Merge branch 'master' into dg-block-list-rs5

windows/security/threat-protection/TOC.md

@@ -73,8 +73,8 @@
 
 
 #### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Threat analytics](windows-defender-atp/threat-analytics.md)
-###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [Threat analytics](windows-defender-atp/threat-analytics.md)
+
 #### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
 ##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
 ###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
@@ -127,10 +127,10 @@
 
 ### [Configure and manage capabilities](windows-defender-atp/onboard.md)
 #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
-####Hardware-based isolation
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
+#####Hardware-based isolation
+###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
+####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
 ##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 ##### Device control
 ###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -139,7 +139,6 @@
 ######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
 ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 ##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
 ##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
@@ -235,11 +234,13 @@
 ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
    
-##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
-###### Create your app
-####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
-####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
-###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+##### [Windows Defender ATP API](windows-defender-atp/use-apis.md)
+###### [Get started with Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
+####### [Hello World](windows-defender-atp/api-hello-world.md)
+####### [Get access with application context](windows-defender-atp/exposed-apis-create-app-webapp.md)
+####### [Get access with user context](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+###### [APIs](windows-defender-atp/exposed-apis-list.md)
+
 ####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
 
 ####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
@@ -253,6 +254,33 @@
 ######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
 ######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
 
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+######## [Initiate investigation (preview)](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md)
+
+####### [Indicators (preview)](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Submit Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [List Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Delete Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+
 ####### Domain
 ######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
@@ -271,28 +299,6 @@
 ######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
 ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
-####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
-######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
-######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
-######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
-
-
-####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
-######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
-######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
-######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
-######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
-######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
-######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
-######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
-######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
-######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
-######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
-
 ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
@@ -329,14 +335,15 @@
 ###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
 ###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+###### [Windows Defender ATP SIEM alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+###### [Pull alerts using SIEM REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 ###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
 
 ##### Reporting
 ###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
 ###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md)
+###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md)
 
 ##### Role-based access control
 ###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
@@ -381,7 +388,8 @@
   
 #####Rules
 ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
   
@@ -406,6 +414,7 @@
 ####Troubleshoot attack surface reduction
 ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
 ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
  
 #### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
 

windows/security/threat-protection/auditing/event-4716.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 04/04/2019
 ---
 
 # 4716(S): Trusted domain information was modified.
@@ -132,7 +132,7 @@ This event is generated only on domain controllers.
 | 0x8   | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE                       | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                   |
 | 0x10  | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION                      | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                                                                                                                                        |
 | 0x20  | TRUST\_ATTRIBUTE\_WITHIN\_FOREST                           | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
 | 0x80  | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION                    | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT                                                                                                                                                                                                                                          |
 | 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 | 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST                               | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater.                                                                                                                                                                                                                                                                                                                                   |

windows/security/threat-protection/intelligence/coinminer-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Coin miners
 

windows/security/threat-protection/intelligence/criteria.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # How Microsoft identifies malware and potentially unwanted applications

windows/security/threat-protection/intelligence/exploits-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Exploits and exploit kits
 

windows/security/threat-protection/intelligence/fileless-threats.md

@@ -12,11 +12,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Fileless threats
 
-What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. 
+What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate.
 
 Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
 
@@ -25,13 +26,13 @@ To shed light on this loaded term, we grouped fileless threats into different ca
 ![Comprehensive diagram of fileless malware](images/fileless-malware.png)<br>
 *Figure 1. Comprehensive diagram of fileless malware*
 
-We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. 
+We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
 
 Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
 
 Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
 
-This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. 
+This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
 
 From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
 
@@ -39,7 +40,7 @@ From this categorization, we can glean three big types of fileless threats based
 
 A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
 
-Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. 
+Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
 
 Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
 
@@ -68,7 +69,7 @@ Having described the broad categories, we can now dig into the details and provi
 
 **File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
 
-**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. 
+**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
 
 ### Hardware
 
@@ -76,9 +77,9 @@ Having described the broad categories, we can now dig into the details and provi
 
 **CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
 
-**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. 
+**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
 
-**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). 
+**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
 
 **Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
 

windows/security/threat-protection/intelligence/macro-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Macro malware
 

windows/security/threat-protection/intelligence/malware-naming.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Malware names
 

windows/security/threat-protection/intelligence/phishing.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Phishing
@@ -83,6 +84,7 @@ Enterprises should educate and train their employees to be wary of any communica
 Here are several telltale signs of a phishing scam:
 
 * The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to.
+
     ![example of how exploit kits work](./images/URLhover.png)
 
 * There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.

windows/security/threat-protection/intelligence/prevent-malware-infection.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Prevent malware infection
 

windows/security/threat-protection/intelligence/ransomware-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Ransomware
 

windows/security/threat-protection/intelligence/rootkits-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Rootkits
 

windows/security/threat-protection/intelligence/safety-scanner-download.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Microsoft Safety Scanner
 

windows/security/threat-protection/intelligence/submission-guide.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Submit files for analysis

windows/security/threat-protection/intelligence/supply-chain-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Supply chain attacks
@@ -48,15 +49,17 @@ To learn more about supply chain attacks, read this blog post called [attack inc
 
 ### For software vendors and developers
 
-* Take steps to ensure your apps are not compromised.
-
-* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
+* Maintain a highly secure build and update infrastructure.
   * Immediately apply security patches for OS and software.
-
+  * Implement mandatory integrity controls to ensure only trusted tools run.
   * Require multi-factor authentication for admins.
 
-* Build secure software update processes as part of the software development lifecycle.
+* Build secure software updaters as part of the software development lifecycle.
+  * Require SSL for update channels and implement certificate pinning.
+  * Sign everything, including configuration files, scripts, XML files, and packages.
+  * Check for digital signatures, and don’t let the software updater accept generic input and commands.
 
 * Develop an incident response process for supply chain attacks.
+  * Disclose supply chain incidents and notify customers with accurate and timely information
 
 For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).

windows/security/threat-protection/intelligence/support-scams.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Tech support scams
 

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Top scoring in industry tests
@@ -40,9 +41,13 @@ Windows Defender Antivirus is  part of the  [next generation](https://www.youtub
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
 
-- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) <sup>**Latest**</sup>
+- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) <sup>**Latest**</sup>
 
-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. This is the fourth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
+
+- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
+
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples.
 
 - September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
 

windows/security/threat-protection/intelligence/trojans-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Trojans

windows/security/threat-protection/intelligence/understanding-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: conceptual
+search.appverid: met150
 ---
 # Understanding  malware & other threats
 

windows/security/threat-protection/intelligence/unwanted-software.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Unwanted software
 

windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md

@@ -49,4 +49,4 @@ To be eligible for VIA your organization must:
 
 3. Be willing to sign and adhere to the VIA membership agreement.
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -18,29 +18,25 @@ ms.topic: article
 
 The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows.
 
-Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers.
+MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to security related events and conferences.
 
-MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences.
-
-MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community.
+MVI requires members to develop and own antimalware technology and to be present in the antimalware industry community.
 
 ## Join MVI
 
 A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology.
 
-The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product.
 
 ### Initial selection criteria
 
-Your organization must meet the following eligibility requirements to participate in the MVI program:
+Your organization must meet the following eligibility requirements to qualify for the MVI program:
 
 1. Offer an antimalware or antivirus product that is one of the following:
 
    * Your organization's own creation.
-   * Licensed from another organization, but your organization adds value such as additional Security intelligence.
-   * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions).
+   * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality.
 
-2. Have your own malware research team unless you distribute a Whitebox product.
+2. Have your own malware research team unless you build a product based on an SDK.
 
 3. Be active and have a positive reputation in the antimalware industry. Your organization is:
 
@@ -51,10 +47,10 @@ Your organization must meet the following eligibility requirements to participat
 
 5. Be willing to sign a program license agreement.
 
-6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows.
+6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows.
 
-7. Submit your AM app to Microsoft for periodic performance testing.
+7. Submit your app to Microsoft for periodic performance testing.
 
 ### Apply now
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/worms-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Worms

windows/security/threat-protection/mbsa-removal-and-guidance.md

@@ -19,12 +19,12 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
 ## The Solution 
 A script can help you with an alternative to MBSA’s patch-compliance checking:
  
-- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script. 
+- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. 
 For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
  
 For example:
  
-[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)) 
+[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
 [![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) 
   
 The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.

windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md

@@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 04/01/2019
 ---
 
 # Audit: Audit the use of Backup and Restore privilege
@@ -80,7 +80,7 @@ When the backup and restore function is used, it creates a copy of the file syst
 ### Countermeasure
 
 Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
-For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879).
+For more information about configuring this key, see [Eventlog Key](https://docs.microsoft.com/windows/desktop/EventLog/eventlog-key).
 
 ### Potential impact
 

windows/security/threat-protection/security-policy-settings/create-global-objects.md

@@ -89,16 +89,6 @@ By default, members of the **Administrators** group, the System account, and ser
 
 When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right.
 
-### Vulnerability
-
->**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
- 
-Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition.
-
-### Countermeasure
-
-Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned.
-
 ### Potential impact
 
 None. Not Defined is the default domain policy configuration.

windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md

@@ -15,12 +15,12 @@ ms.topic: conceptual
 ms.date: 04/19/2017
 ---
 
-# Network security: Configure encryption types allowed for Kerberos Win7 only
+# Network security: Configure encryption types allowed for Kerberos
 
 **Applies to**
 -   Windows 10
 
-Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting.
+Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
 
 ## Reference
 
@@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
 | Default domain policy| Not defined|
 | Default domain controller policy| Not defined|
 | Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.|
-| Member server effective default settings | None of these encryption types that are available in this policy are allowed.|
-| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|
+| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.|
+| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.|
+| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|
  
 ## Security considerations
 

windows/security/threat-protection/security-policy-settings/profile-system-performance.md

@@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
 
 ### Default values
 
-By default this setting is Administrators on domain controllers and on stand-alone servers.
+By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers.
 
 The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
 

windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md

@@ -33,6 +33,8 @@ Custom exclusions take precedence over automatic exclusions.
 > [!TIP]
 > Custom and duplicate exclusions do not conflict with automatic exclusions.
 
+
+
 Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
 
 ## Opt out of automatic exclusions
@@ -45,6 +47,9 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig
 > [!NOTE]
 > This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
 
+> [!TIP]
+> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+
 You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
 
 **Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
@@ -382,4 +387,4 @@ This section lists the folder exclusions that are delivered automatically when y
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md

@@ -41,7 +41,7 @@ System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection poi
 Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
 PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
 Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
 
 1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
   

windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md

@@ -45,6 +45,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca
     - **Send safe samples automatically**
     - **Send all samples automatically**
 
+        >[!NOTE]
+        >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
         > [!WARNING]
         > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
 
@@ -73,6 +76,9 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
     1. **Send safe samples** (1)
     2. **Send all samples** (3)
 
+        >[!NOTE]
+        >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
         > [!WARNING]
         > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -0,0 +1,513 @@
+---
+title: Microsoft Defender ATP for Mac
+description: Describes how to install and use Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Mac
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. 
+Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. 
+
+## Prerequisites
+You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
+
+You should also have access to Windows Defender Security Center.
+
+### System Requirements
+Microsoft Defender ATP for Mac system requirements:
+- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
+- Disk space during preview: 1GB 
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+
+| Service        | Description                          | URL                                                                  |
+| -------------- |:------------------------------------:| --------------------------------------------------------------------:|
+| ATP            | Advanced threat protection service   | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` |
+
+To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
+
+```
+    mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
+    OK
+```
+
+We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. 
+SIP is a built-in macOS security feature that prevents low-level tampering with the OS.
+
+## Installation and configuration overview
+There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. 
+In general you'll need to take the following steps:
+  - [Register macOS devices](#register-macos-devices) with Windows Defender ATP
+  - Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
+  - [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
+  - [JAMF based deployment](#jamf-based-deployment)
+  - [Manual deployment](#manual-deployment)
+
+## Deploy Microsoft Defender ATP for Mac
+Use any of the supported methods to deploy Microsoft Defender ATP for Mac
+
+## Microsoft Intune based deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+5.  Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+6. From a command prompt, verify that you have the three files. 
+    Extract the contents of the .zip files:
+    
+    ```
+    mavel-macmini:Downloads test$ ls -l
+    total 721688
+    -rw-r--r--  1 test  staff     269280 Mar 15 11:25 IntuneAppUtil
+    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+      inflating: intune/kext.xml
+      inflating: intune/WindowsDefenderATPOnboarding.xml
+      inflating: jamf/WindowsDefenderATPOnboarding.plist
+    mavel-macmini:Downloads test$
+    ```
+7.  Make IntuneAppUtil an executable:
+
+    ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
+
+8. Create the wdav.pkg.intunemac package from wdav.pkg:
+
+    ```
+    mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+    Microsoft Intune Application Utility for Mac OS X
+    Version: 1.0.0.0
+    Copyright 2018 Microsoft Corporation
+
+    Creating intunemac file for /Users/test/Downloads/wdav.pkg
+    Composing the intunemac file output
+    Output written to ./wdav.pkg.intunemac.
+
+    IntuneAppUtil successfully processed "wdav.pkg",
+    to deploy refer to the product documentation.
+    ```
+
+### Client Machine Setup
+You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
+
+1. You'll be asked to confirm device management.
+
+![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
+
+Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**:
+
+![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
+
+2. Select the **Continue** button and complete the enrollment.
+
+You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
+
+3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
+
+![Add Devices screenshot](images/MDATP_5_allDevices.png)
+
+### Create System Configuration profiles
+1.  In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**.
+2.  Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**.
+3.  Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+4.  Select **OK**.
+
+    ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
+
+5.  Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+7.  Repeat these steps with the second profile.  
+8.  Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. 
+9.  Select **Manage > Assignments**.  In the Include tab, select **Assign to All Users & All devices**.
+
+After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
+
+![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
+
+### Publish application
+
+1.  In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+2.  Select **App type=Other/Line-of-business app**.
+3.  Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+4.  Select **Configure** and add the required information.
+5.  Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
+
+    ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
+
+6. Select **OK** and **Add**.
+ 
+    ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
+
+7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**.
+
+    ![Client apps screenshot](images/MDATP_10_ClientApps.png)
+
+8. Change **Assignment type=Required**.
+9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+
+    ![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
+
+10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade:
+
+    ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
+
+### Verify client machine state
+1.  After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences  > Profiles**.
+
+    ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
+    ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
+
+2. Verify the three profiles listed there:
+    ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
+
+3.  The **Management Profile** should be the Intune system profile.
+4.  wdav-config and wdav-kext are system configuration profiles that we added in Intune.
+5.  You should also see the Microsoft Defender icon in the top-right corner:
+
+    ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+## JAMF based deployment
+### Prerequsites
+You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. 
+
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+5. From a command prompt, verify that you have the two files. 
+    Extract the contents of the .zip files:
+    
+    ```
+    mavel-macmini:Downloads test$ ls -l
+    total 721160
+    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+    inflating: intune/kext.xml
+     inflating: intune/WindowsDefenderATPOnboarding.xml
+     inflating: jamf/WindowsDefenderATPOnboarding.plist
+    mavel-macmini:Downloads test$
+    ``` 
+
+### Create JAMF Policies
+You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines.
+
+#### Configuration Profile
+The configuration profile contains one custom settings payload that includes:
+
+- Microsoft Defender ATP for Mac onboarding information 
+- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run
+
+
+1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File.
+
+    >[!NOTE]
+    > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain.
+
+    ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
+
+#### Approved Kernel Extension
+
+To approve the kernel extension:
+1.  In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
+2.  Use **UBF8T346G9** for Team Id.
+
+![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
+
+#### Configuration Profile's Scope 
+Configure the appropriate scope to specify the machines that will receive this configuration profile.
+
+Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. 
+
+![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png)
+
+Save the **Configuration Profile**.
+
+Use the **Logs** tab to monitor deployment status for each enrolled machine.
+
+#### Package
+1. Create a package in **Settings > Computer Management > Packages**.
+
+    ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png)
+
+2. Upload wdav.pkg to the Distribution Point. 
+3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
+
+#### Policy
+Your policy should contain a single package for Microsoft Defender.
+
+![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png)
+
+Configure the appropriate scope to specify the computers that will receive this policy.
+
+After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine.
+
+### Client machine setup
+You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment.
+
+> [!NOTE]
+>  After a computer is enrolled, it will show up in the Computers inventory (All Computers). 
+
+1.  Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
+
+![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png)
+![MDM screenshot](images/MDATP_22_MDMProfileApproved.png)
+
+After some time, the machine's User Approved MDM status will change to Yes. 
+
+![MDM status screenshot](images/MDATP_23_MDMStatus.png)
+
+You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
+
+
+### Deployment
+Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
+
+#### Status on server
+You can monitor the deployment status in the Logs tab:
+ - **Pending** means that the deployment is scheduled but has not yet happened 
+ - **Completed** means that the deployment succeeded and is no longer scheduled
+
+![Status on server screenshot](images/MDATP_24_StatusOnServer.png)
+
+
+#### Status on client machine
+After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile.
+
+![Status on client screenshot](images/MDATP_25_StatusOnClient.png)
+
+After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+You can monitor policy installation on a machine by following the JAMF's log file:
+
+```
+mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
+Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
+Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
+Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
+Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
+```
+
+You can also check the onboarding status:
+```
+mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+uuid            : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+orgid           : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid managed   : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+```
+
+- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
+
+- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
+
+### Uninstalling Microsoft Defender ATP for Mac
+#### Uninstalling with a script
+
+Create a script in **Settings > Computer Management > Scripts**.
+
+![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png)
+
+For example, this script removes Microsoft Defender ATP from the /Applications directory:
+
+```
+echo "Is WDAV installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Uninstalling WDAV..."
+rm -rf '/Applications/Microsoft Defender.app'
+
+echo "Is WDAV still installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Done!"
+```
+
+#### Uninstalling with a policy
+Your policy should contain a single script:
+
+![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png)
+
+Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
+
+### Check onboarding status
+
+You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
+
+```
+/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
+```
+
+This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
+
+## Manual deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+    ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
+
+5. From a command prompt, verify that you have the two files. 
+    Extract the contents of the .zip files:
+    
+    ```
+   mavel-macmini:Downloads test$ ls -l
+    total 721152
+    -rw-r--r--  1 test  staff       6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
+    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    Archive:  WindowsDefenderATPOnboardingPackage.zip
+    inflating: WindowsDefenderATPOnboarding.py
+    ``` 
+
+### Application installation
+To complete this process, you must have admin privileges on the machine.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+    ![App install screenshot](images/MDATP_28_AppInstall.png)
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+    ![App install screenshot](images/MDATP_29_AppInstallLogin.png)
+
+   > [!IMPORTANT]
+   > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
+
+   ![App install screenshot](images/MDATP_30_SystemExtension.png)
+
+3. Select **Open Security Preferences**  or **Open System Preferences > Security & Privacy**. Select **Allow**:
+
+    ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
+
+
+The installation will proceed.
+
+> [!NOTE]
+> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+
+### Client configuration
+1.  Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+
+    The client machine is not associated with orgId.  Note that the orgid is blank.
+
+    ```
+    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+    orgid :
+    ```
+2.  Install the configuration file on a client machine:
+
+    ```
+    mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
+    Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
+    ```
+
+3.  Verify that the machine is now associated with orgId:
+
+    ```
+    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+    orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
+    ```
+After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+   ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
+
+## Uninstallation
+### Removing Microsoft Defender ATP from Mac devices
+To remove Microsoft Defender ATP from your macOS devices:
+
+- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
+
+Or, from a command line:
+
+- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
+
+## Known issues
+- Microsoft Defender ATP is not yet optimized for performance or disk space.
+- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device).
+- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
+- Full Windows Defender ATP integration is not yet available
+- Not localized yet
+- There might be accessibility issues 
+
+## Collecting diagnostic information
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1) Increase logging level:
+```
+    mavel-mojave:~ testuser$ mdatp log-level --verbose
+    Creating connection to daemon
+    Connection established
+    Operation succeeded
+```
+
+2) Reproduce the problem
+
+3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
+
+    ```
+    mavel-mojave:~ testuser$ mdatp --diagnostic
+    Creating connection to daemon
+    Connection established
+    "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
+    ```    
+   
+4) Restore logging level:
+```
+    mavel-mojave:~ testuser$ mdatp log-level --info
+    Creating connection to daemon
+    Connection established
+    Operation succeeded
+```
+
+   
+### Installation issues
+If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues. 
+
+ 
+For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_.

windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md

@@ -75,7 +75,7 @@ Location | Setting | Description | Default setting (if not configured)
 Scan | Specify the scan type to use for a scheduled scan | Quick scan
 Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
 Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
 
 **Use PowerShell cmdlets to schedule scans:**
 

windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md

@@ -8,7 +8,8 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 11/07/2017
+ms.date: 03/28/2019
+
 ---
 
 # Frequently asked questions - Windows Defender Application Guard 
@@ -22,7 +23,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
 | | |
 |---|----------------------------|
 |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
-|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
+|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount       - Default is 4 cores. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB            - Default is 8GB.|
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|

windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md

@@ -76,6 +76,11 @@ Application Guard functionality is turned off by default. However, you can quick
    Application Guard and its underlying dependencies are all installed.
 
 **To install by using PowerShell**
+
+>[!NOTE]
+>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
+
+
 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
    
 2. Right-click **Windows PowerShell**, and then click **Run as administrator**.

windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md

@@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio
 
 |Software|Description|
 |--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803|
+|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Education edition, version 1709 or higher<br>Windows 10 Pro Education edition, version 1803 or higher|
 |Browser|Microsoft Edge and Internet Explorer|
 |Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 01/16/2019
+ms.date: 03/15/2019
 ---
 
 # Application Guard testing scenarios
@@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 **To test Application Guard in Standalone mode**
 
-1.	Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide.
+1.	[Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
 
 2.	Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
 
@@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
 ### Install, set up, and turn on Application Guard
 Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
 
-1.	Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide.
+1.	[Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard).
 
 2.	Restart the device and then start Microsoft Edge.
 
@@ -68,7 +68,7 @@ Before you can use Application Guard in enterprise mode, you must install Window
 
 4.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
 
-5.	Click **Enabled** and click **OK**.
+5.	Click **Enabled**, choose Option **1**, and click **OK**.
 
     ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
 

windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 11/27/2018
+ms.date: 03/28/2019
 ---
 
 # Windows Defender Application Guard overview
@@ -40,7 +40,7 @@ Application Guard has been created to target several types of systems:
 | | |
 |---|----------------------------|
 |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
-|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
+|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount       - Default is 4 cores. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB            - Default is 8GB.|
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -70,8 +70,8 @@
 
 
 ### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
-#### [Threat analytics](threat-analytics.md)
-#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+### [Threat analytics](threat-analytics.md)
+
 
 
 ### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
@@ -136,7 +136,6 @@
 ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
 ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
@@ -232,11 +231,13 @@
 ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
   
 
-#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
-##### Create your app
-###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
-###### [Get access without a user](exposed-apis-create-app-webapp.md)
-##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+#### [Windows Defender ATP API](use-apis.md)
+##### [Get started with Windows Defender ATP APIs](apis-intro.md)
+###### [Hello World](api-hello-world.md)
+###### [Get access with application context](exposed-apis-create-app-webapp.md)
+###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
+##### [APIs](exposed-apis-list.md)
+
 ###### [Advanced Hunting](run-advanced-query-api.md)
 
 ###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
@@ -250,24 +251,6 @@
 ####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
 ####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
 
-###### Domain
-####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
-####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
-
-###### [File](files-windows-defender-advanced-threat-protection-new.md)
-####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
-####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
-
-###### IP
-####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
-####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
-
 ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
 ####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
@@ -288,6 +271,30 @@
 ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
 ####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+####### [Initiate investigation (preview)](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md)
+
+###### [Indicators (preview)](ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ###### [User](user-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -318,14 +325,15 @@
 ##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 ##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP SIEM alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
 
 #### Reporting
 ##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md)
+##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md)
 
 #### Role-based access control
 ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
@@ -367,7 +375,8 @@
  
 ####Rules
 ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
  
@@ -394,5 +403,7 @@
 ###Troubleshoot attack surface reduction
 #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
 #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
+#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
+
  
 ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -104,7 +104,6 @@ Content-type: application/json
     "rbacGroupId": 140,
 	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
-	"isAadJoined": true,
     "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 	"machineTags": [ "test tag 1", "test tag 2" ]
 }

windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 11/16/2018
 ---
 
 # Configure advanced features in Windows Defender ATP
@@ -40,11 +39,11 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 
 >[!NOTE]
 > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.  
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it.
+>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
 
 
 ## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
+This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#block-files-in-your-network) for more details.
 
 If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
 
@@ -59,6 +58,10 @@ For more information, see [Investigate a user account](investigate-user-windows-
 ## Skype for Business integration
 Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
 
+>[!NOTE]
+> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. 
+
+
 ## Azure Advanced Threat Protection integration
 The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
 
@@ -87,6 +90,14 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 
 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
 
+## Microsoft Threat Experts
+This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
+
+>[!NOTE]
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
+
+
+
 ## Microsoft Cloud App Security
 Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. 
 

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -14,16 +14,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # Alert resource type
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease<73>information](prerelease.md)]
 
-Represents an alert entity in WDATP.
+Represents an alert entity in Windows Defender ATP.
 
 # Methods
 Method|Return Type |Description

windows/security/threat-protection/windows-defender-atp/api-hello-world.md

@@ -0,0 +1,189 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Windows Defender ATP API - Hello World 
+
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## Get Alerts using a simple PowerShell script
+
+### How long it takes to go through this example?
+It only takes 5 minutes done in two steps:
+- Application registration
+- Use examples: only requires copy/paste of a short PowerShell script
+
+### Do I need a permission to connect?
+For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant.
+
+### Step 1 - Create an App in Azure Active Directory
+
+1.	Log on to [Azure](https://portal.azure.com) with your Global administrator user.
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the registration form, enter the following information, then click **Create**.
+
+    - **Name:** Choose your own name. 
+    - **Application type:** Web app / API
+    - **Redirect URI:** `https://127.0.0.1`
+
+	![Image of Create application window](images/webapp-create.png)
+
+4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission:
+
+	- Click **Settings** > **Required permissions** > **Add**.
+
+	![Image of new app in Azure](images/webapp-add-permission.png)
+
+	- Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+	![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+	- Click **Select permissions** > **Read all alerts** > **Select**.
+
+	![Image of API access and API selection](images/webapp-add-permission-readalerts.png)
+
+	- Click **Done**
+
+	![Image of add permissions completion](images/webapp-add-permission-end.png)
+
+	- Click **Grant permissions**
+
+	**Note**: Every time you add permission you must click on **Grant permissions**.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+5. Create a key for your App:
+
+	- Click **Keys**, type a key name and click **Save**.
+
+	![Image of create app key](images/webapp-create-key.png)
+
+6. Write down your App ID and your Tenant ID:
+
+	- App ID: 
+
+	![Image of created app id](images/webapp-app-id1.png)
+
+	- Tenant ID: Navigate to **Azure Active Directory** > **Properties**
+
+	![Image of create app key](images/api-tenant-id.png)
+
+
+Done! You have successfully registered an application! 
+
+### Step 2 - Get a token using the App and use this token to access the API.
+
+-	Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**"
+-	Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**".
+
+```
+# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
+# Paste below your Tenant ID, App ID and App Secret (App key).
+ 
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your app ID here
+$appSecret = '' ### Paste your app key here
+ 
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+    resource = "$resourceAppIdUri"
+    client_id = "$appId"
+    client_secret = "$appSecret"
+    grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$token = $authResponse.access_token
+Out-File -FilePath "./Latest-token.txt" -InputObject $token
+return $token
+
+```
+
+-	Sanity Check:<br>
+Run the script.<br>
+In your browser go to: https://jwt.ms/ <br>
+Copy the token (the content of the Latest-token.txt file).<br>
+Paste in the top box.<br>
+Look for the "roles" section. Find the Alert.Read.All role.
+
+![Image jwt.ms](images/api-jwt-ms.png)
+
+### Lets get the Alerts!
+
+-	The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
+-   Save this script in the same folder you saved the previous script **Get-Token.ps1**. 
+-	The script creates two files (json and csv) with the data in the same folder as the scripts.
+
+```
+# Returns Alerts created in the past 48 hours.
+ 
+$token = ./Get-Token.ps1       #run the script Get-Token.ps1  - make sure you are running this script from the same folder of Get-Token.ps1
+
+# Get Alert from the last 48 hours. Make sure you have alerts in that time frame.
+$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")       
+
+# The URL contains the type of query and the time filter we create above
+# Read more about other query options and filters at   Https://TBD- add the documentation link
+$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
+ 
+# Set the WebRequest headers
+$headers = @{ 
+    'Content-Type' = 'application/json'
+    Accept = 'application/json'
+    Authorization = "Bearer $token" 
+}
+
+# Send the webrequest and get the results. 
+$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+
+# Extract the alerts from the results. 
+$alerts =  ($response | ConvertFrom-Json).value | ConvertTo-Json
+ 
+# Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
+$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}    
+ 
+# Save the result as json and as csv
+$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"     
+$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
+ 
+Out-File -FilePath $outputJsonPath -InputObject $alerts
+($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation 
+
+```
+
+You’re all done! You have just successfully:
+-	Created and registered and application
+-	Granted permission for that application to read alerts
+-	Connected the API
+-	Used a PowerShell script to return alerts created in the past 48 hours
+
+
+
+## Related topic
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md

@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/16/2017
 ---
 
-# Windows Defender ATP alert API fields
+# Windows Defender ATP SIEM alert API fields
 
 **Applies to:**
 

windows/security/threat-protection/windows-defender-atp/apis-intro.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Advanced Threat Protection API overview  
 description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
-keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -14,48 +14,52 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 09/03/2018
 ---
 
 # Windows Defender ATP API overview
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
-
-[!include[Prerelease information](prerelease.md)]
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
 
-As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+You can access Windows Defender ATP API with **Application Context** or **User Context**.
 
-## Delegated permissions, application permissions, and effective permissions
+- **Application Context: (Recommended)** <br>
+    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
 
-Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+	Steps that need to be taken to access Windows Defender ATP API with application context:
 
-- **Delegated permissions** <br> 
-    Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
-- **Application permissions** <br>
-    Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+	1. Create an AAD Web-Application.
+	2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. 
+	3. Create a key for this Application.
+	4. Get token using the application with its key.
+	5. Use the token to access Windows Defender ATP API
 
-Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+	For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
 
-- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
 
-	For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+- **User Context:** <br>
+    Used to perform actions in the API on behalf of a user.
 
-- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+	Steps that needs to be taken to access Windows Defender ATP API with application context:
+	1. Create AAD Native-Application.
+	2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 
+	3. Get token using the application with user credentials.
+	4. Use the token to access Windows Defender ATP API
+
+	For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
 
 
 ## Related topics
-- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
-- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
-- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md

@@ -66,7 +66,7 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
 Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
 ```
 
-For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
 
 ## Assign user access using the Azure portal
 For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).

windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be
      <td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
      <tr>
      <td>Refresh Token</td>
-     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
+     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
      </td>
      </tr>
      </tr>

windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -52,8 +52,13 @@ You can create rules that determine the machines and alert severities to send em
     - **Rule name** - Specify a name for the notification rule.
     - **Include organization name** - Specify the customer name that appears on the email notification.
     - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
+    - **Include machine information** - Includes the machine name in the email alert body.
+    
+        >[!NOTE]
+        > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Windows Defender ATP data.
+
     - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
-    - **Alert severity** - Choose the alert severity level
+    - **Alert severity** - Choose the alert severity level.
 
 4. Click **Next**.
 	

windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md

@@ -48,7 +48,7 @@ ms.date: 04/24/2018
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
 
@@ -78,7 +78,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
 
     b.  Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
 
-2.  Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+2.  Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**.
 
 3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
 
@@ -110,7 +110,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3.	Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3.	Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4.	In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
 

windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create
 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -92,7 +92,7 @@ Possible values are:
 
 The default value in case the registry key doesn’t exist is 1.
 
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 
 
@@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -155,7 +155,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
 Name: “OnboardingState”
 Value: “1”
 ```
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 ## Related topics
 - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md

@@ -81,27 +81,49 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
     
     c.  Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages. <br>
 
-    **Step 2: Open a support ticket**
-    
- >[!NOTE]
- >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account.  However, you will not be charged for the Experts-on-demand service during the preview.
-
+    **Step 2: Open a support ticket**    
+    >[!NOTE]
+    >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account.  However, you will not be charged for the Experts-on-demand service during the preview.
+ 
     a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**: <br>
 
-     - **Select the product family**: **Security**
-     - **Select a product**: **Microsoft Threat Experts**
-     - **Select a category that best describes the issue**: **Windows Defender ATP**
-     - **Select a problem that best describes the issue**: Choose according to your inquiry category  
+    **Select the product family**: **Security**<br>
+    **Select a product**: **Microsoft Threat Experts**<br>
+    **Select a category that best describes the issue**: **Windows Defender ATP**<br>
+    **Select a problem that best describes the issue**: Choose according to your inquiry category<br>  
        
-    b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
+    b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.  <br>
     
-    c. In the **Select a support plan** page, select **Professional No Charge**.
+    c. In the **Select a support plan** page, select **Professional No Charge**. <br>
 
-    d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
+    d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. <br>
     
-    e. Verify your contact details and add another if necessary. Then, click **Next**.
+    e. Verify your contact details and add another if necessary. Then, click **Next**. <br>
 
-    f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
+    f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br>
+
+## Sample questions to ask Microsoft Threat Experts
+**Alert information**
+- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
+- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
+- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. 
+
+**Possible machine compromise**
+- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
+- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
+
+**Threat intelligence details**
+- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
+- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor? 
+
+**Microsoft Threat Experts’ alert communications** 
+- Can your incident response team help us address the targeted attack notification that we got?
+- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
+- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
+
+ >[!NOTE]
+ >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s  Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. 
 
 ## Scenario
 

windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -165,6 +165,9 @@ If at least one of the connectivity options returns a (200) status, then the Win
 
 However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
 
+> [!NOTE]
+> When the TelemetryProxyServer is set, in Registry or via Group Policy, Windows Defender ATP will fall back to direct if it can't access the defined proxy.
+
 ## Related topics
 - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -1,224 +1,238 @@
----
-title: Onboard servers to the Windows Defender ATP service
-description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 12/14/2018
----
-
-# Onboard servers to the Windows Defender ATP service
-
-**Applies to:**
-
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server, 2019
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-
-
-Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
-
-The service supports the onboarding of the following servers:
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server 2019
-
-
-For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-
-## Windows Server 2012 R2 and Windows Server 2016
-
-To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to:
-
-- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
-
-    >[!NOTE]
-    >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-
-- Turn on server monitoring from Windows Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
-
->[!TIP]
-> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
-
-### Configure and update System Center Endpoint Protection clients
->[!IMPORTANT]
->This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-
-Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
-
-The following steps are required to enable this integration: 
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-
-
-### Turn on Server monitoring from the Windows Defender Security Center portal
-
-1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-
-2. Select Windows Server 2012R2 and 2016 as the operating system.
- 
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
-
-<span id="server-mma"/>
-### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP 
-
-1.	Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
-
-2.	Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
-    - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
-    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
-    - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 
-
-3.	You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
-
-Once completed, you should see onboarded servers in the portal within an hour.
-
-<span id="server-proxy"/>
-### Configure server proxy and Internet connectivity settings
- 
-- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
-
-Agent Resource    |    Ports 
-:---|:---
-|    *.oms.opinsights.azure.com    |    443    |
-|    *.blob.core.windows.net    |    443    |
-|    *.azure-automation.net    |    443    |
-|    *.ods.opinsights.azure.com    |    443    |
-|    winatp-gw-cus.microsoft.com     |    443    |
-|    winatp-gw-eus.microsoft.com    |    443    |
-|    winatp-gw-neu.microsoft.com    |    443    |
-|    winatp-gw-weu.microsoft.com    |    443    |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 | 
-| winatp-gw-aus.microsoft.com | 443| 
-| winatp-gw-aue.microsoft.com |443 | 
-
-## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
-
-Supported tools include:
-- Local script
-- Group Policy 
-- System Center Configuration Manager 2012 / 2012 R2  1511 / 1602
-- VDI onboarding scripts for non-persistent machines
-
- For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
-
-1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
-
-2.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
-
-    a. Set the following registry entry:
-       - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-       - Name: ForceDefenderPassiveMode
-       - Value: 1
-
-    b. Run the following PowerShell command to verify that the passive mode was configured:
-
-       ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
-
-    c. Confirm  that a recent event containing the passive mode event is found:
-       
-       ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
-
-3. Run the following command to check if Windows Defender AV is installed:
-
-   ```sc query Windefend```
-
-    If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
-
-
-## Integration with Azure Security Center
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature. 
-
-The following capabilities are included in this integration:
-- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
-
-    >[!NOTE]
-    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
-
-- Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
-- Server investigation -  Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
-
->[!IMPORTANT]
->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
->- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-
-
-
-## Offboard servers 
-You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. 
-
-For other server versions, you have two options to offboard servers from the service:
-- Uninstall the MMA agent
-- Remove the Windows Defender ATP workspace configuration
-
->[!NOTE]
->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
-
-### Uninstall servers by uinstalling the MMA agent
-To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
-For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
-
-### Remove the Windows Defender ATP workspace configuration
-To offboard the server, you can use either of the following methods:
-
-- Remove the Windows Defender ATP workspace configuration from the MMA agent 
-- Run a PowerShell command to remove the configuration
-
-#### Remove the Windows Defender ATP workspace configuration from the MMA agent 
-
-1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
-
-2. Select the Windows Defender ATP workspace, and click **Remove**.
-
-    ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png)
-
-#### Run a PowerShell command to remove the configuration
-
-1. Get your Workspace ID:
-   a. In the navigation pane, select **Settings** > **Onboarding**.
-
-   b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID:
-    
-        ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
-
-2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
-
-    ```
-    # Load agent scripting object
-    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
-    # Remove OMS Workspace
-    $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
-    # Reload the configuration and apply changes
-    $AgentCfg.ReloadConfiguration()
-    ```
-
-## Related topics
-- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
-- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+---
+title: Onboard servers to the Windows Defender ATP service
+description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
+keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Onboard servers to the Windows Defender ATP service
+
+**Applies to:**
+
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server, version 1803
+- Windows Server, 2019
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
+
+
+Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
+
+The service supports the onboarding of the following servers:
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server, version 1803
+- Windows Server 2019
+
+
+For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
+
+## Windows Server 2012 R2 and Windows Server 2016
+
+There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP:
+
+- **Option 1**: Onboard through Azure Security Center
+- **Option 2**: Onboard through Windows Defender Security Center
+
+### Option 1: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**. 
+
+4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+### Option 2: Onboard servers through Windows Defender Security Center
+You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. 
+
+- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+
+    >[!NOTE]
+    >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
+- Turn on server monitoring from Windows Defender Security Center.
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+
+
+>[!TIP]
+> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+
+### Configure and update System Center Endpoint Protection clients
+>[!IMPORTANT]
+>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
+Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
+
+The following steps are required to enable this integration: 
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+
+
+### Turn on Server monitoring from the Windows Defender Security Center portal
+
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+ 
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+
+<span id="server-mma"/>
+### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP 
+
+1.	Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
+
+2.	Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+    - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
+    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
+    - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 
+
+3.	You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+
+Once completed, you should see onboarded servers in the portal within an hour.
+
+<span id="server-proxy"/>
+### Configure server proxy and Internet connectivity settings
+ 
+- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
+
+Agent Resource    |    Ports 
+:---|:---
+|    *.oms.opinsights.azure.com    |    443    |
+|    *.blob.core.windows.net    |    443    |
+|    *.azure-automation.net    |    443    |
+|    *.ods.opinsights.azure.com    |    443    |
+|    winatp-gw-cus.microsoft.com     |    443    |
+|    winatp-gw-eus.microsoft.com    |    443    |
+|    winatp-gw-neu.microsoft.com    |    443    |
+|    winatp-gw-weu.microsoft.com    |    443    |
+|winatp-gw-uks.microsoft.com | 443 |
+|winatp-gw-ukw.microsoft.com | 443 | 
+| winatp-gw-aus.microsoft.com | 443| 
+| winatp-gw-aue.microsoft.com |443 | 
+
+## Windows Server, version 1803 and Windows Server 2019
+To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
+
+Supported tools include:
+- Local script
+- Group Policy 
+- System Center Configuration Manager 2012 / 2012 R2  1511 / 1602
+- VDI onboarding scripts for non-persistent machines
+
+ For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
+
+1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
+
+2.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+
+    a. Set the following registry entry:
+       - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+       - Name: ForceDefenderPassiveMode
+       - Value: 1
+
+    b. Run the following PowerShell command to verify that the passive mode was configured:
+
+       ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+
+    c. Confirm  that a recent event containing the passive mode event is found:
+       
+       ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
+
+3. Run the following command to check if Windows Defender AV is installed:
+
+   ```sc query Windefend```
+
+    If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+
+## Integration with Azure Security Center
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+>[!NOTE]
+>You'll need to have the appropriate license to enable this feature. 
+
+The following capabilities are included in this integration:
+- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
+
+    >[!NOTE]
+    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+
+- Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
+- Server investigation -  Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
+
+>[!IMPORTANT]
+>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+
+
+
+## Offboard servers 
+You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. 
+
+For other server versions, you have two options to offboard servers from the service:
+- Uninstall the MMA agent
+- Remove the Windows Defender ATP workspace configuration
+
+>[!NOTE]
+>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+
+### Uninstall servers by uinstalling the MMA agent
+To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
+For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
+
+### Remove the Windows Defender ATP workspace configuration
+To offboard the server, you can use either of the following methods:
+
+- Remove the Windows Defender ATP workspace configuration from the MMA agent 
+- Run a PowerShell command to remove the configuration
+
+#### Remove the Windows Defender ATP workspace configuration from the MMA agent 
+
+1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
+
+2. Select the Windows Defender ATP workspace, and click **Remove**.
+
+    ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png)
+
+#### Run a PowerShell command to remove the configuration
+
+1. Get your Workspace ID:
+   a. In the navigation pane, select **Settings** > **Onboarding**.
+
+   b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
+    
+        ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
+
+2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
+
+    ```
+    # Load agent scripting object
+    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
+    # Remove OMS Workspace
+    $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
+    # Reload the configuration and apply changes
+    $AgentCfg.ReloadConfiguration()
+    ```
+
+## Related topics
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md

@@ -22,7 +22,6 @@ ms.date: 10/16/2017
 
 **Applies to:**
 
-
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 

windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/29/2018
 ---
 
 

windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -1,6 +1,6 @@
 ---
-title: Delete Ti Indicator.
-description: Deletes Ti Indicator entity by ID.
+title: Delete Indicator API.
+description: Deletes Indicator entity by ID.
 keywords: apis, public api, supported apis, delete, ti indicator, entity, id
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -14,33 +14,33 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
-# Delete TI Indicator API
+# Delete Indicator API
+
+**Applies to:**  
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease<73>information](prerelease.md)]
 
 >[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
 
 
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a TI Indicator entity by ID.
+- Deletes an Indicator entity by ID.
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+Application |	Ti.ReadWrite.All |	'Read and write Indicators'
 
 
 ## HTTP request
 ```
-Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+Delete https://api.securitycenter.windows.com/api/indicators/{id}
 ```
 
 [!include[Improve request performance](improverequestperformance-new.md)]
@@ -57,8 +57,8 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 
 ## Response
-If TI Indicator exist and deleted successfully - 204 OK without content.
-If TI Indicator with the specified id was not found - 404 Not Found.
+If Indicator exist and deleted successfully - 204 OK without content.
+If Indicator with the specified id was not found - 404 Not Found.
 
 ## Example
 
@@ -67,7 +67,7 @@ If TI Indicator with the specified id was not found - 404 Not Found.
 Here is an example of the request.
 
 ```
-DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
 ```
 
 **Response**

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -19,33 +19,30 @@ ms.date: 09/03/2018
 
 # Use Windows Defender ATP APIs
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](prerelease.md)]
 
 
-This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user.
 
-If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+If you need programmatic access Windows Defender ATP without a user, refer to [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md).
 
 If you are not sure which access you need, read the [Introduction page](apis-intro.md).
 
-Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
-This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token.
 
 >[!NOTE]
-> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct App permission and user permission.
 > If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). 
 
 >[!TIP]
@@ -53,7 +50,7 @@ This page explains how to create an app, get an access token to Windows Defender
 
 ## Create an app
 
-1.	Log on to [Azure](https://portal.azure.com).
+1.	Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role.
 
 2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
 
@@ -78,13 +75,10 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of API access and API selection](images/webapp-add-permission-2.png)
 
-6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+6. Click **Select permissions** > **Check the desired permissions** > **Select**.
 	
 	>[!IMPORTANT]
     >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
-
-    ![Image of select permissions](images/nativeapp-select-permissions.png)
-
 	For instance,
 
     - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
@@ -92,6 +86,8 @@ This page explains how to create an app, get an access token to Windows Defender
 
        To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
 
+    ![Image of select permissions](images/nativeapp-select-permissions.png)
+
 
 7. Click **Done**
 
@@ -116,39 +112,51 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
 
 ### Using C#
 
-The  code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
-
-- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
+- Copy/Paste the below class in your application.
+- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
 
 	```
-	using Microsoft.IdentityModel.Clients.ActiveDirectory;
-	```
+	namespace WindowsDefenderATP
+	{
+		using System.Net.Http;
+		using System.Text;
+		using System.Threading.Tasks;
+		using Newtonsoft.Json.Linq;
 
-- Copy/Paste the below code in your application (pay attention to the comments in the code)
+		public static class WindowsDefenderATPUtils
+		{
+			private const string Authority = "https://login.windows.net";
 
-	```
-	const string authority = "https://login.windows.net";
-	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+			private const string WdatpResourceId = "https://api.securitycenter.windows.com";
 
-	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
-	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+			public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
+			{
+				using (var httpClient = new HttpClient())
+				{
+					var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
 
-	string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
-	string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! 
+					var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
 
-	UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+					using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
+					{
+						response.EnsureSuccessStatusCode();
 
-	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
-	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
-	string token = authenticationResult.AccessToken;
+						var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+
+						var jObject = JObject.Parse(json);
+
+						return jObject["access_token"].Value<string>();
+					}
+				}
+			}
+		}
+	}
 	```
 
 ## Validate the token
 
 Sanity check to make sure you got a correct token:
-- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it
 - Validate you get a 'scp' claim with the desired app permissions
 - In the screenshot below you can see a decoded token acquired from the app in the tutorial:
 
@@ -168,12 +176,11 @@ Sanity check to make sure you got a correct token:
 
 	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
 
-	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+	var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
 
 	// Do something useful with the response
 	```
 
 ## Related topics
-- [Windows Defender ATP APIs](apis-intro.md)
-- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
-- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md

@@ -19,32 +19,30 @@ ms.date: 09/03/2018
 
 # Create an app to access Windows Defender ATP without a user
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](prerelease.md)]
 
-This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+This page describes how to create an application to get programmatic access to Windows Defender ATP without a user.
 
-If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+If you need programmatic access Windows Defender ATP on behalf of a user, see [Get access wtih user context](exposed-apis-create-app-nativeapp.md)
 
-If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+If you are not sure which access you need, see [Get started](apis-intro.md).
 
 Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
-This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token.
 
 ## Create an app
 
-1.	Log on to [Azure](https://portal.azure.com).
+1.	Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role.
 
 2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
 
@@ -54,9 +52,9 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of Create application window](images/webapp-create.png)
 
-    - **Name:** WdatpEcosystemPartner
+    - **Name:** Choose your own name. 
     - **Application type:** Web app / API
-    - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+    - **Redirect URI:** `https://127.0.0.1`
 
 
 4.	Click **Settings** > **Required permissions** > **Add**.
@@ -69,18 +67,17 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of API access and API selection](images/webapp-add-permission-2.png)
 
-6. Click **Select permissions** > **Run advanced queries** > **Select**.
+6. Click **Select permissions** > **Check the desired permissions** > **Select**.
 	
-	**Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
-
-    ![Image of select permissions](images/webapp-select-permission.png)
+	**Important note**: You need to select the relevant permissions. 'Run advanced queries' is only an example!
 
 	For instance,
 
 	- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
 	- To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+	- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
 
-	To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+    ![Image of select permissions](images/webapp-select-permission.png)
 
 7. Click **Done**
 
@@ -94,7 +91,7 @@ This page explains how to create an app, get an access token to Windows Defender
 
 	![Image of Grant permissions](images/webapp-grant-permissions.png)
 
-9. Click **Keys** and type a key name and click **Save**.
+9. Click **Keys**, type a key name and click **Save**.
 
 	**Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
 
@@ -102,9 +99,9 @@ This page explains how to create an app, get an access token to Windows Defender
 
 10. Write down your application ID.
     
-	![Image of app ID](images/webapp-get-appid.png)
+	![Image of created app id](images/webapp-app-id1.png)
 
-11. Set your application to be multi-tenanted
+11. **For Windows Defender ATP Partners only** - Set your application to be multi-tenanted
 	
 	This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
 
@@ -114,26 +111,54 @@ This page explains how to create an app, get an access token to Windows Defender
 
 	![Image of multi tenant](images/webapp-edit-multitenant.png)
 
+	- Application consent for your multi-tenant App:
+	
+	You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Windows Defender ATP application on behalf of your customer.
 
-## Application consent
-You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+	You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
 
-You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+	Consent link is of the form: 
 
-Consent link is of the form: 
+	```
+	https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
+	```
 
-```
-https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
-```
-
-where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
+	where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
 
 
-## Get an access token
+- **Done!** You have successfully registered an application! 
+- See examples below for token acquisition and validation.
+
+## Get an access token examples:
 
 For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
 
-### Using C#
+### Using PowerShell 
+
+```
+# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
+# Paste below your Tenant ID, App ID and App Secret (App key).
+ 
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your app ID here
+$appSecret = '' ### Paste your app key here
+ 
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+    resource = "$resourceAppIdUri"
+    client_id = "$appId"
+    client_secret = "$appSecret"
+    grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$token = $authResponse.access_token
+Out-File -FilePath "./Latest-token.txt" -InputObject $token
+return $token
+
+```
+
+### Using C#:
 
 >The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
 
@@ -161,9 +186,6 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
 	string token = authenticationResult.AccessToken;
 	```
 
-### Using PowerShell 
-
-Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
 
 ### Using Python
 
@@ -177,7 +199,7 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
 - Open a command window
 - ​Set CLIENT_ID to your Azure application ID
 - Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Windows Defender ATP application
 - Run the below command:
 
 ```
@@ -195,7 +217,7 @@ You will get an answer of the form:
 Sanity check to make sure you got a correct token:
 - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
 - Validate you get a 'roles' claim with the desired permissions
-- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Windows Defender ATP's roles:
 
 ![Image of token validation](images/webapp-decoded-token.png)
 
@@ -213,12 +235,11 @@ Sanity check to make sure you got a correct token:
 
 	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
 
-	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+	var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
 
 	// Do something useful with the response
 	```
 
 ## Related topics
-- [Windows Defender ATP APIs](apis-intro.md)
 - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
 - [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md

@@ -19,7 +19,7 @@ ms.date: 09/24/2018
 
 # Windows Defender ATP APIs using PowerShell
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
@@ -48,7 +48,7 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass
 - Run the below
 
 > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP)
 > - $appSecret: Secret of your AAD app
 > - $suspiciousUrl: The URL
 

windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 30/07/2018
 ---
 
 # Supported Windows Defender ATP query APIs 

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -64,7 +64,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -149,7 +148,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -191,7 +189,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -233,7 +230,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -278,5 +274,23 @@ Content-type: application/json
 }
 ```
 
+### Example 7
+
+- Get the count of open alerts for a specific machine:
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+4
+
+```
+
 ## Related topic
 - [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md

@@ -14,14 +14,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # File resource type
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-Represent a file entity in WDATP.
+Represent a file entity in Windows Defender ATP.
 
 # Methods
 Method|Return Type |Description
@@ -49,5 +50,5 @@ fileProductName | String | Product name.
 signer | String | File signer.
 issuer | String | File issuer.
 signerHash | String | Hash of the signing certificate.
-isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+isValidCertificate | Boolean | Was signing certificate successfully verified by  Windows Defender ATP agent.
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -102,7 +102,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-			"isAadJoined": true,
 			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         }

windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md

@@ -44,6 +44,11 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D
 **Machine was offboarded**</br>
 If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
 
+
+**Machine is not sending signals**
+If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. 
+
+
 Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
 
 ## Misconfigured machines

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -98,7 +98,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -117,7 +116,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -98,7 +98,6 @@ Content-type: application/json
             "healthStatus": "Active",
             "rbacGroupId": 140,
             "riskScore": "Low",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -116,7 +115,6 @@ Content-type: application/json
             "healthStatus": "Inactive",
 			"rbacGroupId": 140,
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }