Merge branch 'master' into proxy

2025-06-23 22:33:41 +00:00 · 2020-04-01 10:51:26 -07:00
parent dd38b1b8e1 62772b0f16
commit e2d8b47664
41 changed files with 609 additions and 439 deletions
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@ -172,17 +172,7 @@ You can try any of the processes included in these scenarios, but you should foc
            </ul>
        </td>
    </tr>
-    <tr>
-        <td>Stop Google Drive from syncing WIP protected files and folders.</td>
-        <td>
-            <ul>
-                <li>In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.</li>
-                <li>Google Drive details</li>
-                Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
-                File=GOOGLEDRIVESYNC.EXE
-            </ul>
-        </td>
-    </tr>
+    
 </table>

 >[!NOTE]
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -332,8 +332,12 @@
 ###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
 ##### [Update](microsoft-defender-atp/linux-updates.md)
 ##### [Configure]()
+###### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
 ###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
 ###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+##### [Troubleshoot]()
+###### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
+###### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
 ##### [Resources](microsoft-defender-atp/linux-resources.md)


--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@ -30,13 +30,19 @@ Windows Defender Antivirus is the [next generation protection](https://www.youtu

 **Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**

-### AV-TEST: Protection score of 6.0/6.0 in the latest test
+### AV-TEST: Protection score of 5.5/6.0 in the latest test

 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").

- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
+- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) <sup>**Latest**</sup>

-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889 malware samples used. This industry-leading antivirus solution has consistently achieved a perfect Protection score in all AV-TEST cycles in the past 14 months.
+    Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
+
+- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
+
+- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
+
+- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)

 - May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)

@ -52,9 +58,11 @@ The AV-TEST Product Review and Certification Report tests on three categories: p

 Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.

- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
+- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) <sup>**Latest**</sup>

-    Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.9% in the latest test.
+    Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
+
+- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) 

 - Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)

@ -66,9 +74,11 @@ Business Security Test consists of three main parts: the Real-World Protection T

 SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.

- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
+- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) <sup>**pdf**</sup> 

-    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.
+    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
+
+- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)

 - Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)

--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@ -25,7 +25,7 @@ ms.topic: conceptual
 >[!NOTE]
 > Secure score is now part of Threat & Vulnerability Management as Configuration score.

-Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
+Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:

 - Application
 - Operating system
@ -33,7 +33,7 @@ Your Configuration score is visible in the [Threat & Vulnerability Management da
 - Accounts
 - Security controls

-A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.

 ## How it works

@ -43,35 +43,31 @@ A higher configuration score means your endpoints are more resilient from cybers
 The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:

 - Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
 - Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
 - Collect and monitor changes of security control configuration state from all assets

-From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
-
 ## Improve your security configuration

-You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
+You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.

-1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls.
+1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.

 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.

   ![Security controls related security recommendations](images/tvm_security_controls.png)

-3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.

-   >![Request remediation](images/tvm_request_remediation.png).
-
-   You will see a confirmation message that the remediation task has been created.
+4. **Submit request**. You will see a confirmation message that the remediation task has been created.
   >![Remediation task creation confirmation](images/tvm_remediation_task_created.png)

-4. Save your CSV file.
+5. Save your CSV file.
   ![Save csv file](images/tvm_save_csv_file.png)

-5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.

-6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
+7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.

 >[!IMPORTANT]
 >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
@ -86,17 +82,14 @@ You can improve your security configuration when you remediate issues from the s

 ## Related topics

+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
--- a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@ -0,0 +1,111 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Linux
+description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+> [!IMPORTANT]
+> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
+
+> [!WARNING]
+> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | .test
+File | A specific file identified by the full path | /var/log/test.log
+Folder | All files under the specified folder | /var/log/
+Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
+
+## How to configure the list of exclusions
+
+### From the management console
+
+For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+### From the command line
+
+Run the following command to see the available switches for managing exclusions:
+
+```bash
+$ mdatp --exclusion
+```
+
+Examples:
+
+- Add an exclusion for a file extension:
+
+    ```bash
+    $ mdatp --exclusion --add-extension .txt
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a file:
+
+    ```bash
+    $ mdatp --exclusion --add-folder /var/log/dummy.log
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a folder:
+
+    ```bash
+    $ mdatp --exclusion --add-folder /var/log/
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a process:
+
+    ```bash
+    $ mdatp --exclusion --add-process cat
+    Configuration updated successfully
+    ```
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
+
+```bash
+$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---

-# Configuring Microsoft Defender ATP for static proxy discovery
+# Configure Microsoft Defender ATP for Linux for static proxy discovery

 **Applies to:**

--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@ -0,0 +1,91 @@
+---
+title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Run the connectivity test
+
+To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
+
+## Troubleshooting steps for environments without proxy or with transparent proxy
+
+To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
+
+```bash
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to:
+
+```
+OK https://x.cp.wd.microsoft.com/api/report
+OK https://cdn.x.cp.wd.microsoft.com/ping
+```
+
+## Troubleshooting steps for environments with static proxy
+
+> [!WARNING]
+> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
+>
+> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
+
+If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
+
+```bash
+$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
+
+To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
+
+```bash
+#Environment="HTTPS_PROXY=http://address:port"
+```
+
+Also ensure that the correct static proxy address is filled in to replace `address:port`.
+
+If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
+
+```bash
+$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+```
+
+Upon success, attempt another connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the problem persists, contact customer support.
+
+## Resources
+
+- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@ -0,0 +1,82 @@
+---
+title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
+description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Troubleshoot performance issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+
+Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
+
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
+
+The following steps can be used to troubleshoot and mitigate these issues:
+
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
+
+    If your device is not managed by your organization, real-time protection can be disabled from the command line:
+
+    ```bash
+    $ mdatp --config realTimeProtectionEnabled false
+    ```
+
+    If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux. 
+
+    > [!NOTE]
+    > This feature is available in version 100.90.70 or newer.
+
+    This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
+ 
+    ```bash
+    $ mdatp config real_time_protection_statistics_enabled on
+    ```
+
+    This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+
+    ```bash
+    $ mdatp health
+    ```
+
+    Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
+
+    ```bash
+    $ mdatp --config realTimeProtectionEnabled true
+    ```
+
+    To collect current statistics, run:
+
+    ```bash
+    $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+    ```
+
+    The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
+
+    > [!NOTE]
+    > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
+
+3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+
+4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+    See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@ -64,7 +64,7 @@ Select the type of exclusion that you wish to add and follow the prompts.

 You can validate that your exclusion lists are working by using `curl` to download a test file.

-In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.

 ```bash
 $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
@ -72,7 +72,7 @@ $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt

 If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).

-If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:

 ```bash
 echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@ -122,7 +122,7 @@ It's important to understand the following prerequisites prior to creating indic

 >[!IMPORTANT]
 > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS): <br>
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
 > NOTE:
 >- IP is supported for all three protocols
 >- Encrypted URLs (full path) can only be blocked on first party browsers
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@ -117,25 +117,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov

 If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).

-## Validating cloud connectivity
-
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
-
-If you prefer the command line, you can also check the connection by running the following command in Terminal:
-
-```bash
-$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to the following:
-
-> `OK https://x.cp.wd.microsoft.com/api/report`  
-> `OK https://cdn.x.cp.wd.microsoft.com/ping`
-
-Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
-```bash
-$ mdatp --connectivity-test
-```
+For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.

 ## How to update Microsoft Defender ATP for Linux

--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@ -96,7 +96,7 @@ Ensure that your machines:
 ## Related topics

 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@ -104,10 +104,6 @@ Ensure that your machines:
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
 - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@ -27,6 +27,16 @@ ms.topic: article

 [!include[Prerelease information](../../includes/prerelease.md)]

+## APIs
+
+Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
+
+- [Machine APIs](machine.md)
+- [Recommendation APIs](vulnerability.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
+
 ## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit

 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
@ -85,16 +95,6 @@ To view a list of version that have reached end of support, or end or support so

 After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.

-## Use APIs
-
-Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
-
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
-
 ## Related topics

 - [Supported operating systems and platforms](tvm-supported-os.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@ -85,8 +85,8 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico

 ## Related topics

+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@ -94,4 +94,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@ -70,21 +70,16 @@ To lower your threat and vulnerability exposure, follow these steps.

 6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.

-
 ## Related topics

+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@ -26,61 +26,32 @@ ms.topic: conceptual
 >[!NOTE]
 >To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.

-After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.

 Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.

-## How remediation requests work
+## Navigate to the Remediation page

-When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
-
-The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
-
-## Accessing the remediation page
-
-You can access the remediation page in a few places in the portal:
-
- Security recommendations flyout panel
- Navigation menu
- Top remediation activities in the dashboard
-
-### Security recommendation flyout page
-
-You'll see remediation options when you select one of the security recommendations in the [Security recommendations page](tvm-security-recommendation.md).
-
-1. From the flyout panel, you'll see the security recommendation details including next steps. Select **Remediation options**.
-2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
-3. Select a remediation due date.
-4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
-
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
-
-If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+You can access the remediation page though the navigation menu, and top remediation activities in the dashboard.

 ### Navigation menu

-1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
-      
-      To see software which has reached end-of-support, select **Software uninstall** from the **Remediation type** filter. For specific software versions which have reached end-of-support, select **Software update** from the **Remediation type** filter. Select **In progress** then **Apply**.
-![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
-
-2. Select the remediation activity that you want to view.
+Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. Select the remediation activity that you want to view.
 ![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png)

 ### Top remediation activities in the dashboard

-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
-2. Select the remediation activity that you want to view.
+View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.

+## Remediation activities

-## Exception options
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+
+## Exceptions

 You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).

-When you select a [security recommendation](tvm-security-recommendation.md), it opens a flyout screen with details and options for your next steps. Select **Exception options** to fill out the justification and context.
-
-![Screenshot of exception flyout screen](images/tvm-exception-flyout.png)
+[File for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md).

 ### Exception justification

@ -131,18 +102,14 @@ The exception impact shows on both the Security recommendations page column and

 ## Related topics

+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@ -27,7 +27,7 @@ ms.topic: conceptual

 [!include[Prerelease information](../../includes/prerelease.md)]

-Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendation helps shorten the time to mitigate or remediate vulnerabilities and drive compliance.
+Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.

 Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.

@ -43,7 +43,11 @@ Each machine in the organization is scored based on three important factors to h

 ## Navigate to security recommendations

-You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page.
+You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management navigation menu, dashboard, software page, and machine page.
+
+### Navigation menu
+
+Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.

 ### Top security recommendations in the Threat & Vulnerability Management dashboard

@ -53,21 +57,17 @@ In a given day as a Security Administrator, you can take a look at the [Threat &

 The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.

-### Navigation menu
-
-Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
-
 ## Security recommendations overview

-You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
+View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.

-The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
+The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.

 ![Screenshot of security recommendations page](images/tvmsecrec-updated.png)

 ### Icons

-Useful icons also quickly calls your attention to <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>
+Useful icons also quickly calls your attention to: <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>

 ### Investigate

@ -77,22 +77,22 @@ Select the security recommendation that you want to investigate or process.

 From the flyout, you can do any of the following:

- **Open software page** - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
+- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.

 - **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.

- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
+- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.

 >[!NOTE]
 >When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.

 ## Request remediation

-The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.

 ### Enable Microsoft Intune connection

-To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.

 See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.

@ -106,16 +106,18 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT

 4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.

+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
 >[!NOTE]
 >If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.

 ## File for exception

-With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
+As an alternative to a remediation request, you can create exceptions for recommendations.

 There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.

-Exceptions can be created for both *Security update* and *Configuration change* recommendations.
+Exceptions can be created for both Security update and Configuration change recommendations.

 When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.

@ -127,10 +129,8 @@ When an exception is created for a recommendation, the recommendation is no long
 > ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)

 3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
-![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)

-4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
-![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
+4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past).

 ## Report inaccuracy

@ -149,21 +149,16 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.


-
 ## Related topics

+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md) 
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@ -45,7 +45,8 @@ Some of the above prerequisites might be different from the [Minimum requirement

 ## Related topics

- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@ -53,4 +54,5 @@ Some of the above prerequisites might be different from the [Minimum requirement
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@ -36,7 +36,7 @@ This article  describes how to configure exclusion lists for the files and folde

 Exclusion | Examples | Exclusion list
 ---|---|---
-Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
+Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test`  | Extension exclusions
 Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
 A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
 A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
@ -292,4 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with

 - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@ -55,8 +55,8 @@ No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new
 **Client Versions**

 | Name | Build | Baseline Release Date | Security Tools |
-|---|---|---|---|
-|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| ---- | ----- | --------------------- | -------------- |
+| Windows 10 | [1809 (October 2018)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019) <br>[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft) <br>[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <br> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <br>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <br>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <br>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018 <br>March 2018 <br>October 2017 <br>August 2017 <br>October 2016 <br>January 2016<br> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
 Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
 Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:

 -   Windows 10 security baselines
+    -   Windows 10 Version 1909 (November 2019 Update)
+    -   Windows 10 Version 1903 (April 2019 Update)
    -   Windows 10 Version 1809 (October 2018 Update)
    -   Windows 10 Version 1803 (April 2018 Update)
    -   Windows 10 Version 1709 (Fall Creators Update)
@ -41,7 +43,11 @@ The Security Compliance Toolkit consists of:
    -   Windows Server 2012 R2

 -   Microsoft Office security baseline
+    -   Office 365 Pro Plus
    -   Office 2016 
+    
+-   Microsoft Edge security baseline
+    -   Edge Browser Version 80

 -   Tools
    -   Policy Analyzer tool