Merge branch 'traya1-delete-folder' into benny-delete-toc-topics

.acrolinx-config.edn

@@ -11,7 +11,7 @@
              }
      :scores {
               ;;:terminology 100
-              :qualityscore 65 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
+              :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
               ;;:spelling 40
              }
    }

browsers/edge/microsoft-edge-kiosk-mode-deploy.md

@@ -11,7 +11,7 @@ ms.prod: edge
 ms.sitesec: library
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 01/17/2020
+ms.date: 02/16/2021
 ---
 
 # Deploy Microsoft Edge Legacy kiosk mode
@@ -22,7 +22,7 @@ ms.date: 01/17/2020
 > Professional, Enterprise, and Education
 
 > [!NOTE]
-> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
+> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode).
 
 In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk.  Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
 

windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md

@@ -731,7 +731,6 @@ ms.date: 07/18/2019
 - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
 - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
 - [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
 - [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
 - [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
 - [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -7571,9 +7571,6 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-search.md#search-allowcloudsearch" id="search-allowcloudsearch">Search/AllowCloudSearch</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowcortanainaad" id="search-allowcortanainaad">Search/AllowCortanaInAAD</a>
-  </dd>
   <dd>
     <a href="./policy-csp-search.md#search-allowfindmyfiles" id="search-allowfindmyfiles">Search/AllowFindMyFiles</a>
   </dd>

windows/client-management/mdm/policy-csp-search.md

@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/12/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -25,9 +25,6 @@ manager: dansimp
   <dd>
     <a href="#search-allowcloudsearch">Search/AllowCloudSearch</a>
   </dd>
-  <dd>
-    <a href="#search-allowcortanainaad">Search/AllowCortanaInAAD</a>
-  </dd>
   <dd>
     <a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a>
   </dd>
@@ -137,7 +134,6 @@ The following list shows the supported values:
 <hr/>
 
 <!--Policy-->
-<a href="" id="search-allowcortanainaad"></a>**Search/AllowCortanaInAAD**  
 
 <!--SupportedSKUs-->
 <table>
@@ -178,30 +174,6 @@ The following list shows the supported values:
 
 <hr/>
 
-<!--/Scope-->
-<!--Description-->
-Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:  
--   GP English name: *Allow Cortana Page in OOBE on an AAD account*
--   GP name: *AllowCortanaInAAD*
--   GP path: *Windows Components/Search*
--   GP ADMX file name: *Search.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup.
--   1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles**  
 

windows/configuration/docfx.json

@@ -37,7 +37,7 @@
       "audience": "ITPro",
       "ms.topic": "article",
       "feedback_system": "None",
-      "hideEdit": true,
+      "hideEdit": false,
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.win-configuration",

windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md

@@ -147,7 +147,7 @@ On **MDT01**:
 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
 
-![acroread](../images/acroread.png)
+![acroread image](../images/acroread.png)
 
 The Adobe Reader application added to the Deployment Workbench.
 
@@ -267,7 +267,7 @@ On **MDT01**:
 
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
 
-![ThinkStation](../images/thinkstation.png)
+![ThinkStation image](../images/thinkstation.png)
 
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
 
@@ -361,6 +361,9 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
 
 ### Configure the rules
 
+> [!NOTE]
+> The following instructions assume the device is online. If you're offline you can remove SLShare variable.
+
 On **MDT01**:
 
 1. Right-click the **MDT Production** deployment share and select **Properties**.
@@ -533,7 +536,7 @@ On **MDT01**:
 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
 
-  ![DaRT](../images/dart.png)
+  ![DaRT image](../images/dart.png)
 
 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
@@ -604,13 +607,13 @@ On **HV01**:
     2.  Installs the added application.
     3.  Updates the operating system via your local Windows Server Update Services (WSUS) server.
 
-![pc0005](../images/pc0005-vm.png)
+![pc0005 image1](../images/pc0005-vm.png)
 
 ### Application installation
 
 Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically.
 
- ![pc0005](../images/pc0005-vm-office.png)
+ ![pc0005 image2](../images/pc0005-vm-office.png)
 
 ### Use the MDT monitoring feature
 
@@ -731,7 +734,7 @@ On **MDT01**:
 The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
 
 >[!TIP] 
->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. This means you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\<SkipWimSplit\>True\</SkipWimSplit\>), so this must be changed and the offline media content updated.
+>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\<SkipWimSplit\>True\</SkipWimSplit\>), so this must be changed and the offline media content updated.
 
 Follow these steps to create a bootable USB stick from the offline media content:
 

windows/deployment/update/windows-update-logs.md

@@ -31,7 +31,7 @@ The following table describes the log files created by Windows Update.
 To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). 
 
 >[!NOTE]
->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. 
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again. 
  
 ### Windows Update log components 
 The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: 

windows/deployment/vda-subscription-activation.md

@@ -32,25 +32,28 @@ Deployment instructions are provided for the following scenarios:
 - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
 - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
 - VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
 
 ## Activation
 
 ### Scenario 1
+
 - The VM is running Windows 10, version 1803 or later.
 - The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
 
     When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
 
 ### Scenario 2
+
 - The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
 
     [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
 
 ### Scenario 3
+
 - The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
 
-    In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
+    In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems).
 
 For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience).
 
@@ -69,7 +72,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https:
 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again.
 7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20.
 8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-9. Open Windows Configuration Designer and click **Provison desktop services**.
+9. Open Windows Configuration Designer and click **Provision desktop services**.
 10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
         - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
 11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
@@ -111,7 +114,7 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir
 3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
 4. Click **Add**, type **Authenticated users**, and then click **OK** three times.
 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-6. Open Windows Configuration Designer and click **Provison desktop services**.
+6. Open Windows Configuration Designer and click **Provision desktop services**.
 7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
     1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
     2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.

windows/security/includes/microsoft-defender.md

@@ -11,4 +11,4 @@ ms.topic: include
 ---
 
 > [!IMPORTANT]
-> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office, 365 Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences.
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences.

windows/security/threat-protection/TOC.md

@@ -118,7 +118,6 @@
 #### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
 #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
 
-
 ## Reference
 
 ### [Troubleshoot Microsoft Defender for Endpoint]()

windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md

@@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: pahuijbr
 manager: dansimp
-ms.date: 02/04/2021
+ms.date: 02/12/2021
 ms.technology: mde
 ---
 
@@ -78,11 +78,11 @@ All our updates contain
 <br/><br/>
 
 <details>
-<summary> January-2021 (Platform: 4.18.2101.8 | Engine: 1.1.17800.5)</summary>
+<summary> January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)</summary>
 
 &ensp;Security intelligence update version: **1.327.1854.0**  
 &ensp;Released: **February 2, 2021**  
-&ensp;Platform: **4.18.2101.8**  
+&ensp;Platform: **4.18.2101.9**  
 &ensp;Engine: **1.1.17800.5**  
 &ensp;Support phase: **Security and Critical Updates**
     
@@ -93,6 +93,7 @@ All our updates contain
 - Increased visibility for credential stealing attempts
 - Improvements in antitampering features in Microsoft Defender Antivirus services
 - Improved support for ARM x64 emulation
+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
 
 ### Known Issues
 No known issues  
@@ -146,7 +147,7 @@ After a new package version is released, support for the previous two versions i
 &ensp;Released: **October 01, 2020**  
 &ensp;Platform: **4.18.2009.7**  
 &ensp;Engine: **1.1.17500.4**  
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade support (only)**
     
 ### What's new
 
@@ -172,6 +173,7 @@ No known issues
 &ensp;Released: **August 27, 2020**  
 &ensp;Platform: **4.18.2008.9**  
 &ensp;Engine: **1.1.17400.5**  
+&ensp;Support phase: **Technical upgrade support (only)**
 
 ### What's new
 

windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md

@@ -0,0 +1,98 @@
+---
+title: Techniques in the device timeline
+description: Understanding the device timeline in Microsoft Defender for Endpoint
+keywords: device timeline, endpoint, MITRE, MITRE ATT&CK, techniques, tactics
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.technology: mde
+---
+
+# Techniques in the device timeline
+
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+
+You can gain more insight in an investigation by analyzing the events that happened on a specific device. First, select the device of interest from the [Devices list](machines-view-overview.md). On the device page, you can select the **Timeline** tab to view all the events that occurred on the device.
+
+## Understand techniques in the timeline
+
+>[!IMPORTANT]
+>Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+In Microsoft Defender for Endpoint, **Techniques** are an additional data type in the event timeline. Techniques provide more insight on activities associated with [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques. 
+
+This feature simplifies the investigation experience by helping analysts understand the activities that were observed on a device. Analysts can then decide to investigate further.
+
+For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed. 
+
+![Techniques in device timeline screenshot](images/device-timeline-with-techniques.png)
+
+Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information. 
+
+Search and Export options are also available for Techniques.
+
+## Investigate using the side pane
+
+Select a Technique to open its corresponding side pane. Here you can see additional information and insights like related ATT&CK techniques, tactics, and descriptions. 
+
+Select the specific *Attack technique* to open the related ATT&CK technique page where you can find more information about it.
+
+You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon.
+
+![Copy entity details](images/techniques-side-pane-clickable.png)
+
+You can do the same for command lines.
+
+![Copy command line](images/techniques-side-pane-command.png)
+
+
+## Investigate related events
+
+To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique.
+
+![Hunt for related events](images/techniques-hunt-for-related-events.png)
+
+>[!NOTE]
+>Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
+
+
+## Customize your device timeline
+
+On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline. 
+
+You can customize which columns to expose. You can also filter for flagged events by data type or by event group.
+
+### Choose columns to expose
+You can choose which columns to expose in the timeline by selecting the **Choose columns** button.
+
+![Customize columns](images/filter-customize-columns.png)
+
+From there you can select which information set to include.
+
+### Filter to view techniques or events only
+
+To view only either events or techniques, select **Filters** from the device timeline and choose your preferred Data type to view.
+
+![Filters screenshot](images/device-timeline-filters.png)
+
+
+
+## See also
+- [View and organize the Devices list](machines-view-overview.md)
+- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md) 
+
+
+