default -Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**. -Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. +Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. The result will be that DEP will be enabled for *test.exe*. 
DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. @@ -116,7 +116,7 @@ CFG will be enabled for *miles.exe*. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) 6. Click **OK** to save each open blade and click **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Click the profile. Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM From b80f8a82bb88e5851adb6c78abc94cda0d182872 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Wed, 8 Jan 2020 15:37:44 -0800 Subject: [PATCH 08/12] Update vamt-known-issues.md --- windows/deployment/volume-activation/vamt-known-issues.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 8e95704c1b..2259c02d2f 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md 
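Review bot: the rewritten step 7 in the `@@ -116,7 +116,7 @@` hunk breaks both the sentence and the bold markup: `7. Click the profile. Assignments**, assign to **All Users & All Devices**, and click **Save**.` drops the opening `**` before `Assignments` and inserts a stray period, so the page will render a literal `**` and read as two fragments. The original `7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.` was correct; restore it, or if the intent was a separate sentence, write `Click the profile. Under **Assignments**, assign to **All Users & All Devices**, and click **Save**.`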
@@ -23,12 +23,12 @@ ms.custom: The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include: - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state. -- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. The user must update the product status again to obtain the edition information. +- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information. - The remaining activation count can only be retrieved for Multiple Activation Key (MAKs). ## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1 -Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message. +Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here. ![VAMT error message](./images/vamt-known-issue-message.png) 
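Review bot: two unchanged context lines next to this edit carry slips that should be fixed in the same pass: `versions 3.0. and 3.1` has a stray period after `3.0`, and `Multiple Activation Key (MAKs)` should read `Multiple Activation Keys (MAKs)`. The wording changes themselves (`The user must` to `You must`, `the following error message` to `the error message shown here`) match the second-person voice used in the rest of the hunk.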
@@ -46,13 +46,13 @@ On the KMS host computer, perform the following steps: 1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168. -1. To extract the contents of the update, run the following command. +1. To extract the contents of the update, run the following command: ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` -1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command. +1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 From 008df50151f6260e41b29d0b7f89398c71196226 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:45:16 -0800 Subject: [PATCH 09/12] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 6c243891bb..1820384542 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
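Review bot: the two `expand` commands in this hunk spell the destination folder differently, `C:\KB3058168\` with a trailing backslash and uppercase drive letter in the first and `c:\KB3058168` without either in the second; they name the same folder, but readers who copy both commands will wonder whether the difference is significant, so make the two arguments identical. The period-to-colon change before each command is the right convention for a sentence that introduces a code block.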
@@ -89,8 +89,7 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. -CFG will be enabled for *miles.exe*. +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -116,7 +115,7 @@ CFG will be enabled for *miles.exe*. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) 6. Click **OK** to save each open blade and click **Create**. -7. Click the profile. Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM From 2807d1ff9b8144047a35e0ece351da251ebfd1b5 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 Jan 2020 16:09:28 -0800 Subject: [PATCH 10/12] minor updates --- windows/client-management/mdm/policy-csp-defender.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c19a6e5c4a..1539c913c4 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
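Review bot: the second hunk here (`@@ -116,7 +115,7 @@`) restores `7. Click the profile **Assignments**, ...`, which is exactly the line broken earlier in this same series (PATCH 01/12); rather than ship an intermediate commit whose page renders a stray `**`, squash this fix into that earlier commit. The first hunk only joins the two `The result will be ...` sentences onto a single line, which has no effect on the rendered Markdown, so it is harmless but worth a mention in the commit message since the diff stat otherwise suggests a content change.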
@@ -3068,7 +3068,7 @@ The following list shows the supported values: Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. -This value is a list of threat severity level IDs and corresponding actions, separated by a| using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 +This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3". The following list shows the supported values for threat severity levels: From 870b00084417f26f40c5d1c805bc4f7df5204f4f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 8 Jan 2020 16:10:21 -0800 Subject: [PATCH 11/12] Changed "dlls" to "DLLs" --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 1820384542..36853a0451 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -221,7 +221,7 @@ Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available -\[1\]: Use the following format to enable EAF modules for dlls for a process: +\[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
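Review bot: the `dlls` to `DLLs` capitalization fix in PATCH 11/12 is correct, but the unchanged context row just above the change, `Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available`, appears to misspell the mitigation name (`Depency`). Readers copy these names directly into `Set-ProcessMitigation -Enable`, where a misspelled value is rejected, so verify the spelling against the cmdlet's accepted values and correct it here or in a follow-up.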
From dc4d0108f6cb5964ee5dd5bfc455341aef4fca83 Mon Sep 17 00:00:00 2001 From: Dulce Montemayor Date: Thu, 9 Jan 2020 08:31:43 -0800 Subject: [PATCH 12/12] Moved RBAC to GA --- .../threat-protection/microsoft-defender-atp/preview.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index c06d033182..b02f8e485d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -45,8 +45,6 @@ The following features are included in the preview release: - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. - - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. - - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
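Review bot: the subject `Moved RBAC to GA` does not match the diff, which only deletes the `Threat & Vulnerability Management role-based access controls` entry and its description from the preview list (`1 file changed, 2 deletions(-)`); nothing in this patch adds the feature to a generally-available or what's-new page. Either include that counterpart change in the same commit so the feature does not disappear from the documentation in between, or reword the subject to say the entry is being removed from the preview list and reference where the GA entry lives.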