| Microsoft Store, Microsoft Store for Business | Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 97ce2a79a5..b34eb9cf48 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -19,12 +19,12 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
-## Check out [what's new in Windows 10, version 1909](/windows/whats-new/whats-new-windows-10-version-1909).
+## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004).
-
+
What's New?
|
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 98acde2b5e..fe73e90c9e 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -8,7 +8,7 @@
### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
## Basic level Windows diagnostic data events and fields
-### [Windows 10, version 2005 required Windows diagnostic data events and fields](required-windows-diagnostic-data-events-and-fields-2005.md)
+### [Windows 10, version 2004 required Windows diagnostic data events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
### [Windows 10, version 1903 and Windows 10, version 1909 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 302909fefa..71f256d128 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -132,24 +132,24 @@ As seen with recent ransomware attacks, once called the "black plague" of the In
In response to these threats and as a part of your mechanisms to resist these types of breaches so that you remain in compliance with the GDPR, Windows 10 provides built in technology, detailed below including the following:
-- Windows Defender Antivirus to respond to emerging threats on data.
+- Microsoft Defender Antivirus to respond to emerging threats on data.
- Microsoft Edge to systemically disrupt phishing, malware, and hacking attacks.
- Windows Defender Device Guard to block all unwanted applications on client machines.
#### Responding to emerging data threats
-Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware:
+Microsoft Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection.** Helps to detect and block new malware within seconds, even if the malware has never been seen before.
-- **Rich local context.** Improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more.
+- **Rich local context.** Improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more.
-- **Extensive global sensors.** Help to keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
+- **Extensive global sensors.** Help to keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-- **Tamper proofing.** Helps to guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on.
+- **Tamper proofing.** Helps to guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on.
-- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
+- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution.
#### Systemically disrupting phishing, malware, and hacking attacks
In today’s threat landscape, your ability to provide those mechanisms should be tied to the specific data-focused attacks you face through phishing, malware and hacking due to the browser-related attacks.
@@ -204,7 +204,7 @@ Among the key benefits of ATP are the following:
- Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management with no deployment.
-- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Windows Defender Antivirus.
+- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Microsoft Defender Antivirus.
- Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and exploration with Office 365 ATP subscription, to track back and respond to attacks.
@@ -216,7 +216,7 @@ To provide Detection capabilities, Windows 10 improves our OS memory and kernel
We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.
-Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.
+Customers asked us for a single pane of glass across the entire Windows security stack. Microsoft Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.
Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.
@@ -314,7 +314,7 @@ Azure Information Protection also helps your users share sensitive data in a sec
- **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification
-- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10
+- **Microsoft Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10
- **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index d15ec0f74b..ba4a8aff28 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: medgarmedgar
-ms.author: v-medgar
+ms.author: dansimp
manager: robsize
ms.date: 3/25/2020
---
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 4bbec23cef..7d7448f4d5 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -14,7 +14,7 @@ ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 5/14/2020
+ms.date: 6/3/2020
---
# Manage connections from Windows 10 operating system components to Microsoft services
@@ -37,7 +37,9 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
> [!Warning]
-> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
+> - If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
+> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
+> - During update or upgrade of Windows, egress traffic may occur.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
@@ -550,7 +552,7 @@ To disable the Microsoft Account Sign-In Assistant:
### 13. Microsoft Edge
-Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682).
+Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge).
### 13.1 Microsoft Edge Group Policies
@@ -1595,7 +1597,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
>1. Ensure Windows and Windows Defender are fully up to date.
>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
-- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
-OR-
@@ -1608,7 +1610,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
You can stop sending file samples back to Microsoft.
-- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**.
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**.
-or-
@@ -1617,11 +1619,11 @@ You can stop sending file samples back to Microsoft.
You can stop downloading **Definition Updates**:
-- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
-- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
+- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
-or-
@@ -1645,7 +1647,7 @@ You can turn off **Enhanced Notifications** as follows:
-or-
-- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Reporting**.
+- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
-or-
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 6367bb1968..e29d853c05 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -398,7 +398,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Windows Defender Antivirus cloud service connections, see [Allow connections to the Windows Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud-service).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
| Source process | Protocol | Destination |
|----------------|----------|------------|
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index ea17373f32..9d9c6e8fe4 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: danihalfin
-ms.author: v-medgar
+ms.author: dansimp
manager: sanashar
ms.collection: M365-security-compliance
ms.topic: article
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2005.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
similarity index 99%
rename from windows/privacy/required-windows-diagnostic-data-events-and-fields-2005.md
rename to windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 1a3297b72c..42ac740880 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2005.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,6 +1,6 @@
---
description: Use this article to learn more about what required Windows diagnostic data is gathered.
-title: Windows 10, version 2005 required diagnostic events and fields (Windows 10)
+title: Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
ms.mktglfcycl: manage
@@ -17,7 +17,7 @@ ms.date: 03/27/2020
---
-# Windows 10, version 2005 required Windows diagnostic events and fields
+# Windows 10, version 2004 required Windows diagnostic events and fields
> [!IMPORTANT]
@@ -26,7 +26,7 @@ ms.date: 03/27/2020
**Applies to**
-- Windows 10, version 2005
+- Windows 10, version 2004
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@@ -90,7 +90,6 @@ The following fields are available:
- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data.
- **IsBootCritical** Indicates whether the device boot is critical.
-- **SdbEntries** Deprecated in RS3.
- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device.
- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
@@ -103,10 +102,6 @@ This event sends compatibility database data about driver packages to help keep
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-The following fields are available:
-
-- **SdbEntries** Deprecated in RS3.
-
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
@@ -636,7 +631,6 @@ The following fields are available:
- **Categories** A comma separated list of functional categories in which the container belongs.
- **DiscoveryMethod** The discovery method for the device container.
- **FriendlyName** The name of the device container.
-- **Icon** Deprecated in RS3. The path or index to the icon file.
- **IsActive** Is the device connected, or has it been seen in the last 14 days?
- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
- **IsMachineContainer** Is the container the root device itself?
diff --git a/windows/privacy/stub.md b/windows/privacy/stub.md
deleted file mode 100644
index 9537f0fa72..0000000000
--- a/windows/privacy/stub.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Stub topic
-description: Use this topic to test localization e2e.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 10/11/2019
-ms.reviewer:
----
-# Stub topic
-
-Applies to:
-- Windows 10, version 1809
-- Windows 10, version 1803
-- Windows 10, version 1709
-- Windows 10, version 1703
-- Windows 10 Team Edition, version 1703 for Surface Hub
-- Windows Server 2019
-- Windows Server 2016
-- Windows Analytics
-
-This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
-
-For more information about the GDPR, see:
-* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
-* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
-* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
-* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
-
-## GDPR fundamentals
-
-Here are some GDPR fundamentals:
-
-* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
-* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees.
-* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
-* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
-
-Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
-
-### What is personal data under the GDPR?
-
-Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
-* Name
-* Email address
-* Credit card numbers
-* IP addresses
-* Social media posts
-* Location information
-* Handwriting patterns
-* Voice input to cloud-based speech services
-
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index 73ccd75c12..ef7ec52739 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -74,7 +74,7 @@ This type of data includes details about the health of the device, operating sys
| Category Name | Description and Examples |
| - | - |
|Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
-|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
+|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details|
|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
|
|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 85c77ad883..5165ffd9c7 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -289,7 +289,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score
- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
-- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index 2eb42f02b4..887025029f 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -55,7 +55,7 @@ sections:
text: "
| Details | Originating update | Status | History |
| Unable to create local users in Chinese, Japanese and Korean during device setup When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4534321.
Back to top | OS Build 17763.737
September 10, 2019
KB4512578 | Resolved
KB4534321 | Resolved:
January 23, 2020
02:00 PM PT
Opened:
October 29, 2019
05:15 PM PT |
- Microsoft Defender Advanced Threat Protection might stop runningAfter installing the optional non-security update ( KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.
Note Microsoft Windows Defender Antivirus is not affected by this issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.
Back to top | OS Build 17763.832
October 15, 2019
KB4520062 | Resolved
KB4523205 | Resolved:
November 12, 2019
10:00 AM PT
Opened:
October 17, 2019
05:14 PM PT |
+ Microsoft Defender Advanced Threat Protection might stop runningAfter installing the optional non-security update ( KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.
Note Microsoft Microsoft Defender Antivirus is not affected by this issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.
Back to top | OS Build 17763.832
October 15, 2019
KB4520062 | Resolved
KB4523205 | Resolved:
November 12, 2019
10:00 AM PT
Opened:
October 17, 2019
05:14 PM PT |
"
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index 6c12907b28..ae96f09ed1 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
---
+
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
```powershell
-# Script to find out if machine is Device Guard compliant
-# requires driver verifier on system.
+# Script to find out if a machine is Device Guard compliant.
+# The script requires a driver verifier present on the system.
+
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
$path = "C:\DGLogs\"
@@ -36,7 +38,7 @@ $DGVerifySuccess = New-Object System.Text.StringBuilder
$Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers"
-#generated by certutil -encode
+#generated by certutil -encode
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
@@ -114,7 +116,7 @@ function LogAndConsoleSuccess($message)
function LogAndConsoleError($message)
{
- Write-Host $message -foregroundcolor "Red"
+ Write-Host $message -foregroundcolor "Red"
Log $message
}
@@ -132,16 +134,16 @@ function IsExempted([System.IO.FileInfo] $item)
Log $cert.ToString()
return 0
}
-}
+}
function CheckExemption($_ModName)
{
$mod1 = Get-ChildItem $Sys32Path $_ModName
$mod2 = Get-ChildItem $DriverPath $_ModName
if($mod1)
- {
+ {
Log "NonDriver module" + $mod1.FullName
- return IsExempted($mod1)
+ return IsExempted($mod1)
}
elseif($mod2)
{
@@ -184,15 +186,15 @@ function CheckFailedDriver($_ModName, $CIStats)
}
if($Result.Contains("PASS"))
{
- $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
+ $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
}
elseif($FailingStat.Trim().Contains("execute-write"))
{
- $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
+ $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
else
{
- $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
+ $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
Log "Result: " $Result
}
@@ -204,7 +206,7 @@ function ListCIStats($_ModName, $str1)
{
Log "String := " $str1
Log "Warning! CI Stats are missing for " $_ModName
- return
+ return
}
$temp_str1 = $str1.Substring($i1)
$CIStats = $temp_str1.Substring(0).Trim()
@@ -245,7 +247,7 @@ function ListDrivers($str)
}
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
- LogAndConsole $DriverScanCompletedMessage
+ LogAndConsole $DriverScanCompletedMessage
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
{
@@ -254,7 +256,7 @@ function ListDrivers($str)
{
LogAndConsoleError $WarningMessage
}
- else
+ else
{
LogAndConsoleWarning $WarningMessage
}
@@ -321,7 +323,7 @@ function ListSummary()
}
else
{
- LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
+ LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
@@ -336,56 +338,56 @@ function ListSummary()
function Instantiate-Kernel32 {
- try
+ try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
-
+
public static class Kernel32
{
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary(
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
-
+
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(
IntPtr hModule,
string procName);
}
-
+
"@
}
catch
{
- Log $_.Exception.Message
+ Log $_.Exception.Message
LogAndConsole "Instantiate-Kernel32 failed"
}
}
function Instantiate-HSTI {
- try
+ try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
-
+
public static class HstiTest3
{
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
- public static extern int QueryHSTIdetails(
- ref HstiOverallError pHstiOverallError,
+ public static extern int QueryHSTIdetails(
+ ref HstiOverallError pHstiOverallError,
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
ref uint pHstiProviderErrorsCount,
byte[] hstiPlatformSecurityBlob,
ref uint pHstiPlatformSecurityBlobBytes);
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
- public static extern int QueryHSTI(ref bool Pass);
-
+ public static extern int QueryHSTI(ref bool Pass);
+
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct HstiProviderErrorDuple
{
@@ -397,7 +399,7 @@ function Instantiate-HSTI {
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
internal string ErrorString;
}
-
+
[FlagsAttribute]
public enum HstiProviderErrors : int
{
@@ -425,8 +427,8 @@ function Instantiate-HSTI {
BlobVersionMismatch = 0x00000080,
PlatformSecurityVersionMismatch = 0x00000100,
ProviderError = 0x00000200
- }
-
+ }
+
}
"@
@@ -434,9 +436,9 @@ function Instantiate-HSTI {
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
- if ([System.IntPtr]::Size -eq 8)
+ if ([System.IntPtr]::Size -eq 8)
{
- #assuming 64 bit
+ #assuming 64 bit
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
}
@@ -450,7 +452,7 @@ function Instantiate-HSTI {
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
[byte[]]$blob = New-Object byte[] $blobByteSize
- [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
+ [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
$string = $null
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
@@ -479,7 +481,7 @@ function Instantiate-HSTI {
LogAndConsoleError $ErrorMessage
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
}
- else
+ else
{
LogAndConsoleWarning $ErrorMessage
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
@@ -487,9 +489,9 @@ function Instantiate-HSTI {
}
}
- catch
+ catch
{
- LogAndConsoleError $_.Exception.Message
+ LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed"
}
}
@@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
$CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput"
}
- catch
+ catch
{
Log "Exception while exectuing $_cmd"
- Log $_.Exception.Message
+ Log $_.Exception.Message
}
@@ -676,7 +678,7 @@ function CheckDriverCompat
verifier.exe /flags 0x02000000 /all /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
- Log $verifier_state
+ Log $verifier_state
LogAndConsole "Please re-execute this script after reboot...."
if($AutoReboot)
{
@@ -692,7 +694,7 @@ function CheckDriverCompat
else
{
LogAndConsole "Driver verifier already enabled"
- Log $verifier_state
+ Log $verifier_state
ListDrivers($verifier_state.Trim().ToLowerInvariant())
}
}
@@ -700,23 +702,23 @@ function IsDomainController
{
$_isDC = 0
$CompConfig = Get-WmiObject Win32_ComputerSystem
- foreach ($ObjItem in $CompConfig)
+ foreach ($ObjItem in $CompConfig)
{
$Role = $ObjItem.DomainRole
Log "Role=$Role"
- Switch ($Role)
+ Switch ($Role)
{
0 { Log "Standalone Workstation" }
1 { Log "Member Workstation" }
2 { Log "Standalone Server" }
3 { Log "Member Server" }
- 4
+ 4
{
Log "Backup Domain Controller"
$_isDC=1
break
}
- 5
+ 5
{
Log "Primary Domain Controller"
$_isDC=1
@@ -735,7 +737,7 @@ function CheckOSSKU
Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
$HLKAllowed = @("microsoft windows 10 pro")
- foreach ($SKUent in $SKUarray)
+ foreach ($SKUent in $SKUarray)
{
if($osname.ToString().Contains($SKUent.ToLower()))
{
@@ -762,7 +764,7 @@ function CheckOSSKU
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
}
- else
+ else
{
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
@@ -773,14 +775,14 @@ function CheckOSSKU
function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
- Log $OSArch
- if($OSArch.Contains("64-bit"))
+ Log $OSArch
+ if($OSArch -match ("^64\-?\s?bit"))
{
- LogAndConsoleSuccess "64 bit archictecture"
+ LogAndConsoleSuccess "64 bit architecture"
}
- elseif($OSArch.Contains("32-bit"))
+ elseif($OSArch -match ("^32\-?\s?bit"))
{
- LogAndConsoleError "32 bit archictecture"
+ LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
@@ -878,7 +880,7 @@ function CheckTPM
function CheckSecureMOR
{
$isSecureMOR = CheckDGFeatures(4)
- Log "isSecureMOR= $isSecureMOR "
+ Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1)
{
LogAndConsoleSuccess "Secure MOR is available"
@@ -904,7 +906,7 @@ function CheckSecureMOR
function CheckNXProtection
{
$isNXProtected = CheckDGFeatures(5)
- Log "isNXProtected= $isNXProtected "
+ Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1)
{
LogAndConsoleSuccess "NX Protector is available"
@@ -921,7 +923,7 @@ function CheckNXProtection
function CheckSMMProtection
{
$isSMMMitigated = CheckDGFeatures(6)
- Log "isSMMMitigated= $isSMMMitigated "
+ Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1)
{
LogAndConsoleSuccess "SMM Mitigation is available"
@@ -938,15 +940,15 @@ function CheckSMMProtection
function CheckHSTI
{
LogAndConsole "Copying HSTITest.dll"
- try
+ try
{
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
}
- catch
+ catch
{
- LogAndConsole $_.Exception.Message
+ LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed"
}
@@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
- LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
+ LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
@@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
}
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
-$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
+$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin)
{
@@ -1065,7 +1067,7 @@ if($Ready)
{
Log "_CGState: $_CGState"
PrintCGDetails $_CGState
-
+
if($_CGState)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
@@ -1077,28 +1079,28 @@ if($Ready)
}
elseif($DG)
{
- Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
+ Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState
- PrintConfigCIDetails $_ConfigCIState
+ PrintConfigCIDetails $_ConfigCIState
if($_ConfigCIState -and $_HVCIState)
{
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
-
+
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
}
else
{
LogAndConsoleWarning "Not all services are running."
-
+
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
}
}
- else
+ else
{
- Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
-
+ Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
+
PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
@@ -1147,7 +1149,7 @@ if($Enable)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
}
- else
+ else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
@@ -1158,8 +1160,8 @@ if($Enable)
{
if(!$HVCI -and !$CG)
{
- if(!$SIPolicyPath)
- {
+ if(!$SIPolicyPath)
+ {
Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
@@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
- #Enable/Disable IOMMU seperately
+ #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
- #Enable/Disable IOMMU seperately
+ #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@@ -1270,7 +1272,7 @@ if($Disable)
}
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
- #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
+ #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive"
@@ -1314,7 +1316,7 @@ if($Capable)
}
$_StepCount = 1
if(!$CG)
- {
+ {
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++
CheckDriverCompat
@@ -1323,15 +1325,15 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++
CheckSecureBootState
-
+
if(!$HVCI -and !$DG -and !$CG)
- {
+ {
#check only if sub-options are absent
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
$_StepCount++
CheckHSTI
}
-
+
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
$_StepCount++
CheckOSArchitecture
@@ -1345,11 +1347,11 @@ if($Capable)
CheckVirtualization
if(!$HVCI -and !$DG)
- {
+ {
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
$_StepCount++
CheckTPM
-
+
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
$_StepCount++
CheckSecureMOR
@@ -1358,11 +1360,11 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
$_StepCount++
CheckNXProtection
-
+
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
$_StepCount++
CheckSMMProtection
-
+
LogAndConsole " ====================== End Check ====================== "
LogAndConsole " ====================== Summary ====================== "
@@ -1371,7 +1373,6 @@ if($Capable)
}
-
# SIG # Begin signature block
## REPLACE
# SIG # End signature block
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index f42095fd31..a51e3b166f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -75,8 +75,9 @@ Sign-in the federation server with domain administrator equivalent credentials.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
+8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.
+9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
+10. Click **Enroll**.
A server authentication certificate should appear in the computer’s Personal certificate store.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 067d2d3504..3fc4c88711 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -150,7 +150,7 @@ Domain controllers automatically request a certificate from the domain controlle
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
12. Click **OK**. Close the **Group Policy Management Editor**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index ce973a2827..ae11903279 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
6. Sign out of the Microsoft Azure Portal.
+> [!NOTE]
+> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
## Configure Windows Hello for Business Device Enrollment
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index be3bc06968..328c9513bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -19,7 +19,7 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services
**Applies to**
-- Windows10, version 1703 or later
+- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
@@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
1. Open a **Windows PowerShell** prompt.
-2. Type the following command
+2. Enter the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
-
->[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+ >[!NOTE]
+ > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
@@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Section Review
> [!div class="checklist"]
-> * Configure the registration authority
-> * Update group memberships for the AD FS service account
+> * Configure the registration authority.
+> * Update group memberships for the AD FS service account.
>
>
> [!div class="step-by-step"]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 0aa43d1982..7576402a17 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -16,6 +16,7 @@ localizationpriority: medium
ms.date: 10/23/2017
ms.reviewer:
---
+
# Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to**
@@ -26,7 +27,7 @@ ms.reviewer:
## Directory Synchronization
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
+In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
@@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
-9. Click **OK** three times to complete the task.
+9. Click **OK** three times to complete the task.
### Group Memberships for the Azure AD Connect Service Account
-The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
+The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
@@ -62,14 +63,14 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
6. Click **OK** to return to **Active Directory Users and Computers**.
> [!NOTE]
-> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
+> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
### Section Review
> [!div class="checklist"]
> * Configure Permissions for Key Synchronization
> * Configure group membership for Azure AD Connect
->
+>
> [!div class="step-by-step"]
> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 20e50b5d3a..0f6cbee626 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
-The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
+The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
@@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
-* The certificate template must have an extension that has the BMP data value "DomainController".
+* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 406d096165..96fc9bd8c2 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -457,7 +457,7 @@ Checking BitLocker status with the control panel is the most common method used
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
-If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
+If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 09d6973301..436ef15fe7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1882,7 +1882,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
->**Warning:** Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
+>**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
### Provide the unique identifiers for your organization
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 50032d076f..b7bd91eda3 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -46,12 +46,12 @@
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
-##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
##### [Application isolation]()
-###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
-###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
+###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
+###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
@@ -96,105 +96,105 @@
### [Next-generation protection]()
-#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
+#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
#### [Configure next-generation protection]()
-##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Utilize Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+###### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+###### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+###### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
-###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+###### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
-###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
-###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
+###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
###### [Report on antivirus protection]()
-####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
-###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
##### [Manage antivirus in your business]()
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
##### [Manage scans and remediation]()
-###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
+###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
-###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to manage next generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
-#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac]()
@@ -284,7 +284,7 @@
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
@@ -632,7 +632,7 @@
##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
-#### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 74a43afb5e..d6788c3add 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -26,7 +26,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- - Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
+ - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
@@ -111,7 +111,7 @@ For example:
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
1. Enable **Prevent installation of devices that match any of these device IDs**.
-2. Enable **Prevent installation of devices that match these device setup classes**.
+2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
> [!Note]
> The prevent device installation policies take precedence over the allow device installation policies.
@@ -145,6 +145,14 @@ Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
```
+The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
+
+To prevent installation of particular classes of devices:
+
+1. Find the GUID of the device setup class from [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+2. Enable **Prevent installation of devices using drivers that match these device setup classes** and add the class GUID to the list.
+
+
### Block installation and usage of removable storage
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
@@ -226,22 +234,22 @@ For more information about controlling USB devices, see the [Microsoft Defender
| Control | Description |
|----------|-------------|
-| [Enable Windows Defender Antivirus Scanning](#enable-windows-defender-antivirus-scanning) | Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.|
+| [Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning) | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.|
| [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. |
| [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. |
>[!NOTE]
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
-### Enable Windows Defender Antivirus Scanning
+### Enable Microsoft Defender Antivirus Scanning
-Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
+Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) or scheduling scans and configuring removable drives for scans.
-- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
+- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
>[!NOTE]
->We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
+>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
@@ -255,7 +263,7 @@ This can be done by setting **Untrusted and unsigned processes that run from USB
With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
-These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
@@ -324,7 +332,7 @@ For example, using either approach, you can automatically have the Microsoft Def
## Related topics
-- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
+- [Configure real-time protection for Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
new file mode 100644
index 0000000000..043da38016
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 71fca8b044..7a0b4059d1 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -77,14 +77,14 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
+**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
-- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus)
-- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
-- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
-- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
+- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
+- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)
+- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
+- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 572d4cf705..74c19eb50f 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -159,11 +159,11 @@ Advertisements shown to you must:
#### Consumer opinion
-Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
+Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
-Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Windows Defender Antivirus, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
*PUAs are not considered malware.*
@@ -175,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
+* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index 3e680879b5..c6973ab9e1 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You
## Why is the Windows Firewall blocking my program?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 35aec2bd9c..b413cea906 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -40,4 +40,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
-Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 2a52b19798..001d356c59 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -1,7 +1,7 @@
---
title: Malware names
ms.reviewer:
-description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware.
+description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name
ms.prod: w10
ms.mktglfcycl: secure
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index ffe4254e2b..ad80fad7fe 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -55,7 +55,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
-[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index f6b12d45e0..96e45bc39b 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -34,7 +34,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
-- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
+- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
## System requirements
@@ -53,7 +53,7 @@ For more information about the Safety Scanner, see the support article on [how t
## Related resources
- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
-- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
+- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 35942059ca..8544b43d61 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -45,13 +45,13 @@ It is also important to keep the following in mind:
* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
-* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
+* Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
## What to do if information has been given to a tech support person
* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
-* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
+* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
* Change passwords.
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index c9f64fecd6..2ed753b049 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -40,7 +40,7 @@ Trojans can come in many different varieties, but generally they do the followin
Use the following free Microsoft software to detect and remove it:
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](safety-scanner-download.md)
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index fdf1e1e4bf..ab2471f894 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -43,7 +43,7 @@ To prevent unwanted software infection, download software only from official web
Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
-Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 6b392dcc81..04c8f8280f 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -44,7 +44,7 @@ This image shows how a worm can quickly spread through a shared USB drive.
## How to protect against worms
-Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index 9b7b2cffbf..e9fd6a400e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -1,7 +1,7 @@
---
-title: What to do with false positives/negatives in Windows Defender Antivirus
-description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do.
-keywords: Windows Defender Antivirus, false positives, false negatives, exclusions
+title: What to do with false positives/negatives in Microsoft Defender Antivirus
+description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
+keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -12,43 +12,43 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/05/2020
+ms.date: 06/08/2020
ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
ms.topic: article
---
-# What to do with false positives/negatives in Windows Defender Antivirus
+# What to do with false positives/negatives in Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
+Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis);
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus.
+What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
+- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
+- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
+- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
## Submit a file to Microsoft for analysis
1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
+2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
> [!TIP]
> We recommend signing in at the submission portal so you can track the results of your submissions.
## Create an "Allow" indicator to prevent a false positive from recurring
-If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
+If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
## Define an exclusion on an individual Windows device to prevent an item from being scanned
-When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item.
+When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
1. On your Windows 10 device, open the Windows Security app.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
@@ -59,14 +59,14 @@ The following table summarizes exclusion types, how they're defined, and what ha
|Exclusion type |Defined by |What happens |
|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+To learn more, see:
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
## Related articles
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 1cae26190b..532462188a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -1,6 +1,6 @@
---
-title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus
-description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in
+title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -25,7 +25,7 @@ manager: dansimp
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
-Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
+Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
@@ -52,7 +52,7 @@ On at least two devices that are not reporting or showing up in Update Complianc
6. Send an email using the Update Compliance support email template, and fill out the template with the following information:
```
- I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
+ I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
I have provided at least 2 support .cab files at the following location:
@@ -63,5 +63,5 @@ On at least two devices that are not reporting or showing up in Update Complianc
## See also
-- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)
+- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
new file mode 100644
index 0000000000..708ec3f869
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -0,0 +1,95 @@
+---
+title: Collect diagnostic data of Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 06/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Collect Windows Defender AV diagnostic data
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV.
+
+On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
+
+1. Open an administrator-level version of the command prompt as follows:
+
+ a. Open the **Start** menu.
+
+ b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+ c. Enter administrator credentials or approve the prompt.
+
+2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
+
+> [!NOTE]
+> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
+
+3. Type the following command, and then press **Enter**
+
+ ```Dos
+ mpcmdrun.exe -GetFiles
+ ```
+
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
+
+> [!NOTE]
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+
+> [!NOTE]
+>If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information:
+>```
+> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
+> I have provided at least 2 support .cab files at the following location:
+>
+>
+> My OMS workspace ID is:
+>
+> Please contact me at:
+
+## Redirect diagnostic data to a UNC share
+To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
+
+```Dos
+mpcmdrun.exe -GetFiles -SupportLogLocation
+```
+
+Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
+
+When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+
+```Dos
+\\MpSupport--.cab
+```
+
+| field | Description |
+|:----|:----|
+| path | The path as specified on the commandline or retrieved from configuration
+| MMDD | Month Day when the diagnostic data was collected (eg 0530)
+| hostname | the hostname of the device on which the diagnostic data was collected.
+| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+
+> [!NOTE]
+> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
+
+## See also
+
+- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 0483497ae8..cf81f65145 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Use the command line to manage Windows Defender Antivirus
-description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
+title: Use the command line to manage Microsoft Defender Antivirus
+description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,13 +16,13 @@ ms.reviewer: ksarens
manager: dansimp
---
-# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
+# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
+You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -36,7 +36,7 @@ MpCmdRun.exe [command] [-options]
```
Here's an example:
```
-MpCmdRun.exe -scan -2
+MpCmdRun.exe -Scan -ScanType 2
```
| Command | Description |
@@ -44,7 +44,7 @@ MpCmdRun.exe -scan -2
| `-?` **or** `-h` | Displays all available options for this tool |
| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
-| `-GetFiles` | Collects support information |
+| `-GetFiles [-SupportLogLocation ]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
@@ -58,5 +58,5 @@ MpCmdRun.exe -scan -2
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..a48b41622f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -0,0 +1,45 @@
+---
+title: Manage Windows Defender in your business
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
+keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Manage Microsoft Defender Antivirus in your business
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can manage and configure Microsoft Defender Antivirus with the following tools:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+- The mpcmdrun.exe utility
+
+The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
+
+## In this section
+
+Article | Description
+---|---
+[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
+[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
+[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
+[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
+[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 14125ae30d..e2bba2fe2b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -17,7 +17,7 @@ manager: dansimp
---
-# Configure Windows Defender Antivirus scanning options
+# Configure Microsoft Defender Antivirus scanning options
**Applies to:**
@@ -25,7 +25,7 @@ manager: dansimp
**Use Microsoft Intune to configure scanning options**
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
@@ -41,7 +41,7 @@ To configure the Group Policy settings described in the following table:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
@@ -50,7 +50,7 @@ Description | Location and setting | Default setting (if not configured) | Power
Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
@@ -64,7 +64,7 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
## Use PowerShell to configure scanning options
-See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use WMI to configure scanning options
@@ -80,14 +80,14 @@ Email scanning enables scanning of email files used by Outlook and other mail c
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
-If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
+If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject
- Attachment name
## Related topics
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index d74cf4da9a..3906d071de 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -24,33 +24,33 @@ ms.custom: nextgen
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
-When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
+When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
-If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
+If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
## Confirm and validate that block at first sight is enabled
-Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments.
+Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
### Confirm block at first sight is enabled with Intune
-1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**.
+1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
@@ -65,11 +65,11 @@ Block at first sight requires a number of settings to be configured correctly or
> [!WARNING]
- > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
+ > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
-For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
+For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
### Enable block at first sight with Microsoft Endpoint Configuration Manager
@@ -100,7 +100,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
- Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
@@ -109,7 +109,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
> [!WARNING]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**:
+4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
@@ -152,7 +152,7 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
### Validate block at first sight is working
-You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Disable block at first sight
@@ -167,7 +167,7 @@ You may choose to disable block at first sight if you want to retain the prerequ
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**.
+3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
@@ -176,5 +176,5 @@ You may choose to disable block at first sight if you want to retain the prerequ
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
similarity index 54%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 1b9c177447..6fb6d97688 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Configure the Windows Defender AV cloud block timeout period
-description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
-keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -24,13 +24,13 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
+When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service.
+The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
## Prerequisites to use the extended cloud block timeout
-[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
+[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
## Specify the extended timeout period
@@ -40,7 +40,7 @@ You can use Group Policy to specify an extended timeout for cloud checks.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
@@ -48,7 +48,7 @@ You can use Group Policy to specify an extended timeout for cloud checks.
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
similarity index 54%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index 47161748b2..13346bae2f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -17,20 +17,20 @@ ms.reviewer:
manager: dansimp
---
-# Configure end-user interaction with Windows Defender Antivirus
+# Configure end-user interaction with Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
+You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
-This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
+This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
## In this section
Topic | Description
---|---
-[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
-[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
-[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
+[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
+[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
+[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..6407947fe2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Set up exclusions for Windows Defender AV scans
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 03/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure and validate exclusions for Microsoft Defender Antivirus scans
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
+
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+
+## Related articles
+
+[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index bc096eac9e..e7fbc46e41 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure and validate exclusions based on extension, name, or location
-description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
+description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -23,11 +23,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
-> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
## Exclusion lists
-You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
@@ -43,28 +43,28 @@ A specific process | The executable file `c:\test\process.exe` | File and folder
Exclusion lists have the following characteristics:
-- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
-- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
+- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
+- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
->The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
->Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
-To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md).
+To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions based on folder name or file extension
@@ -72,7 +72,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
See the following articles:
- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
-- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus)
+- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
### Use Configuration Manager to configure file name, folder, or file extension exclusions
@@ -87,14 +87,14 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- - Set the option to **Enabled**.
+ - Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- - Specify each folder on its own line under the **Value name** column.
- - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
+ - Specify each folder on its own line under the **Value name** column.
+ - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
@@ -146,7 +146,7 @@ For example, the following code snippet would cause Windows Defender AV scans to
Add-MpPreference -ExclusionExtension ".test"
```
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
@@ -165,7 +165,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c
### Use the Windows Security app to configure file name, folder, or file extension exclusions
-See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -178,14 +178,14 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
->- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
+>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
-|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
+|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
@@ -206,30 +206,30 @@ You can retrieve the items in the exclusion list using one of the following meth
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
- MpCmdRun
- PowerShell
-- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
+- [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions)
>[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
```
>[!NOTE]
->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -241,7 +241,7 @@ In the following example, the items contained in the `ExclusionExtension` list a
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Retrieve a specific exclusions list by using PowerShell
@@ -257,7 +257,7 @@ In the following example, the list is split into new lines for each use of the `
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
@@ -271,7 +271,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
-If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
+If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
@@ -290,6 +290,6 @@ You can also copy the string into a blank text file and attempt to save it with
## Related topics
-- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
similarity index 63%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 59f19f11c9..a7871d1232 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -17,21 +17,21 @@ ms.reviewer:
manager: dansimp
---
-# Prevent or allow users to locally modify Windows Defender Antivirus policy settings
+# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
+By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
-## Configure local overrides for Windows Defender Antivirus settings
+## Configure local overrides for Microsoft Defender Antivirus settings
The default setting for these policies is **Disabled**.
-If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
@@ -41,7 +41,7 @@ To configure these settings:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
@@ -49,25 +49,25 @@ To configure these settings:
Location | Setting | Article
---|---|---|---
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
## Configure how locally and globally defined threat remediation and exclusions lists are merged
-You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
@@ -79,7 +79,7 @@ You can disable this setting to ensure that only globally-defined lists (such as
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
@@ -88,5 +88,5 @@ You can disable this setting to ensure that only globally-defined lists (such as
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
new file mode 100644
index 0000000000..3f6f29e47b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -0,0 +1,49 @@
+---
+title: Configure Microsoft Defender Antivirus features
+description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure Microsoft Defender Antivirus features
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can configure Microsoft Defender Antivirus with a number of tools, including:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+
+The following broad categories of features can be configured:
+
+- Cloud-delivered protection
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
+- How end-users interact with the client on individual endpoints
+
+The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
+
+You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
+
+## In this section
+Topic | Description
+:---|:---
+[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
+[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
+[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index 69f56da605..2992128fc2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Configure and validate Windows Defender Antivirus network connections
-description: Configure and test your connection to the Windows Defender Antivirus cloud protection service.
-keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+title: Configure and validate Microsoft Defender Antivirus network connections
+description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
+keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Configure and validate Windows Defender Antivirus network connections
+# Configure and validate Microsoft Defender Antivirus network connections
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
@@ -36,14 +36,14 @@ See the blog post [Important changes to Microsoft Active Protection Services end
>- Fast learning (including block at first sight)
>- Potentially unwanted application blocking
-## Allow connections to the Windows Defender Antivirus cloud service
+## Allow connections to the Microsoft Defender Antivirus cloud service
-The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
@@ -52,21 +52,21 @@ Because your protection is a cloud service, computers must have access to the in
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
-| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
+| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
-|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
+|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` |
-| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
+| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
-After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
+After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
-Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
+Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
```DOS
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
@@ -75,11 +75,11 @@ Use the following argument with the Windows Defender Antivirus command-line util
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md).
+For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
**Attempt to download a fake malware file from Microsoft:**
-You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
+You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- https://aka.ms/ioavtest
@@ -87,9 +87,9 @@ Download the file by visiting the following link:
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
-If you are properly connected, you will see a warning Windows Defender Antivirus notification:
+If you are properly connected, you will see a warning Microsoft Defender Antivirus notification:
-
+
If you are using Microsoft Edge, you'll also see a notification message:
@@ -97,7 +97,7 @@ If you are using Microsoft Edge, you'll also see a notification message:
A similar message occurs if you are using Internet Explorer:
-
+
You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
@@ -112,19 +112,19 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
>[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
+>Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
-The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
+The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index ef9bf3607a..57a0ea6f0e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus notifications
-description: Configure and customize Windows Defender Antivirus notifications.
+title: Configure Microsoft Defender Antivirus notifications
+description: Configure and customize Microsoft Defender Antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -31,7 +31,7 @@ You can also configure how standard notifications appear on endpoints, such as n
## Configure the additional notifications that appear on endpoints
-You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy.
+You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
> [!NOTE]
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
@@ -59,7 +59,7 @@ You can configure the display of additional notifications, such as recent threat
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
@@ -71,7 +71,7 @@ You can use Group Policy to:
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
-Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
+Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@@ -84,7 +84,7 @@ See [Customize the Windows Security app for your organization](../windows-defend
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
@@ -96,11 +96,11 @@ See [Customize the Windows Security app for your organization](../windows-defend
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index 1b19f98ccd..7b14f8eda8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
-keywords: Windows Defender Antivirus, process, exclusion, files, scans
+keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -22,7 +22,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
+You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
@@ -34,11 +34,11 @@ Any file on the machine that is opened by any process with a specific file name
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:- c:\test\sample\test.exe
- c:\test\sample\test2.exe
- c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
-When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
+When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
-The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
+The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
-Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
+Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
@@ -46,7 +46,7 @@ You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
@@ -54,7 +54,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
@@ -66,7 +66,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
4. Double-click **Process Exclusions** and add the exclusions:
@@ -107,7 +107,7 @@ For example, the following code snippet would cause Windows Defender AV scans to
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
-See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
@@ -127,7 +127,7 @@ See the following for more information and allowed parameters:
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
-See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -149,26 +149,26 @@ Environment variables | The defined variable will be populated as a path when th
## Review the list of exclusions
-You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
```
>[!NOTE]
->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -176,7 +176,7 @@ Use the following cmdlet:
Get-MpPreference
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
@@ -187,12 +187,12 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Related articles
-- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
similarity index 52%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 8e6f966e08..e09172a74b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Enable and configure Windows Defender Antivirus protection features
+title: Enable and configure Microsoft Defender Antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
-keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
+keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,21 +23,21 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus uses several methods to provide threat protection:
+Microsoft Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
-You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
+You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
-See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection.
+See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection.
## In this section
Topic | Description
---|---
-[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features
+[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
+[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
index 5d08760627..a456334e1f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Enable and configure Windows Defender Antivirus protection capabilities
-description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
+title: Enable and configure Microsoft Defender Antivirus protection capabilities
+description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,7 +17,7 @@ manager: dansimp
ms.custom: nextgen
---
-# Enable and configure Windows Defender Antivirus always-on protection in Group Policy
+# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
**Applies to:**
@@ -29,7 +29,7 @@ These activities include events, such as processes making unusual changes to exi
## Enable and configure always-on protection in Group Policy
-You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings.
+You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings.
To enable and configure always-on protection:
@@ -37,29 +37,29 @@ To enable and configure always-on protection:
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**.
-
-3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this:
- 1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this:
+ 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
- | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
- | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
+ | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+ | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
2. Configure the setting as appropriate, and click **OK**.
3. Repeat the previous steps for each setting in the table.
-4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this:
- 1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**.
- 
+4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this:
+ 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**.
+ 
2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
- | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
+ | Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
@@ -73,15 +73,15 @@ To enable and configure always-on protection:
3. Configure the setting as appropriate, and click **OK**.
4. Repeat the previous steps for each setting in the table.
-5. Configure the Windows Defender Antivirus scanning policy setting. To do this:
- 1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
- 
+5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this:
+ 1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**.
+ 
2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
- | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled |
+ | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
3. Configure the setting as appropriate, and click **OK**.
6. Close **Local Group Policy Editor**.
@@ -98,7 +98,7 @@ To disable real-time protection in Group policy:
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
@@ -110,5 +110,5 @@ To disable real-time protection in Group policy:
## Related articles
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..f8ac6071ef
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -0,0 +1,72 @@
+---
+title: Remediate and resolve infections detected by Microsoft Defender Antivirus
+description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure remediation for Microsoft Defender Antivirus scans
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+
+This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
+
+## Configure remediation options
+
+You can configure how remediation works with the Group Policy settings described in this section.
+
+To configure these settings:
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+
+4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
+Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
+Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
+Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
+Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
+Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
+>
+> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
+>
+> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
+
+Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
+
+## Related topics
+
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
similarity index 85%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 78f6412fd9..66adf9c4d6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
+title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019
ms.reviewer:
manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
-keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -16,20 +16,20 @@ ms.author: deniseb
ms.custom: nextgen
---
-# Configure Windows Defender Antivirus exclusions on Windows Server
+# Configure Microsoft Defender Antivirus exclusions on Windows Server
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
## A few points to keep in mind
@@ -39,7 +39,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c
- Custom and duplicate exclusions do not conflict with automatic exclusions.
-- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
@@ -48,7 +48,7 @@ In Windows Server 2016 and 2019, the predefined exclusions delivered by Security
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
-Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
@@ -58,7 +58,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
@@ -70,9 +70,9 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md).
+[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
-[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
@@ -168,7 +168,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
@@ -400,12 +400,12 @@ This section lists the folder exclusions that are delivered automatically when y
## Related articles
-- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..0a108f47da
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..0a108f47da
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index faaa2c10dd..b9406da6f4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Deploy, manage, and report on Windows Defender Antivirus
-description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
-keywords: deploy, manage, update, protection, windows defender antivirus
+title: Deploy, manage, and report on Microsoft Defender Antivirus
+description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
+keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,40 +17,40 @@ ms.reviewer:
manager: dansimp
---
-# Deploy, manage, and report on Windows Defender Antivirus
+# Deploy, manage, and report on Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
+You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
-Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
-- Managing Windows Defender Antivirus protection, including managing product and protection updates
-- Reporting on Windows Defender Antivirus protection
+- Managing Microsoft Defender Antivirus protection, including managing product and protection updates
+- Reporting on Microsoft Defender Antivirus protection
> [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
-Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
-2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
+2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
-3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
[Endpoint Protection point site system role]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-site-role
[default and customized antimalware policies]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies
@@ -70,16 +70,16 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
-[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md
-[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md
+[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
+[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx
[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
-[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
+[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
## In this section
Topic | Description
---|---
-[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
-[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
+[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..6e0bb71ecc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -0,0 +1,38 @@
+---
+title: Deploy and enable Microsoft Defender Antivirus
+description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
+keywords: deploy, enable, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Deploy and enable Microsoft Defender Antivirus
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
+
+See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
+
+Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+
+The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
similarity index 88%
rename from windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index ad266974fa..096a6816cb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide
-description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
+title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide
+description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
+In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
@@ -41,7 +41,7 @@ This guide describes how to configure your VMs for optimal protection and perfor
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Apply exclusions](#exclusions)
-You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
+You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
> [!IMPORTANT]
> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
@@ -116,7 +116,7 @@ The profile will now be deployed to the impacted devices. This may take some tim
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
@@ -192,11 +192,11 @@ If you would prefer to do everything manually, this what you would need to do to
### Randomize scheduled scans
-Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
+Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
-See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
### Use quick scans
@@ -211,7 +211,7 @@ Quick scans are the preferred approach as they are designed to look in all place
### Prevent notifications
-Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface.
+Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface.
1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
@@ -257,7 +257,7 @@ This hides the entire Windows Defender AV user interface from users.
### Exclusions
-On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus).
+On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus).
## Additional resources
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 7c0db7f78f..3345190e01 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Block potentially unwanted applications with Windows Defender Antivirus
+title: Block potentially unwanted applications with Microsoft Defender Antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
-keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus
+keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -64,20 +64,20 @@ Defender SmartScreen available, including [one for blocking PUA](https://docs.mi
Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
> [!NOTE]
> This feature is only available in Windows 10.
-Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
+Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
-When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
+When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
-The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
+The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
-#### Configure PUA protection in Windows Defender Antivirus
+#### Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.
@@ -90,7 +90,7 @@ PUA audit mode is useful if your company is conducting an internal software secu
##### Use Intune to configure PUA protection
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
##### Use Configuration Manager to configure PUA protection
@@ -101,7 +101,7 @@ See [How to create and deploy antimalware policies: Scheduled scans settings](ht
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
> [!NOTE]
-> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
+> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
##### Use Group Policy to configure PUA protection
@@ -109,7 +109,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
4. Double-click **Configure protection for potentially unwanted applications**.
@@ -142,7 +142,7 @@ Set-MpPreference -PUAProtection disable
```
Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
#### View PUA events
@@ -150,13 +150,13 @@ PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoi
You can turn on email notifications to receive mail about PUA detections.
-See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**.
+See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
#### Allow-listing apps
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus.
## Related articles
-- [Next-generation protection](windows-defender-antivirus-in-windows-10.md)
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index 8c14c01d58..69f126b8f8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Enable cloud-delivered protection in Windows Defender Antivirus
+title: Enable cloud-delivered protection in Microsoft Defender Antivirus
description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
-keywords: windows defender antivirus, antimalware, security, cloud, block at first sight
+keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,16 +23,16 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
-> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
-See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
+See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
-There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
+There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details.
> [!NOTE]
> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
@@ -42,7 +42,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
@@ -54,9 +54,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca
> The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+ > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
-8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
@@ -72,7 +72,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
3. Select **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
@@ -85,7 +85,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
> The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+ > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
7. Click **OK**.
@@ -98,13 +98,13 @@ Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
>[!NOTE]
> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
>[!WARNING]
-> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
@@ -137,11 +137,11 @@ See the following for more information and allowed parameters:
## Related topics
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index 6173192baf..1c2dec92b5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Evaluate Windows Defender Antivirus
-description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
-keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+title: Evaluate Microsoft Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
+keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Evaluate Windows Defender Antivirus
+# Evaluate Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
+Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
@@ -31,7 +31,7 @@ Use this guide to determine how well Windows Defender Antivirus protects you fro
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
-It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
@@ -44,11 +44,11 @@ You can also download a PowerShell that will enable all the settings described i
- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings)
> [!IMPORTANT]
-> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
>
-> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md).
+> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md).
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
similarity index 51%
rename from windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
index 8285dbdc5e..8e83b95ad4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Enable the limited periodic Windows Defender Antivirus scanning feature
-description: Limited periodic scanning lets you use Windows Defender Antivirus in addition to your other installed AV providers
+title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
+description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -19,7 +19,7 @@ manager: dansimp
-# Use limited periodic scanning in Windows Defender Antivirus
+# Use limited periodic scanning in Microsoft Defender Antivirus
**Applies to:**
@@ -27,31 +27,31 @@ manager: dansimp
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
-It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md).
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
-By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
+By default, Microsoft Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
-If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device:
+If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:
-If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
+If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
-Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
+Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
-
+
## Related articles
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
similarity index 71%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index 20d523d368..6f5db8d1e5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Apply Windows Defender Antivirus updates after certain events
-description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
+title: Apply Microsoft Defender Antivirus updates after certain events
+description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -23,11 +23,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
## Check for protection updates before running a scan
-You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
+You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
### Use Configuration Manager to check for protection updates before running a scan
@@ -47,7 +47,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
@@ -61,7 +61,7 @@ Use the following cmdlets:
Set-MpPreference -CheckForSignaturesBeforeRunningScan
```
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
@@ -75,7 +75,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c
## Check for protection updates on startup
-You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started.
+You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -83,15 +83,15 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
6. Click **OK**.
-You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running.
+You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running.
-### Use Group Policy to download updates when Windows Defender Antivirus is not present
+### Use Group Policy to download updates when Microsoft Defender Antivirus is not present
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -99,13 +99,13 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
-### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present
+### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present
Use the following cmdlets:
@@ -113,9 +113,9 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
-For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present
+### Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present
Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
@@ -141,7 +141,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
@@ -152,9 +152,9 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 9a6e186de0..6d5ec2c418 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -17,21 +17,21 @@ ms.reviewer:
manager: dansimp
---
-# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date
+# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
+Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
-When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan.
+When the user returns to work and logs on to their PC, Microsoft Defender Antivirus will immediately check and download the latest protection updates, and run a scan.
## Set up catch-up protection updates for endpoints that haven't updated for a while
-If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
+If Microsoft Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-microsoft-defender-antivirus.md).
### Use Configuration Manager to configure catch-up protection updates
@@ -40,7 +40,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
- 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+ 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order).
3. Click **OK**.
@@ -54,7 +54,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates**.
5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
@@ -68,7 +68,7 @@ Use the following cmdlets:
Set-MpPreference -SignatureUpdateCatchupInterval
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to configure catch-up protection updates
@@ -84,7 +84,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
-You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
+You can also specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
### Use Group Policy to specify the number of days before protection is considered out-of-date
@@ -94,7 +94,7 @@ You can also specify the number of days after which Windows Defender Antivirus p
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware Security intelligence to be out-of-date.
@@ -107,11 +107,11 @@ You can also specify the number of days after which Windows Defender Antivirus p
## Set up catch-up scans for endpoints that have not been scanned for a while
-You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan.
+You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan.
The process for enabling this feature is:
-1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic).
+1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
@@ -127,12 +127,12 @@ This feature can be enabled for both full and quick scans.
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings:
1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**.
3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**.
- 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**.
+ 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**.
> [!NOTE]
> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
@@ -147,7 +147,7 @@ Set-MpPreference -DisableCatchupQuickScan
```
-See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to configure catch-up scans
@@ -174,9 +174,9 @@ See the following for more information and allowed parameters:
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index c67fd41aa8..5ba75a3387 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule Windows Defender Antivirus protection updates
+title: Schedule Microsoft Defender Antivirus protection updates
description: Schedule the day, time, and interval for when protection updates should be downloaded
keywords: updates, security baselines, schedule updates
search.product: eADQiWindows 10XVcnh
@@ -24,7 +24,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus lets you determine when it should look for and download updates.
+Microsoft Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
@@ -32,7 +32,7 @@ You can schedule updates for your endpoints by:
- Specifying the interval to check for protection updates
- Specifying the time to check for protection updates
-You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
+You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic for more information.
## Use Configuration Manager to schedule protection updates
@@ -51,7 +51,7 @@ You can also randomize the times when each endpoint checks and downloads protect
## Use Group Policy to schedule protection updates
> [!IMPORTANT]
-> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
+> By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -59,7 +59,7 @@ You can also randomize the times when each endpoint checks and downloads protect
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
@@ -76,7 +76,7 @@ Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to schedule protection updates
@@ -94,12 +94,12 @@ See the following for more information and allowed parameters:
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
similarity index 72%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index a487d96a32..d3a6243859 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Manage how and where Windows Defender AV receives updates
-description: Manage the fallback order for how Windows Defender Antivirus receives protection updates.
+description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,7 +16,7 @@ manager: dansimp
ms.custom: nextgen
---
-# Manage the sources for Windows Defender Antivirus protection updates
+# Manage the sources for Microsoft Defender Antivirus protection updates
**Applies to:**
@@ -25,11 +25,11 @@ ms.custom: nextgen
-Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Windows Defender Antivirus:
+Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus:
- *Where* the updates are downloaded from; and
- *When* updates are downloaded and applied.
-This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
+This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
> [!IMPORTANT]
> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
@@ -53,13 +53,13 @@ There are five locations where you can specify where an endpoint should obtain u
- [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
- [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview)
-- [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT]
> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
-> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@@ -68,9 +68,9 @@ Each source has typical scenarios that depend on how your network is configured,
|---|---|
|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
-|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
+|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.|
-|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
@@ -104,8 +104,8 @@ The procedures in this article first describe how to set the order, and then how
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
> [!NOTE]
-> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Windows Defender Antivirus > Signature Updates**
-> For Windows 10, version 1903, the policy path is **Windows Components > Windows Defender Antivirus > Security Intelligence Updates**
+> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
+> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
## Use Configuration Manager to manage the update location
@@ -123,7 +123,7 @@ Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\
See the following articles for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
-- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
- [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index)
## Use Windows Management Instruction (WMI) to manage the update location
@@ -144,19 +144,19 @@ See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.
## What if we're using a third-party vendor?
-This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks.
+This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
-For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates.
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) to deploy patches and updates.
> [!NOTE]
-> Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
+> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 5fdfa55aa4..f619b37fca 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Manage Windows Defender Antivirus updates and apply baselines
-description: Manage how Windows Defender Antivirus receives protection and product updates.
+title: Manage Microsoft Defender Antivirus updates and apply baselines
+description: Manage how Microsoft Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,35 +16,35 @@ ms.reviewer:
manager: dansimp
---
-# Manage Windows Defender Antivirus updates and apply baselines
+# Manage Microsoft Defender Antivirus updates and apply baselines
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-There are two types of updates related to keeping Windows Defender Antivirus up to date:
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- Security intelligence updates
- Product updates
> [!IMPORTANT]
-> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
-> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility).
+> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
## Security intelligence updates
-Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the security intelligence updates and are released on a monthly cadence.
## Product updates
-Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
-For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
@@ -58,11 +58,32 @@ All our updates contain:
* serviceability improvements
* integration improvements (Cloud, MTP)
+
+ May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
+
+ Security intelligence update version: **1.317.20.0**
+ Released: **May 26, 2020**
+ Platform: **4.18.2005.4**
+ Engine: **1.1.17100.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Improved logging for scan events
+* Improved user mode crash handling.
+* Added event tracing for Tamper protection
+* Fixed AMSI Sample submission
+* Fixed AMSI Cloud blocking
+* Fixed Security update install log
+
+### Known Issues
+No known issues
+
+
April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
- Security intelligence update version: **TBD**
+ Security intelligence update version: **1.315.12.0**
Released: **April 30, 2020**
Platform: **4.18.2004.6**
Engine: **1.1.17000.2**
@@ -93,14 +114,14 @@ No known issues
### What's new
-* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus)
+* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
* reduce Security intelligence timeout (5min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
### Known Issues
-[**Fixed**] Windows Defender Antivirus is skipping files when running a scan.
+[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
@@ -139,7 +160,7 @@ Support phase: **Technical upgrade Support (Only)**
* Fixed BSOD on WS2016 with Exchange
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
-* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
* Fix 4.18.1911.10 hang
### Known Issues
@@ -171,7 +192,7 @@ No known issues
-## Windows Defender Antivirus platform support
+## Microsoft Defender Antivirus platform support
As stated above, platform and engine updates are provided on a monthly cadence.
Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
@@ -186,7 +207,7 @@ Customers must stay current with the latest platform update to be fully supporte
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
### Platform version included with Windows 10 releases
-The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase |
|-|-|-|-|
@@ -205,8 +226,8 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof
Article | Description
---|---
-[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
-[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
-[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
-[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
+[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
+[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
+[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index 94b9e04752..81ba39a7cc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -31,13 +31,13 @@ There are two settings that are particularly useful for these devices:
- Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
-- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
-You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
@@ -55,7 +55,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
@@ -73,7 +73,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
## Prevent Security intelligence updates when running on battery power
-You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
+You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
### Use Group Policy to prevent security intelligence updates on battery power
@@ -83,7 +83,7 @@ You can configure Windows Defender Antivirus to only download protection updates
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
@@ -91,5 +91,5 @@ You can configure Windows Defender Antivirus to only download protection updates
## Related articles
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..2cb802f3b8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -0,0 +1,98 @@
+---
+title: Microsoft Defender Antivirus compatibility with other security products
+description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Microsoft Defender Antivirus compatibility
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+
+## Antivirus and Microsoft Defender ATP
+
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
+
+
+| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state |
+|------|------|-------|-------|
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
+| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
+
+(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
+- Value: 1
+
+See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
+>
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The following table summarizes the functionality and features that are available in each state:
+
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
+|--|--|--|--|--|--|
+|Active mode
|Yes |No |Yes |Yes |Yes |
+|Passive mode |No |No |Yes |No |Yes |
+|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
+|Automatic disabled mode |No |Yes |No |No |No |
+
+- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
+## Keep the following points in mind
+
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
+
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..f0ebabb8e5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -0,0 +1,59 @@
+---
+title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
+keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 02/25/2020
+ms.reviewer:
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+
+**Applies to:**
+
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Microsoft Defender Antivirus: Your next-generation protection
+
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
+
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date.
+
+## Try a demo!
+
+Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+- Cloud-delivered protection
+- Block at first sight (BAFS) protection
+- Potentially unwanted applications (PUA) protection
+
+## Minimum system requirements
+
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
+
+- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
+
+## Configure next-generation protection services
+
+For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md).
+
+> [!Note]
+> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
+
+## Related articles
+
+- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
+
+- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 6ff0b08f83..4cf3a8a1e7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Antivirus on Windows Server 2016 and 2019
+title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
@@ -16,28 +16,28 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus on Windows Server 2016 and 2019
+# Microsoft Defender Antivirus on Windows Server 2016 and 2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
+Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
-While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
+While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
-- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product.
+- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
## The process at a glance
-The process of setting up and running Windows Defender Antivirus on a server platform includes several steps:
+The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
-2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019)
+2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
-2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running)
+2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
@@ -45,11 +45,11 @@ The process of setting up and running Windows Defender Antivirus on a server pla
5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
-6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus)
+6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
## Enable the user interface on Windows Server 2016 or 2019
-By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
### Turn on the GUI using the Add Roles and Features Wizard
@@ -73,30 +73,30 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
-## Install Windows Defender Antivirus on Windows Server 2016 or 2019
+## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
-You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
### Use the Add Roles and Features Wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
-2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option.
+2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.
### Use PowerShell
-To use PowerShell to install Windows Defender Antivirus, run the following cmdlet:
+To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
```PowerShell
Install-WindowsFeature -Name Windows-Defender
```
-Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-microsoft-defender-antivirus.md).
-## Verify Windows Defender Antivirus is running
+## Verify Microsoft Defender Antivirus is running
-To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet:
+To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
```PowerShell
Get-Service -Name windefend
@@ -108,17 +108,17 @@ To verify that firewall protection is turned on, run the following PowerShell cm
Get-Service -Name mpssvc
```
-As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt:
+As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
```DOS
sc query Windefend
```
-The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`.
+The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`.
## Update antimalware Security intelligence
-In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
+In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
@@ -135,11 +135,11 @@ To ensure that protection from malware is maintained, we recommend that you enab
- Windows Update service
-The following table lists the services for Windows Defender Antivirus and the dependent services.
+The following table lists the services for Microsoft Defender Antivirus and the dependent services.
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.|
|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
@@ -161,28 +161,28 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
-|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. |
-|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. |
+|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
+|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
-See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-## Need to uninstall Windows Defender Antivirus?
+## Need to uninstall Microsoft Defender Antivirus?
-If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources:
+If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
-- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
-If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections.
+If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections.
-### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard
+### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
@@ -192,7 +192,7 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the
Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
-### Uninstall Windows Defender Antivirus using PowerShell
+### Uninstall Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
@@ -205,7 +205,7 @@ Uninstall-WindowsFeature -Name Windows-Defender
### Turn off the GUI using PowerShell
-To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet:
+To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender-GUI
@@ -214,8 +214,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
new file mode 100644
index 0000000000..636b470f3c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -0,0 +1,141 @@
+---
+title: Microsoft Defender Offline in Windows 10
+description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Run and review the results of a Microsoft Defender Offline scan
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
+In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## prerequisites and requirements
+
+Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Microsoft Defender Offline updates
+
+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
+
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client:
+
+
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
+
+Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Configure notifications
+
+
+Microsoft Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications.
+
+For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
+
+## Run a scan
+
+> [!IMPORTANT]
+> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+You can run a Microsoft Defender Offline scan with the following:
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- The Windows Security app
+
+
+
+### Use PowerShell cmdlets to run an offline scan
+
+Use the following cmdlets:
+
+```PowerShell
+Start-MpWDOScan
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to run an offline scan
+
+Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
+
+The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+
+
+### Use the Windows Defender Security app to run an offline scan
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
+
+
+3. Select **Microsoft Defender Offline scan** and click **Scan now**.
+
+
+ > [!NOTE]
+ > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
+
+
+## Review scan results
+
+Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
+
+
+## Related articles
+
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
similarity index 87%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 77eca7df65..36f41c59d3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Antivirus in the Windows Security app
+title: Microsoft Defender Antivirus in the Windows Security app
description: With Windows Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
@@ -16,7 +16,7 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus in the Windows Security app
+# Microsoft Defender Antivirus in the Windows Security app
**Applies to:**
@@ -52,22 +52,22 @@ The following diagrams compare the location of settings and functions between th
-
+
Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
---|---|---|---
1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
+4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
## Common tasks
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
> [!NOTE]
-> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
@@ -96,7 +96,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-### Ensure Windows Defender Antivirus is enabled in the Windows Security app
+### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
+ >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-### Add exclusions for Windows Defender Antivirus in the Windows Security app
+### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -130,14 +130,14 @@ The following table summarizes exclusion types and what happens:
|Exclusion type |Defined by |What happens |
|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
@@ -167,6 +167,6 @@ To learn more, see:
## Related articles
-- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 77a5c15cf1..58f370b7dd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
-description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more."
+title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
+description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -19,22 +19,22 @@ ms.reviewer:
manager: dansimp
---
-# Better together: Windows Defender Antivirus and Office 365
+# Better together: Microsoft Defender Antivirus and Office 365
**Applies to:**
-- Windows Defender Antivirus
+- Microsoft Defender Antivirus
- Office 365
You might already know that:
-- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
-**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two:
1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
@@ -44,11 +44,11 @@ Read the following sections to learn more.
## Ransomware protection and recovery
-When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
-2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md b/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md
new file mode 100644
index 0000000000..6e1deba9b5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md
@@ -0,0 +1,68 @@
+
+# [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+
+## [Windows Defender AV in the Microsoft Defender Security Center app](microsoft-defender-security-center-antivirus.md)
+
+## [Windows Defender AV on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)
+
+## [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
+### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-microsoft-defender-antivirus.md)
+
+
+## [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
+
+
+## [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+### [Deploy and enable Microsoft Defender Antivirus](deploy-microsoft-defender-antivirus.md)
+#### [Deployment guide for VDI environments](deployment-vdi-microsoft-defender-antivirus.md)
+### [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)
+#### [Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
+### [Manage updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+#### [Manage protection and Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
+#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+#### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+
+
+## [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+#### [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
+#### [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-microsoft-defender-antivirus.md)
+#### [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+
+
+## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-microsoft-defender-antivirus.md)
+#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+### [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+### [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+### [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
+### [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
+### [Run and review the results of a Windows Defender Offline scan](microsoft-defender-offline.md)
+
+
+## [Review event logs and error codes to troubleshoot issues](troubleshoot-microsoft-defender-antivirus.md)
+
+
+
+## [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-microsoft-defender-antivirus.md)
+### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-microsoft-defender-antivirus.md)
+### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-microsoft-defender-antivirus.md)
+### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-microsoft-defender-antivirus.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
similarity index 87%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 52966241d0..971482d70d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
-With tamper protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -37,11 +37,10 @@ With tamper protection, malicious apps are prevented from taking actions like th
### How it works
- Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-- and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
@@ -60,7 +59,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
## Turn tamper protection on (or off) for an individual machine
> [!NOTE]
-> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
>
> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
@@ -80,22 +79,22 @@ Here's what you see in the Windows Security app:
## Turn tamper protection on (or off) for your organization using Intune
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
> [!NOTE]
-> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
+> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+ - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
3. Select **Device configuration** > **Profiles**.
@@ -113,9 +112,9 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups.
-Here's what you see in the Windows Security app:
+ Here's what you see in the Windows Security app:
-
+ 
### Are you using Windows OS 1709, 1803, or 1809?
@@ -131,17 +130,17 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
## View information about tampering attempts
-Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
@@ -165,7 +164,7 @@ No
No. Third-party antivirus offerings will continue to register with the Windows Security application.
-### What happens if Windows Defender Antivirus is not active on a device?
+### What happens if Microsoft Defender Antivirus is not active on a device?
Tamper protection will not have any impact on such devices.
@@ -175,18 +174,18 @@ If you are a home user, see [Turn tamper protection on (or off) for an individua
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
-### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
+### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
-Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on.
+Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
>[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.
-> Sample Windows Defender Antivirus settings:
-> Turn off Windows Defender Antivirus
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+> Sample Microsoft Defender Antivirus settings:
+> Turn off Microsoft Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
Value DisableAntiSpyware = 0
>Turn off real-time protection
-Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\
+Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\
Value DisableRealtimeMonitoring = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
@@ -216,7 +215,7 @@ In this case, tamper protection status changes, and this feature is no longer ap
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:
@@ -234,4 +233,4 @@ No.
[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
-[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
similarity index 67%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 8f6ebb3c64..4b5dfb5cc2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Hide the Windows Defender Antivirus interface
+title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
@@ -17,17 +17,17 @@ ms.reviewer:
manager: dansimp
---
-# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
+# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
+You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
-## Hide the Windows Defender Antivirus interface
+## Hide the Microsoft Defender Antivirus interface
-In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
+In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
With the setting set to **Enabled**:
@@ -38,7 +38,7 @@ With the setting set to **Disabled** or not configured:
>[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
@@ -52,11 +52,11 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
@@ -70,14 +70,14 @@ You can prevent users from pausing scans, which can be helpful to ensure schedul
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
## Related articles
-- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
similarity index 64%
rename from windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index caea14600c..af0ed9fd05 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Monitor and report on Windows Defender Antivirus protection
+title: Monitor and report on Microsoft Defender Antivirus protection
description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
@@ -17,28 +17,28 @@ ms.reviewer:
manager: dansimp
---
-# Report on Windows Defender Antivirus
+# Report on Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
-Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2).
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index 625c85ac9a..5a30c57794 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -35,9 +35,9 @@ If Microsoft Defender Antivirus is configured to detect and remediate threats on
## Related articles
-- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-- [Review scan results](review-scan-results-windows-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+- [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index d0f31c4c8d..258b495b60 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Review Windows Defender Antivirus scan results
+# Review Microsoft Defender Antivirus scan results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
+After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
## Use Microsoft Intune to review scan results
@@ -56,7 +56,7 @@ Get-MpThreat
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to review scan results
@@ -65,5 +65,5 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
## Related articles
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
similarity index 67%
rename from windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index f36197fe0f..0d9933fc95 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Configure and run on-demand Windows Defender Antivirus scans
+# Configure and run on-demand Microsoft Defender Antivirus scans
**Applies to:**
@@ -30,7 +30,7 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
@@ -50,7 +50,7 @@ Use the following `-scan` parameter:
```DOS
mpcmdrun.exe -scan -scantype 1
```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
## Use Microsoft Intune to run a scan
@@ -61,7 +61,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
## Use the Windows Security app to run a scan
-See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
## Use PowerShell cmdlets to run a scan
@@ -70,7 +70,7 @@ Use the following cmdlet:
```PowerShell
Start-MpScan
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to run a scan
@@ -82,6 +82,6 @@ See the following for more information and allowed parameters:
## Related articles
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index b2b391a114..6dd4dadced 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Configure scheduled quick or full Windows Defender Antivirus scans
+# Configure scheduled quick or full Microsoft Defender Antivirus scans
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
-> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
+> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
-You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
@@ -41,11 +41,11 @@ To configure the Group Policy settings described in this topic:
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
## Quick scan versus full scan and custom scan
@@ -53,11 +53,11 @@ When you set up scheduled scans, you can set up whether the scan should be a ful
Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
A custom scan allows you to specify the files and folders to scan, such as a USB drive.
@@ -69,7 +69,7 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
>[!NOTE]
->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
+>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
**Use Group Policy to schedule scans:**
@@ -78,7 +78,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
@@ -92,7 +92,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule scans:**
@@ -127,7 +127,7 @@ Use the following cmdlets:
Set-MpPreference -ScanOnlyIfIdleEnabled
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -163,7 +163,7 @@ Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -200,7 +200,7 @@ Use the following cmdlets:
Set-MpPreference -ScanScheduleQuickTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule daily scans:**
@@ -217,7 +217,7 @@ See the following for more information and allowed parameters:
## Enable scans after protection updates
-You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
**Use Group Policy to schedule scans after protection updates**
@@ -232,9 +232,9 @@ Signature updates | Turn on scan after Security intelligence update | A scan wil
## Related topics
-- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
similarity index 69%
rename from windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index d04a0c0bd5..c6a20d3a13 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Specify cloud-delivered protection level in Windows Defender Antivirus
-description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
-keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,24 +23,24 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
+You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
>[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
5. On the **File Blocking Level** switch, select one of the following:
1. **High**: Applies a strong level of detection.
2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
3. **Zero tolerance**: Blocks all unknown executables.
-8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
@@ -59,10 +59,10 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
@@ -75,8 +75,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index 8b02e56f61..68ce4eebbd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Windows Defender AV event IDs and error codes
-description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
+description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus
+# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
-- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
-- [Windows Defender Antivirus client error codes](#error-codes)
-- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
+- [Microsoft Defender Antivirus client error codes](#error-codes)
+- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
> [!TIP]
> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -39,18 +39,18 @@ The tables list:
> - Potentially unwanted application blocking
-## Windows Defender Antivirus event IDs
+## Microsoft Defender Antivirus event IDs
-Windows Defender Antivirus records event IDs in the Windows event log.
+Microsoft Defender Antivirus records event IDs in the Windows event log.
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-## To view a Windows Defender Antivirus event
+## To view a Microsoft Defender Antivirus event
1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
@@ -324,7 +324,7 @@ Description of the error.
User action:
-The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Windows Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
+The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
To troubleshoot this event:
- Run the scan again.
@@ -432,7 +432,7 @@ Message:
Description:
|
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -484,7 +484,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -543,7 +543,7 @@ Message:
Description:
|
-Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
+Microsoft Defender Antivirus has restored an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -587,7 +587,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
+Microsoft Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -634,7 +634,7 @@ Message:
Description:
|
-Windows Defender Antivirus has deleted an item from quarantine.
For more information, see the following:
+Microsoft Defender Antivirus has deleted an item from quarantine.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -677,7 +677,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to delete an item from quarantine.
+Microsoft Defender Antivirus has encountered an error trying to delete an item from quarantine.
For more information, see the following:
- Name: <Threat name>
@@ -725,7 +725,7 @@ Message:
Description:
|
-Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
+Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
@@ -756,7 +756,7 @@ The antimalware platform could not delete history of malware and other potential
Description:
|
-Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
+Microsoft Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
@@ -791,7 +791,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected a suspicious behavior.
For more information, see the following:
+Microsoft Defender Antivirus has detected a suspicious behavior.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -868,7 +868,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information, see the following:
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -921,7 +921,7 @@ UAC
User action:
|
-No action is required. Windows Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.
+No action is required. Microsoft Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Microsoft Defender Antivirus interface, click Clean Computer.
|
@@ -949,7 +949,7 @@ Message:
Description:
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information, see the following:
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1010,7 +1010,7 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
NOTE:
-Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
+Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings
@@ -1049,7 +1049,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action:
|
-No action is necessary. Windows Defender Antivirus removed or quarantined a threat.
+No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
|
@@ -1076,7 +1076,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
+Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1144,7 +1144,7 @@ Description of the error.
User action:
|
-No action is necessary. Windows Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
+No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
|
@@ -1171,7 +1171,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
+Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1239,7 +1239,7 @@ Description of the error.
User action:
|
-The Windows Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
+The Microsoft Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
| Action |
@@ -1302,7 +1302,7 @@ Symbolic name:
Message:
-Windows Defender Antivirus has deduced the hashes for a threat resource.
+Microsoft Defender Antivirus has deduced the hashes for a threat resource.
|
@@ -1310,7 +1310,7 @@ Message:
Description:
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
- Current Platform Version: <Current platform version>
- Threat Resource Path: <Path>
@@ -1349,7 +1349,7 @@ Message:
Description:
|
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
- Platform Version: <Current platform version>
- Signature Version: <Definition version>
@@ -1362,7 +1362,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
User action:
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
|
@@ -1467,7 +1467,7 @@ Antivirus signature version has been updated.
User action:
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
|
@@ -1494,7 +1494,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to update signatures.
+Microsoft Defender Antivirus has encountered an error trying to update signatures.
- New security intelligence version: <New version number>
- Previous security intelligence version: <Previous version>
@@ -1541,7 +1541,7 @@ User action:
This error occurs when there is a problem updating definitions.
To troubleshoot this event:
-- Update definitions and force a rescan directly on the endpoint.
+- Update definitions and force a rescan directly on the endpoint.
- Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
- Contact Microsoft Technical Support.
@@ -1572,7 +1572,7 @@ Message:
Description:
|
-Windows Defender Antivirus engine version has been updated.
+Microsoft Defender Antivirus engine version has been updated.
- Current Engine Version: <Current engine version>
- Previous Engine Version: <Previous engine version>
@@ -1586,7 +1586,7 @@ Windows Defender Antivirus engine version has been updated.
User action:
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
|
@@ -1613,7 +1613,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to update the engine.
+Microsoft Defender Antivirus has encountered an error trying to update the engine.
- New Engine Version:
- Previous Engine Version: <Previous engine version>
@@ -1631,10 +1631,10 @@ Description of the error.
User action:
|
-The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
-- Update definitions and force a rescan directly on the endpoint.
+- Update definitions and force a rescan directly on the endpoint.
- Contact Microsoft Technical Support.
@@ -1663,7 +1663,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
- Signatures Attempted:
- Error Code: <Error code>
@@ -1680,7 +1680,7 @@ Description of the error.
User action:
|
-The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions.
+The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
- Restart the computer and try again.
@@ -1715,7 +1715,7 @@ Message:
Description:
|
-Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
+Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
- Current Platform Version: <Current platform version>
@@ -1746,7 +1746,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to update the platform.
+Microsoft Defender Antivirus has encountered an error trying to update the platform.
- Current Platform Version: <Current platform version>
- Error Code: <Error code>
@@ -1779,7 +1779,7 @@ Message:
Description:
|
-Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
+Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
- Current Platform Version: <Current platform version>
@@ -1810,7 +1810,7 @@ Message:
Description:
|
-Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -1868,7 +1868,7 @@ Message:
Description:
|
-Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
+Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -1907,7 +1907,7 @@ Windows Defender Antivirus used Dynamic Signature Service to discard obso
User action:
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
|
@@ -1935,7 +1935,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
+Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -2005,7 +2005,7 @@ Message:
Description:
|
-Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
+Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
- Current Signature Version: <Current signature version>
@@ -2036,7 +2036,7 @@ Message:
Description:
|
-Windows Defender Antivirus downloaded a clean file.
+Microsoft Defender Antivirus downloaded a clean file.
- Filename: <File name>
Name of the file.
@@ -2069,7 +2069,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to download a clean file.
+Microsoft Defender Antivirus has encountered an error trying to download a clean file.
- Filename: <File name>
Name of the file.
@@ -2088,7 +2088,7 @@ User action:
|
Check your Internet connectivity settings.
-The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
+The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
|
@@ -2114,7 +2114,7 @@ Message:
Description:
|
-Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
+Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
|
@@ -2141,7 +2141,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
+Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
- Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
@@ -2175,7 +2175,7 @@ Message:
Description:
|
-The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
|
@@ -2203,7 +2203,7 @@ Message:
Description:
|
-The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
|
@@ -2231,7 +2231,7 @@ Message:
Description:
|
-The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
|
@@ -2258,7 +2258,7 @@ Message:
Description:
-Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
+Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
- Feature: <Feature>, for example:
@@ -2272,7 +2272,7 @@ Windows Defender Antivirus Real-Time Protection feature has encountered an error
Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-- Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
+- Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
|
@@ -2282,7 +2282,7 @@ User action:
You should restart the system then run a full scan because it's possible the system was not protected for some time.
-The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
+The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
|
@@ -2310,7 +2310,7 @@ Message:
Description:
-Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
- Feature: <Feature>, for example:
@@ -2320,7 +2320,7 @@ Windows Defender Antivirus Real-time Protection has restarted a feature. It is r
- Network Inspection System
-- Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
+- Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
|
@@ -2357,7 +2357,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
|
@@ -2384,7 +2384,7 @@ Message:
Description:
|
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
|
@@ -2412,7 +2412,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection feature configuration has changed.
+Microsoft Defender Antivirus real-time protection feature configuration has changed.
- Feature: <Feature>, for example:
@@ -2450,7 +2450,7 @@ Message:
Description:
|
-Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
+Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
- Old value: <Old value number>
Old antivirus configuration value.
@@ -2482,7 +2482,7 @@ Message:
Description:
|
-Windows Defender Antivirus engine has been terminated due to an unexpected error.
+Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
- Failure Type: <Failure type>, for example:
Crash
@@ -2513,7 +2513,7 @@ To troubleshoot this event:
User action:
|
-The Windows Defender Antivirus client engine stopped due to an unexpected error.
+The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
- Run the scan again.
@@ -2548,7 +2548,7 @@ Message:
Description:
|
-Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
|
@@ -2575,7 +2575,7 @@ Message:
Description:
|
-Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
|
@@ -2601,7 +2601,7 @@ Message:
Description:
|
-Windows Defender Antivirus scanning for viruses has been enabled.
+Microsoft Defender Antivirus scanning for viruses has been enabled.
|
@@ -2629,7 +2629,7 @@ Message:
Description:
|
-Windows Defender Antivirus scanning for viruses is disabled.
+Microsoft Defender Antivirus scanning for viruses is disabled.
|
@@ -2657,10 +2657,10 @@ Message:
Description:
-Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
-- Expiration Reason: The reason Windows Defender Antivirus will expire.
-- Expiration Date: The date Windows Defender Antivirus will expire.
+- Expiration Reason: The reason Microsoft Defender Antivirus will expire.
+- Expiration Date: The date Microsoft Defender Antivirus will expire.
|
@@ -2689,7 +2689,7 @@ Message:
Description:
-Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
- Expiration Reason:
- Expiration Date:
@@ -2703,14 +2703,14 @@ Description of the error.
|
-## Windows Defender Antivirus client error codes
-If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
-This section provides the following information about Windows Defender Antivirus client errors.
+## Microsoft Defender Antivirus client error codes
+If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
+This section provides the following information about Microsoft Defender Antivirus client errors.
- The error code
- The possible reason for the error
- Advice on what to do now
-Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
+Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
@@ -2753,7 +2753,7 @@ This error indicates that there might be a problem with your security product.
| Resolution |
- Update the definitions. Either:
-- Click the Update definitions button on the Update tab in Windows Defender Antivirus.
 Or,
+ - Click the Update definitions button on the Update tab in Microsoft Defender Antivirus. Or,
- Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2785,7 +2785,7 @@ data that does not allow the engine to function properly.
| | Possible reason |
-This error indicates that Windows Defender Antivirus failed to quarantine a threat.
+This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
|
@@ -2852,7 +2852,7 @@ Follow the manual remediation steps outlined in the offline Windows Defender Antivirus article.
+Run offline Microsoft Defender Antivirus. You can read about how to do this in the offline Microsoft Defender Antivirus article.
@@ -2901,16 +2901,16 @@ Run offline Windows Defender Antivirus. You can read about how to do this in the
ERROR_MP_PLATFORM_OUTDATED
| | Possible reason |
-This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
+This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
| | Resolution |
-You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
|
+You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-The following error codes are used during internal testing of Windows Defender Antivirus.
+The following error codes are used during internal testing of Microsoft Defender Antivirus.
-If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
+If you see these errors, you can try to [update definitions](manage-updates-baselines-microsoft-defender-antivirus.md) and force a rescan directly on the endpoint.
@@ -3240,5 +3240,5 @@ This is an internal error. It might have triggered when a scan fails to complete
## Related topics
-- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
similarity index 52%
rename from windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index 2efa65178d..8abffb90b1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -16,25 +16,25 @@ ms.reviewer:
manager: dansimp
---
-# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
+# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
- You do not see any devices at all
- The reports and information you do see is outdated (older than a few days)
-For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to Update Compliance, see [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md).
+For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
There are three steps to troubleshooting these problems:
@@ -48,28 +48,23 @@ There are three steps to troubleshooting these problems:
## Confirm prerequisites
-In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus:
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus:
>[!div class="checklist"]
->- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
-> - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md).
-> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
+>- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
+> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).
+> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
-“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
-> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
-
-
-
-
-
+> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
similarity index 53%
rename from windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 84d8ca6968..266e82be31 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus with Group Policy
-description: Configure Windows Defender Antivirus settings with Group Policy
+title: Configure Microsoft Defender Antivirus with Group Policy
+description: Configure Microsoft Defender Antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,15 +17,15 @@ ms.reviewer:
manager: dansimp
---
-# Use Group Policy settings to configure and manage Windows Defender Antivirus
+# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
+You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
-In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
+In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@@ -33,7 +33,7 @@ In general, you can use the following procedure to configure or change Windows D
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
@@ -43,41 +43,41 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Article
---|---|---
-Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Network inspection system | Turn on definition retirement | Not used
Network inspection system | Turn on protocol recognition | Not used
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
@@ -85,66 +85,66 @@ Reporting | Configure time out for detections in critically failed state | Not u
Reporting | Configure time out for detections in non-critical failed state | Not used
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
-Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
+Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Root | Turn off Microsoft Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
-Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Create a system restore point | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on heuristics | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan network files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan packed executables | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan removable drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Root | Allow antimalware service to start up with normal priority | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
## Related articles
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index df5a122dda..a6ba01f23b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender Antivirus with Configuration Manager and Intune
+title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
@@ -17,15 +17,15 @@ ms.reviewer:
manager: dansimp
---
-# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
+# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans.
+If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans.
-In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus.
+In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus.
See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
@@ -34,5 +34,5 @@ For Microsoft Intune, consult the [Microsoft Intune library](https://docs.micros
## Related articles
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
similarity index 81%
rename from windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 76de6faff6..fcfc8ca38c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Use PowerShell cmdlets to configure and run Windows Defender AV
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Windows Defender Antivirus.
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Use PowerShell cmdlets to configure and manage Windows Defender Antivirus
+# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
**Applies to:**
@@ -30,15 +30,15 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Windows Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
-You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
-## Use Windows Defender Antivirus PowerShell cmdlets
+## Use Microsoft Defender Antivirus PowerShell cmdlets
1. In the Windows search bar, type **powershell**.
2. Select **Windows PowerShell** from the results to open the interface.
@@ -57,5 +57,5 @@ Omit the `-online` parameter to get locally cached help.
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index bac24170b6..73d1b7d19f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender Antivirus with WMI
+title: Configure Microsoft Defender Antivirus with WMI
description: Use WMI scripts to configure Windows Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus
+# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
**Applies to:**
@@ -27,15 +27,15 @@ Windows Management Instrumentation (WMI) is a scripting interface that allows yo
Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/library/aa394582(v=vs.85).aspx).
-Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+Microsoft Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md).
-The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts.
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Microsoft Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
-You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..6e52508bcb
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -0,0 +1,86 @@
+---
+title: Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
+keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.reviewer: shwjha
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+
+
+To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
+
+>[!NOTE]
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Microsoft Defender Antivirus in action:
+
+
+
+To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
+
+
+
+Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
+
+- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
+- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
+- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/)
+- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/)
+- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/)
+
+## Get cloud-delivered protection
+
+Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
+
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
+
+|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
+|---------|---------|---------|---------|
+|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
+|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
+|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
+|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
+|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
+|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
+
+You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
+
+
+## Tasks
+
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+
+- [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+
+- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+
+- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..a1ed7741c5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -0,0 +1,58 @@
+---
+title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
+description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
+keywords: windows defender, antivirus, third party av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.topic: article
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP).
+
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
+
+## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP
+
+| |Advantage |Why it matters |
+|--|--|--|
+|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
+|2|Threat analytics and your configuration score |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
+|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
+|10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
+
+
+## Learn more
+
+[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+
+[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
new file mode 100644
index 0000000000..35f40da2a5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
@@ -0,0 +1,7 @@
+# [Microsoft Defender Application Guard](md-app-guard-overview.md)
+
+## [System requirements](reqs-md-app-guard.md)
+## [Install WDAG](install-md-app-guard.md)
+## [Configure WDAG policies](configure-md-app-guard.md)
+## [Test scenarios](test-scenarios-md-app-guard.md)
+## [FAQ](faq-md-app-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
new file mode 100644
index 0000000000..121ed70fbe
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -0,0 +1,66 @@
+---
+title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
+description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 10/17/2017
+ms.reviewer:
+manager: dansimp
+ms.custom: asr
+---
+
+# Configure Microsoft Defender Application Guard policy settings
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
+
+Application Guard uses both network isolation and application-specific settings.
+
+## Network isolation settings
+
+These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
+
+>[!NOTE]
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
+
+
+
+|Policy name|Supported versions|Description|
+|-----------|------------------|-----------|
+|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+
+## Network isolation settings wildcards
+
+|Value|Number of dots to the left|Meaning|
+|-----|--------------------------|-------|
+|`contoso.com`|0|Trust only the literal value of `contoso.com`.|
+|`www.contoso.com`|0|Trust only the literal value of `www.contoso.com`.|
+|`.contoso.com`|1|Trust any domain that ends with the text `contoso.com`. Matching sites include `spearphishingcontoso.com`, `contoso.com`, and `www.contoso.com`.|
+|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|
+
+## Application-specific settings
+These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
+
+|Name|Supported versions|Description|Options|
+|-----------|------------------|-----------|-------|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
-Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
+|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 1e8839b354..c1bc58c4b7 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: FAQ - Windows Defender Application Guard (Windows 10)
-description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
+title: FAQ - Microsoft Defender Application Guard (Windows 10)
+description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -8,17 +8,17 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 12/04/2019
+ms.date: 06/02/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
---
-# Frequently asked questions - Windows Defender Application Guard
+# Frequently asked questions - Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
@@ -49,13 +49,13 @@ To help keep the Application Guard Edge session secure and isolated from the hos
Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
-### How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
+### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
-Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
### Which Input Method Editors (IME) in 19H1 are not supported?
-The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Windows Defender Application Guard.
+The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
@@ -83,12 +83,28 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
-### Why does my encryption driver break Windows Defender Application Guard?
+### Why does my encryption driver break Microsoft Defender Application Guard?
+
+
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+
+### Why do the Network Isolation policies in Group Policy and CSP look different?
+
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+
+Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
+Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
+For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+
+Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+
+### Why did Application Guard stop working after I turned off hyperthreading?
+
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
new file mode 100644
index 0000000000..fe4236c8cf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index e5630f24a3..8aba080ae4 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,6 +1,6 @@
---
title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
-description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
+description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,19 +14,19 @@ manager: dansimp
ms.custom: asr
---
-# Prepare to install Windows Defender Application Guard
+# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Review system requirements
-See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard.
+See [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
>[!NOTE]
->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
-## Prepare for Windows Defender Application Guard
-Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
+## Prepare for Microsoft Defender Application Guard
+Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
### Standalone mode
@@ -34,7 +34,7 @@ Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Pro edition, version 1803
-Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
+Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
## Enterprise-managed mode
@@ -54,9 +54,9 @@ Application Guard functionality is turned off by default. However, you can quick
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
- 
+ 
-2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.
+2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**.
Application Guard and its underlying dependencies are all installed.
@@ -83,7 +83,7 @@ Application Guard functionality is turned off by default. However, you can quick
### To install by using Intune
> [!IMPORTANT]
-> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
@@ -119,5 +119,5 @@ Application Guard functionality is turned off by default. However, you can quick
1. Click **Save**.
-After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
similarity index 63%
rename from windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 390bee5992..9a278e3b9b 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Application Guard (Windows 10)
-description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+title: Microsoft Defender Application Guard (Windows 10)
+description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,11 +14,11 @@ manager: dansimp
ms.custom: asr
---
-# Windows Defender Application Guard overview
+# Microsoft Defender Application Guard overview
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
+Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@@ -44,8 +44,8 @@ Application Guard has been created to target several types of systems:
|Article |Description |
|------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
-|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
-|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
-|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
-|[Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
\ No newline at end of file
+|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
+|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
+|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
+|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
+|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index ca449ea92c..5757f18c10 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: System requirements for Windows Defender Application Guard (Windows 10)
-description: Learn about the system requirements for installing and running Windows Defender Application Guard.
+title: System requirements for Microsoft Defender Application Guard (Windows 10)
+description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,17 +14,17 @@ manager: dansimp
ms.custom: asr
---
-# System requirements for Windows Defender Application Guard
+# System requirements for Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
-Your environment needs the following hardware to run Windows Defender Application Guard.
+Your environment needs the following hardware to run Microsoft Defender Application Guard.
|Hardware|Description|
|--------|-----------|
@@ -35,7 +35,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
## Software requirements
-Your environment needs the following software to run Windows Defender Application Guard.
+Your environment needs the following software to run Microsoft Defender Application Guard.
|Software|Description|
|--------|-----------|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
similarity index 85%
rename from windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index a5eebdf2a2..e2a6d3e0ec 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: Testing scenarios with Windows Defender Application Guard (Windows 10)
-description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
+title: Testing scenarios with Microsoft Defender Application Guard (Windows 10)
+description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -29,7 +29,7 @@ You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
@@ -52,7 +52,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard).
2. Restart the device and then start Microsoft Edge.
@@ -72,7 +72,7 @@ Before you can use Application Guard in enterprise mode, you must install Window
-4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
+4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting.
5. Click **Enabled**, choose Option **1**, and click **OK**.
@@ -113,7 +113,7 @@ You have the option to change each of these settings to work with your enterpris
#### Copy and paste options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
@@ -139,7 +139,7 @@ You have the option to change each of these settings to work with your enterpris
#### Print options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
@@ -151,7 +151,7 @@ You have the option to change each of these settings to work with your enterpris
#### Data persistence options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -176,7 +176,7 @@ You have the option to change each of these settings to work with your enterpris
#### Download options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -184,13 +184,13 @@ You have the option to change each of these settings to work with your enterpris
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-4. Download a file from Windows Defender Application Guard.
+4. Download a file from Microsoft Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
#### Hardware acceleration options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -206,7 +206,7 @@ You have the option to change each of these settings to work with your enterpris
#### File trust options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
@@ -220,7 +220,7 @@ You have the option to change each of these settings to work with your enterpris
#### Camera and microphone options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -234,7 +234,7 @@ You have the option to change each of these settings to work with your enterpris
#### Root certificate sharing options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index c372c8f63a..1261d7fa01 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -59,7 +59,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
Blocking is only available if your organization fulfills these requirements:
-- Uses Windows Defender Antivirus as the active antimalware solution and,
+- Uses Microsoft Defender Antivirus as the active antimalware solution and,
- The cloud-based protection feature is enabled
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index 8956d5c3a9..b5b530d85f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -25,7 +25,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
+The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 0a28ea14cd..977cd7c2dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -23,7 +23,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
+Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
@@ -54,4 +54,4 @@ Take advantage of the following functionality to write queries faster:
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 99bd62562e..8aa65eadc9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -46,7 +46,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index a039772386..7f13a487ad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -58,7 +58,7 @@ Informational (Grey) | Alerts that might not be considered harmful to the n
#### Understanding alert severity
-Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
+Microsoft Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
@@ -118,7 +118,7 @@ You can choose between showing alerts that are assigned to you or automation.
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
>[!NOTE]
->The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
+>The Microsoft Defender Antivirus filter will only appear if machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
### OS platform
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index c093fcacb7..1cd0814c99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -21,61 +21,61 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-Microsoft Defender API has an official Flow Connector with a lot of capabilities:
+Microsoft Defender API has an official Flow Connector with many capabilities.
## Usage example
-The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
-- Login to [Microsoft Flow](https://flow.microsoft.com)
+1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-- Go to: My flows > New > Automated
+2. Go to **My flows** > **New** > **Automated-from blank**.
-
+ 
-- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
-
+ 
-- Now you have a Flow that is triggered every time a new Alert occurs.
+Now you have a Flow that is triggered every time a new Alert occurs.
-All you need to do now, is to choose your next steps.
-Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
-The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+All you need to do now is choose your next steps.
+For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
+The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
-### Get the Alert entity using the connector
+### Get the Alert entity using the connector
-- Choose Microsoft Defender ATP for new step.
+1. Choose **Microsoft Defender ATP** for the new step.
-- Choose Alerts - Get single alert API.
+2. Choose **Alerts - Get single alert API**.
-- Set the Alert Id from the last step as Input.
+3. Set the **Alert ID** from the last step as **Input**.
-
+ 
### Isolate the machine if the Alert's severity is High
-- Add **Condition** as a new step .
+1. Add **Condition** as a new step.
-- Check if Alert severity equals to **High**.
+2. Check if the Alert severity **is equal to** High.
-- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+ If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
-
+ 
-Now you can add a new step for mailing about the Alert and the Isolation.
-There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
-Save your flow and that's all.
+3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
-- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
+4. Save your flow.
+
+You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 95aaddc7ab..2ec8ca9023 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -46,7 +46,7 @@ Field numbers match the numbers in the images below.
> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
index 03366d39ad..ffa10fbfc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -83,7 +83,7 @@ From within Microsoft Defender ATP, you can update your defenses with custom ind
## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
-Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
+Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
## Do ASR rules cover all applications by default?
@@ -131,4 +131,4 @@ Enabling this rule will not provide additional protection if you have [LSA prote
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 0ca49f4b35..89b074632e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -251,7 +251,7 @@ This rule blocks the following file types from launching unless they meet preval
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -272,7 +272,7 @@ GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
@@ -405,4 +405,4 @@ GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index 8441d9b8c8..a04fe5d589 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -35,7 +35,7 @@ The action center consists of two main tabs: **Pending actions** and **History**
- Remediation actions that were taken as a result of an automated investigation
- Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
- - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone)
+ - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone)
Use the **Customize columns** menu to select columns that you'd like to show or hide.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 9ab72ae669..3d719200bc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -34,7 +34,7 @@ Behavioral blocking and containment capabilities can help identify and stop thre
Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing.
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
@@ -54,7 +54,7 @@ The following image shows an example of an alert that was triggered by behaviora
- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
-- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
index 317b858f36..19fabebbdf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -34,7 +34,7 @@ Antivirus protection works best when paired with cloud protection.
## How client behavioral blocking works
-[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
@@ -77,7 +77,7 @@ If your organization is using Microsoft Defender ATP, client behavioral blocking
- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index ae36af69a0..50726aa946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -28,7 +28,7 @@ You can configure attack surface reduction with a number of tools, including:
Article | Description
-|-
-[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
+[Enable hardware-based isolation for Microsoft Edge](../microsoft-defender-application-guard/install-md-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
index dec845f1d0..34b72d6438 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@@ -29,13 +29,15 @@ ms.topic: article
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
-You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see:
+- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements)
+- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements).
## Onboarding non-Windows machines
You'll need to take the following steps to onboard non-Windows machines:
1. Select your preferred method of onboarding:
- - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac).
+ - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index a91141c30b..f0c6bf839a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -33,12 +33,12 @@ Before you can deploy and track compliance to security baselines:
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
-The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
+The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
-Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
@@ -100,4 +100,4 @@ Machine configuration management monitors baseline compliance only of Windows 10
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 90ad7896eb..c910870e7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -117,7 +117,7 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net```
```automatedirstrprdcus.blob.core.windows.net```
```automatedirstrprdeus.blob.core.windows.net```
> [!NOTE]
-> If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus
+> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index cc9b6af753..6893fc8c8d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -172,7 +172,7 @@ Support for Windows Server, provide deeper insight into activities happening on
```sc.exe query Windefend```
- If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+ If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 9cb8182798..d33c9a2195 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -45,7 +45,7 @@ Controlled folder access is supported on Windows 10, version 1709 and later and
## Requirements
-Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
## Review controlled folder access events in the Microsoft Defender ATP Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index b2fc09e758..fcfeb45219 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -79,7 +79,7 @@ Your custom detection rule can automatically take actions on files or machines t
These actions are applied to machines in the `DeviceId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
-- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
+- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on files
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 9540fd0ce6..a7c6223e18 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -48,7 +48,7 @@ An exclusion applies to all rules that allow exclusions. You can specify an indi
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
@@ -77,7 +77,7 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 3216d16b87..858060526b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -43,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
@@ -63,7 +63,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
@@ -117,7 +117,7 @@ An allowed application or service only has write access to a controlled folder a
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
index eec05ff19b..2769a45bcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
+> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Microsoft Defender ATP collect?
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
index a8b1269d9c..5421596f11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Antivirus compatibility with Microsoft Defender ATP
+title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
@@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
-# Windows Defender Antivirus compatibility with Microsoft Defender ATP
+# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
**Applies to:**
@@ -30,17 +30,17 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
-The Microsoft Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
+The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
>[!IMPORTANT]
->Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
+>Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
+If an onboarded machine is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
+The Microsoft Defender Antivirus interface will be disabled, and users on the machine will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 942f37ced7..af6a7cbb1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -61,9 +61,9 @@ The following image shows an instance of unwanted software that was detected and
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
-|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
+|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features.
@@ -73,11 +73,11 @@ The following image shows an instance of unwanted software that was detected and
### Will EDR in block mode have any impact on a user's antivirus protection?
-No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
+No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
-### Why do I need to keep Windows Defender Antivirus up to date?
+### Why do I need to keep Microsoft Defender Antivirus up to date?
-Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date.
+Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
### Why do we need cloud protection on?
@@ -87,5 +87,5 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio
[Behavioral blocking and containment](behavioral-blocking-containment.md)
-[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index e31b0b4fc7..2506f2934b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -12,14 +12,14 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/20/2020
+ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
# Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
@@ -27,22 +27,22 @@ manager: dansimp
Each ASR rule contains one of three settings:
-* Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
+- Not configured: Disable the ASR rule
+- Block: Enable the ASR rule
+- Audit: Evaluate how the ASR rule would impact your organization if enabled
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
> [!TIP]
> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
You can enable attack surface reduction rules by using any of these methods:
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [Microsoft Intune](#intune)
+- [Mobile Device Management (MDM)](#mdm)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
@@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
+You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
+
> [!IMPORTANT]
> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
@@ -57,7 +59,7 @@ You can exclude files and folders from being evaluated by most attack surface re
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
@@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
- *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
+ `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
@@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
The values to enable, disable, or enable in audit mode are:
-* Disable = 0
-* Block (enable ASR rule) = 1
-* Audit = 2
+- Disable = 0
+- Block (enable ASR rule) = 1
+- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-Value: c:\path|e:\path|c:\Whitelisted.exe
+`Value: c:\path|e:\path|c:\Whitelisted.exe`
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
@@ -103,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
-1. Choose which rules will block or audit actions and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+
+2. Click **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+
+4. Choose which rules will block or audit actions and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
## Group Policy
@@ -118,17 +125,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
- * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+ Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- * Disable = 0
- * Block (enable ASR rule) = 1
- * Audit = 2
+ - Disable = 0
+ - Block (enable ASR rule) = 1
+ - Audit = 2
- 
+ 
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
@@ -169,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
> ```
- You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+ You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
> [!WARNING]
> `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
- > You can obtain a list of rules and their current state by using `Get-MpPreference`
+ > You can obtain a list of rules and their current state by using `Get-MpPreference`.
3. To exclude files and folders from ASR rules, use the following cmdlet:
@@ -186,9 +193,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> [!IMPORTANT]
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
-## Related topics
+## Related articles
+
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index f78270d508..dc345b0974 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -38,10 +38,10 @@ You can enable controlled folder access by using any of these methods:
Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-* Windows Defender Antivirus **Configure local administrator merge behavior for lists**
+* Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
* System Center Endpoint Protection **Allow users to add exclusions and overrides**
-For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
## Windows Security app
@@ -95,7 +95,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
* **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index 2322ed9300..298ace459d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -102,7 +102,7 @@ You can use the following procedure to enable network protection on domain-joine
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
* **Block** - Users will not be able to access malicious IP addresses and domains
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index d548e9bede..bbcbd77dcc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -34,14 +34,14 @@ These capabilities help prevent attacks and exploitations from infecting your or
- [Evaluate exploit protection](./evaluate-exploit-protection.md)
- [Evaluate network protection](./evaluate-exploit-protection.md)
- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
-- [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+- [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
## Evaluate next generation protection
Next gen protections help detect and block the latest threats.
-- [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+- [Evaluate antivirus](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
## See Also
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 83b638059c..4685d38d83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -107,16 +107,16 @@ The machine will automatically be onboarded to your tenant with the recommended
The following security components are pre-configured in the test machines:
- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
-- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
- [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)
- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
-- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)
-- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
+- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
+- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)
- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
>[!NOTE]
-> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+> Microsoft Defender Antivirus will be on (not in audit). If Microsoft Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 2fe02c746b..aa9e94343c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.
17 |
Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable. |
An error occurred with the Windows telemetry service. |
-Ensure the diagnostic data service is enabled.
+ | Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines. |
@@ -198,8 +198,8 @@ See Onboard Windows 10 machines.
Ensure real-time antimalware protection is running properly.
@@ -208,7 +208,7 @@ Ensure real-time antimalware protection is running properly.
28 |
Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable. |
An error occurred with the Windows telemetry service. |
-Ensure the diagnostic data service is enabled.
+ | Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines. |
@@ -220,8 +220,8 @@ See Onboard Windows 10 machines
Ensure real-time antimalware protection is running properly.
@@ -249,7 +249,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34 |
Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable. |
An error occurred with the Windows telemetry service. |
-Ensure the diagnostic data service is enabled.
+ | Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 machines. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
index d4be39d220..7f62a2a426 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -30,7 +30,7 @@ Feedback-loop blocking, also referred to as rapid protection, is a component of
## How feedback-loop blocking works
-When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
+When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
@@ -47,7 +47,7 @@ If your organization is using Microsoft Defender ATP, feedback-loop blocking is
- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index d34f5a6332..5c7423def3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -82,8 +82,8 @@ Follow theses actions to correct known issues related to a misconfigured machine
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
-- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
+- [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
+If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 33337c0f38..f150156c0e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -26,7 +26,7 @@ ms.topic: article
## API description
Retrieves a collection of Alerts.
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 7e0983fb5f..c5927c9a88 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -56,7 +56,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-
+
Select the type of exclusion that you wish to add and follow the prompts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index f1928bc4d1..ebaa93dac7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -51,20 +51,20 @@ To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- 
+ 
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
- 
+ 
> [!IMPORTANT]
> You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
- 
+ 
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
- 
+ 
The installation proceeds.
@@ -100,7 +100,7 @@ The installation proceeds.
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
- 
+ 
## How to Allow Full Disk Access
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 08235662b7..cf50d3ac04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -63,7 +63,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
- 
+ 
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
@@ -110,11 +110,11 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
1. Confirm device management.
-
+
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
-
+
2. Select **Continue** and complete the enrollment.
@@ -122,7 +122,7 @@ You may now enroll more devices. You can also enroll them later, after you have
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
+
## Create System Configuration profiles
@@ -131,7 +131,7 @@ You may now enroll more devices. You can also enroll them later, after you have
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
- 
+ 
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
@@ -306,7 +306,7 @@ You may now enroll more devices. You can also enroll them later, after you have
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
+
## Publish application
@@ -322,38 +322,38 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
- 
+ 
7. Select **OK** and **Add**.
- 
+ 
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
- 
+ 
9. Change **Assignment type** to **Required**.
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
- 
+ 
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
- 
+ 
## Verify client device state
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- 
- 
+ 
+ 
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- 
+ 
3. You should also see the Microsoft Defender icon in the top-right corner:
- 
+ 
## Troubleshooting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index da29d3b4a2..32d0727488 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -65,7 +65,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
- 
+ 
6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
@@ -108,7 +108,7 @@ To approve the kernel extension:
1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
2. Use **UBF8T346G9** for Team Id.
- 
+ 
### Privacy Preferences Policy Control
@@ -124,7 +124,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT
3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`.
4. Set app or service to SystemPolicyAllFiles and access to Allow.
- 
+ 
#### Configuration Profile's Scope
@@ -132,7 +132,7 @@ Configure the appropriate scope to specify the devices that will receive the con
Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target.
-
+
Save the **Configuration Profile**.
@@ -152,7 +152,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific
1. Create a package in **Settings > Computer Management > Packages**.
- 
+ 
2. Upload the package to the Distribution Point.
3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_.
@@ -161,7 +161,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific
Your policy should contain a single package for Microsoft Defender.
-
+
Configure the appropriate scope to specify the computers that will receive this policy.
@@ -176,12 +176,12 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA
- Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
- 
- 
+ 
+ 
After a moment, the device's User Approved MDM status will change to **Yes**.
- 
+ 
You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages.
@@ -196,17 +196,17 @@ You can monitor deployment status in the **Logs** tab:
- **Pending** means that the deployment is scheduled but has not yet happened
- **Completed** means that the deployment succeeded and is no longer scheduled
-
+
### Status on client device
After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**.
-
+
Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.
-
+
You can monitor policy installation on a device by following the JAMF log file:
@@ -279,12 +279,12 @@ This script removes Microsoft Defender ATP from the /Applications directory:
echo "Done!"
```
-
+
### Policy
Your policy should contain a single script:
-
+
Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index bda42ad846..f7626685ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -87,6 +87,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index bbf4825f45..04021812ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -29,7 +29,7 @@ Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
- 
+ 
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
@@ -56,7 +56,7 @@ If less than 30 minutes have passed since the product was installed, navigate to
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
-
+
In this case, you need to perform the following steps to trigger the approval flow again.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 3d1a203e82..fccc1b4442 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -37,7 +37,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**.
- 
+ 
- From the Terminal. For security purposes, this operation requires elevation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 33e4268575..782c6a98e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -27,7 +27,7 @@ Microsoft regularly publishes software updates to improve performance, security,
To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
-
+
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index adc8b53f70..e2f2b119a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -61,7 +61,7 @@ The report is made up of cards that display the following machine attributes:
- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
-- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus.
+- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Microsoft Defender Antivirus.
- **OS platforms**: shows the distribution of OS platforms that exists within your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index e570e0634a..f243b53767 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -53,7 +53,13 @@ The risk level reflects the overall risk assessment of the machine based on a co
### Exposure level
-The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations.
+The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation.
+
+If the exposure level says "No data available," there are a few reasons why this may be the case:
+
+- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed
+- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md)
+- Device with stale agent (very unlikely)
### OS Platform
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 3c7b1fa724..531278a14a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -76,7 +76,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
* URL - wildcard supported
* Command line - wildcard supported
-3. Select the **Trigerring IOC**.
+3. Select the **Triggering IOC**.
4. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index 6c323a4a7a..e3e6a5d05e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -70,7 +70,7 @@ There are two ways you can create indicators for files:
### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
@@ -160,7 +160,7 @@ You can create indicators for certificates. Some common use cases include:
It's important to understand the following requirements prior to creating indicators for certificates:
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
- The virus and threat protection definitions must be up-to-date.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 8f19799fd0..eb5b02f1ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -87,7 +87,7 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index baef5fe6ab..3bbf64e500 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -40,15 +40,23 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
+> [!NOTE]
+> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
+
+Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
+
+- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
+- Microsoft Defender ATP for Servers (one per covered Server)
+
+> [!NOTE]
+> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
+
For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
-For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
-
-
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
@@ -165,25 +173,25 @@ For more information on additional proxy configuration settings, see [Configure
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-## Windows Defender Antivirus configuration requirement
-The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
+## Microsoft Defender Antivirus configuration requirement
+The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
-You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
+When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
-If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
> [!NOTE]
-> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
+## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
+If you're running Microsoft Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 26080c90cd..874368fd85 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -46,9 +46,9 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
-Windows 10 version | Windows Defender Antivirus
+Windows 10 version | Microsoft Defender Antivirus
-|-
-Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
## Review network protection events in the Microsoft Defender ATP Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 5b7477d473..30538a9a58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -34,7 +34,8 @@ Offboard machine from Microsoft Defender ATP.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
>[!Note]
-> This does not support offboarding macOS Devices.
+> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
+> This API is not supported on MacOS or Linux devices.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 51d5efdc49..b1e6285e7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -34,7 +34,7 @@
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
-### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+### [Next generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
### [Endpoint detection and response]()
@@ -72,7 +72,7 @@
###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines)
-###### [Run Windows Defender Antivirus scan on machines](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
@@ -158,7 +158,7 @@
###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+##### [Evaluate next generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
### [Access the Microsoft Defender Security Center Community Center](community.md)
@@ -204,95 +204,95 @@
### [Configure next generation protection]()
-#### [Configure Windows Defender Antivirus features](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection]()
-##### [Understand cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
#### [Configure behavioral, heuristic, and real-time protection]()
-##### [Configuration overview](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-#### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
#### [Antivirus compatibility]()
-##### [Compatibility charts](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic antivirus scanning](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
#### [Deploy, manage updates, and report on antivirus]()
-##### [Using Windows Defender Antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
##### [Deploy and enable antivirus]()
-###### [Preparing to deploy](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
##### [Report on antivirus protection]()
-###### [Review protection status and aqlerts](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md)
+###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md)
##### [Manage updates and apply baselines]()
-###### [Learn about the different kinds of updates](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and Security intelligence updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation]()
-##### [Configuration overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
-#### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
#### [Manage antivirus in your business]()
-##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage antivirus](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage antivirus](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
#### [Manage scans and remediation]()
-##### [Management overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-##### [Configure scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
-##### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
+##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
#### [Manage next generation protection in your business]()
-##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use Group Policy settings to manage next generation protection](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to manage next generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage next generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
@@ -525,4 +525,4 @@
#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
-### [Troubleshoot next generation protection issues](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+### [Troubleshoot next generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 5ac688bcec..8e7680a3be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -51,7 +51,7 @@ Microsoft Defender ATP integrates with System Center Endpoint Protection to prov
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud)
+- Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index c304bcfd54..37c447d3fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
+[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 5d98e6652f..2fb1181ee0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -234,7 +234,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
needs on how Antivirus is configured.
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+ [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 2b029e2725..e949cd7986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -33,12 +33,12 @@ Help reduce your attack surfaces, by minimizing the places where your organizati
Article | Description
-|-
-[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus).
-[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus).
+[Hardware-based isolation](../microsoft-defender-application-guard/md-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus)
+[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus)
[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content.
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus)
[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 344d125399..7b7ae31f81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -25,6 +25,6 @@ Hardware-based isolation helps protect system integrity in Windows 10 and is int
| Feature | Description |
|------------|-------------|
-| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
+| [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
| [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index db2e81192e..d14ef73895 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -42,7 +42,7 @@ When you open the portal, you'll see:
> [!NOTE]
-> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
+> Malware related detections will only appear if your machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
@@ -81,7 +81,7 @@ Icon | Description
| Not remediated – Threat not removed from the machine.
| Indicates events that triggered an alert in the **Alert process tree**.
| Machine icon
-| Windows Defender Antivirus events
+| Microsoft Defender Antivirus events
| Windows Defender Application Guard events
| Windows Defender Device Guard events
| Windows Defender Exploit Guard events
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 83b69c2140..343d68bc0f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -172,7 +172,7 @@ how the endpoint security suite should be enabled.
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). |3 |
+| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 3e320c90a9..fc6cb7176a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -145,7 +145,7 @@ Appendix section in this document for the URLs Whitelisting or on
Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
> [!NOTE]
-> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus).
+> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
**Manual static proxy configuration:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 5989682e15..408df1d9a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -62,7 +62,7 @@ You can contain an attack in your organization by stopping the malicious process
>
> - The machine you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
@@ -136,7 +136,7 @@ You can prevent further propagation of an attack in your organization by banning
>[!IMPORTANT]
>
->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
>
>- The Antimalware client version must be 4.18.1901.x or later.
>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index a6b23d0ed7..8fbea48837 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -110,13 +110,13 @@ The package contains the following folders:
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
-## Run Windows Defender Antivirus scan on machines
+## Run Microsoft Defender Antivirus scan on machines
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
>[!IMPORTANT]
>- This action is available for machines on Windows 10, version 1709 or later.
->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+>- A Microsoft Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.
@@ -130,7 +130,7 @@ In addition to containing an attack by stopping malicious processes, you can als
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
-> - This feature is available if your organization uses Windows Defender Antivirus.
+> - This feature is available if your organization uses Microsoft Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index 10a0f81607..3df06ec29a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -24,7 +24,7 @@ ms.topic: article
## API description
-Initiate Windows Defender Antivirus scan on a machine.
+Initiate Microsoft Defender Antivirus scan on a machine.
## Limitations
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
index e473635682..2dfdb89168 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
@@ -39,7 +39,7 @@ Run antivirus scan | Remotely initiate an antivirus scan to help identify and re
Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
Request sample | Run this call to request a sample of a file from a specific machine. The file will be collected from the machine and uploaded to a secure storage.
Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Windows Defender Antivirus.
+Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
Get package SAS URI | Run this to get a URI that allows downloading an investigation package.
Get MachineAction object | Run this to get MachineAction object.
Get MachineActions collection | Run this to get MachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index ed130a1720..5c669d24fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -46,9 +46,9 @@ Attack surface reduction rules will only work on devices with the following cond
- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index 31804e546b..ea417b545a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -42,7 +42,7 @@ See the topic [Review events and errors using Event Viewer](event-error-codes.md
If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
-For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
## Known issues with regional formats
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 9c2e5cfdff..2ee2db32a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -43,9 +43,9 @@ Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
+> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
## Use audit mode
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index 7d6e7647cc..c8c682d83f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -71,7 +71,7 @@ Event ID | Error Type | Resolution steps
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
-15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
+15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
@@ -131,7 +131,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection)
-- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
+- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the machine event log
@@ -244,7 +244,7 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
-### Ensure that Windows Defender Antivirus is not disabled by a policy
+### Ensure that Microsoft Defender Antivirus is not disabled by a policy
**Problem**: The Microsoft Defender ATP service does not start after onboarding.
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
@@ -267,7 +267,7 @@ If the verification fails and your environment is using a proxy to connect to th
1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
2. Ensure that the value ```DisableAntiSpyware``` is not present.
- 
+ 
## Troubleshoot onboarding issues on a server
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 7153eaffb1..7ac4761b32 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -58,7 +58,7 @@ Once you are in the Software inventory page and have opened the flyout panel by
## Software evidence
-We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
+We now show evidence of where we detected a specific software on a machine from the registry, disk or both.
You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
@@ -86,4 +86,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index caa1caf419..963c08c5ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -63,7 +63,7 @@ For more information preview features, see [Preview features](https://docs.micro
## September 2019
-- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
+- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
@@ -127,10 +127,10 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Windows Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
+ - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
@@ -166,9 +166,9 @@ You can now block untrusted processes from writing to disk sectors using Control
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
+ Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 973fe53199..f13b6bff37 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -51,7 +51,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites
- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
-- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index e5fa9cb4bc..6356278506 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -61,7 +61,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
-| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
+| **Microsoft Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox antimalware solution. Microsoft Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
| **UEFI Secure Boot**
helps protect
the platform from
boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
@@ -88,23 +88,23 @@ For Windows 10, Microsoft improved SmartScreen (now called Windows Defender Sma
For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
+Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
-- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.
+- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
-- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
+- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
+- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
+- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution.
-For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server).
+For more information, see [Windows Defender in Windows 10](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server).
For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index 3aa61ca9b4..1c74391497 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 06/27/2019
+ms.date: 05/29/2020
---
# Domain member: Maximum machine account password age
@@ -42,8 +42,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
-1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
-2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
+We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 7917efbce4..b57e36e03e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -20,18 +20,18 @@ ms.date: 04/19/2017
# Minimum password length
**Applies to**
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
## Reference
-The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
+The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 20 characters, or you can establish that no password is required by setting the number of characters to 0.
### Possible values
-- User-specified number of characters between 0 and 14
-- Not defined
+- User-specified number of characters between 0 and 20
+- Not defined
### Best practices
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 7 characters|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | 0 characters|
-| Domain controller effective default settings | 7 characters|
-| Member server effective default settings | 7 characters|
-| Effective GPO default settings on client computers | 0 characters|
-
+| Default domain policy| 7 characters|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | 0 characters|
+| Domain controller effective default settings | 7 characters|
+| Member server effective default settings | 7 characters|
+| Effective GPO default settings on client computers | 0 characters|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -80,8 +80,9 @@ Configure the **** policy setting to a value of 8 or more. If the number of char
In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack.
->**Note:** Some jurisdictions have established legal requirements for password length as part of establishing security regulations.
-
+> [!NOTE]
+> Some jurisdictions have established legal requirements for password length as part of establishing security regulations.
+
### Potential impact
Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 5f46ca3685..f5a0e5c08f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -22,6 +22,7 @@ ms.author: dansimp
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 56613b0b02..2e91b3b1b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -43,7 +43,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
### Best practices
-- Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
+- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
### Location
@@ -84,11 +84,11 @@ Unsigned network traffic is susceptible to man-in-the-middle attacks in which an
### Countermeasure
-Configure the **Network security: LDAP server signing requirements** setting to **Require signature**.
+Configure the **Network security: LDAP client signing requirements** setting to **Require signing**.
### Potential impact
-If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.
+If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**.
## Related topics
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 017b3050a2..387aca9327 100644
--- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -20,7 +20,7 @@ ms.author: dansimp
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so.
-Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
@@ -189,7 +189,7 @@ We recommend customers that have not yet installed the security update [MS17-010
- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
-[Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
+[Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Microsoft Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
deleted file mode 100644
index c69288aada..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Manage Windows Defender in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
-keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Manage Windows Defender Antivirus in your business
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can manage and configure Windows Defender Antivirus with the following tools:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-- The mpcmdrun.exe utility
-
-The articles in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
-
-## In this section
-
-Article | Description
----|---
-[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
-[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
-[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
-[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
-[Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
deleted file mode 100644
index e0805ca3fb..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Set up exclusions for Windows Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/12/2020
-ms.reviewer:
-manager: dansimp
----
-
-# Configure and validate exclusions for Windows Defender Antivirus scans
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-
->[!WARNING]
->Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
-
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
-
-## Related articles
-
-[Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
deleted file mode 100644
index 5f0b5efdbe..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Remediate and resolve infections detected by Windows Defender Antivirus
-description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords: remediation, fix, remove, threats, quarantine, scan, restore
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Configure remediation for Windows Defender Antivirus scans
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
-
-This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-
-You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
-
-## Configure remediation options
-
-You can configure how remediation works with the Group Policy settings described in this section.
-
-To configure these settings:
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
-
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
-Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
-Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
-Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
-Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
-Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
-
-> [!IMPORTANT]
-> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
->
-> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md).
->
-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md).
-
-Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings.
-
-## Related topics
-
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
deleted file mode 100644
index 86857fc378..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Configure Windows Defender Antivirus features
-description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
-keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Configure Windows Defender Antivirus features
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can configure Windows Defender Antivirus with a number of tools, including:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-
-The following broad categories of features can be configured:
-
-- Cloud-delivered protection
-- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
-- How end-users interact with the client on individual endpoints
-
-The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
-
-You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
-
-## In this section
-Topic | Description
-:---|:---
-[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
-[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
-[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
deleted file mode 100644
index 3162bb5114..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans.
-
-## In this section
-
-Topic | Description
----|---
-[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
deleted file mode 100644
index bf74b6893b..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Deploy and enable Windows Defender Antivirus
-description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
-keywords: deploy, enable, Windows Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Deploy and enable Windows Defender Antivirus
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection.
-
-See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-
-Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-
-The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
-
-## Related topics
-
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
deleted file mode 100644
index f9457d3f21..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
+++ /dev/null
@@ -1,68 +0,0 @@
-
-# [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-
-## [Windows Defender AV in the Microsoft Defender Security Center app](windows-defender-security-center-antivirus.md)
-
-## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
-
-## [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md)
-### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-windows-defender-antivirus.md)
-
-
-## [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
-
-
-## [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
-#### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
-### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
-#### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
-### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-#### [Manage protection and Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-#### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-
-## [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
-### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-#### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
-#### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
-#### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
-#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
-#### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-
-
-## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
-### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-### [Configure and run scans](run-scan-windows-defender-antivirus.md)
-### [Review scan results](review-scan-results-windows-defender-antivirus.md)
-### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
-
-
-## [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
-
-
-
-## [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
-### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
-### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
-### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
-### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
deleted file mode 100644
index 4bf7025062..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
-description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
-keywords: windows defender antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer: shwjha
-manager: dansimp
-ms.custom: nextgen
----
-
-# Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-
-
-To take advantage of the power and speed of these next-generation technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
-
->[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
-
-
-
-To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
-
-
-
-Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
-
-- [Why Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
-- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
-- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/)
-- [Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/)
-- [Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/)
-
-## Get cloud-delivered protection
-
-Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
-
-Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
-
-|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
-|---------|---------|---------|---------|
-|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
-|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
-|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
-|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
-|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
-|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
-
-You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
-
-
-## Tasks
-
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
-
-- [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
-
-- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-
-- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
-
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md). Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
deleted file mode 100644
index bfca4b0430..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: "Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
-description: "For best results, use Windows Defender Antivirus together with your other Microsoft offerings."
-keywords: windows defender, antivirus, third party av
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP).
-
-Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
-
-## 11 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
-
-| |Advantage |Why it matters |
-|--|--|--|
-|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your configuration score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
-|3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
-|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
-|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
-|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
-|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
-|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
-|10|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
-
-
-## Learn more
-
-[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
-
-[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
deleted file mode 100644
index c758cea607..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Windows Defender Antivirus compatibility with other security products
-description: Windows Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
-keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender Antivirus compatibility
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Overview
-
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
-- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Windows Defender Antivirus automatically goes into disabled mode.
-- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Windows Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
-
-## Antivirus and Microsoft Defender ATP
-
-The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
-
-
-| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
-|------|------|-------|-------|
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
-| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
-| Windows 10 | Windows Defender Antivirus | No | Active mode |
-| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
-| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
-| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode |
-| Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode |
-
-(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
-
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: ForceDefenderPassiveMode
-- Value: 1
-
-See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
-
-> [!IMPORTANT]
-> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
->
-> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
->
-> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
-
-## Functionality and features available in each state
-
-The following table summarizes the functionality and features that are available in each state:
-
-|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
-|--|--|--|--|--|--|
-|Active mode
|Yes |No |Yes |Yes |Yes |
-|Passive mode |No |No |Yes |No |Yes |
-|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
-|Automatic disabled mode |No |Yes |No |No |No |
-
-- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
-- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
-- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
-
-## Keep the following points in mind
-
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-
-When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
-
-In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
-
-> [!WARNING]
-> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
-
-
-## Related topics
-
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
-- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
deleted file mode 100644
index 79ba16ef12..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
-keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 02/25/2020
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
----
-
-# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-
-**Applies to:**
-
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Windows Defender Antivirus: Your next-generation protection
-
-Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
-
-- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-windows-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
-- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
-- [Dedicated protection and product updates](manage-updates-baselines-windows-defender-antivirus.md). This includes updates related to keeping Windows Defender Antivirus up to date.
-
-## Try a demo!
-
-Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
-- Cloud-delivered protection
-- Block at first sight (BAFS) protection
-- Potentially unwanted applications (PUA) protection
-
-## Minimum system requirements
-
-Windows Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
-
-- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
-
-## Configure next-generation protection services
-
-For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md).
-
-> [!Note]
-> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md).
-
-## Related articles
-
-- [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md)
-
-- [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
deleted file mode 100644
index b8fbc245ce..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-title: Windows Defender Offline in Windows 10
-description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
-keywords: scan, defender, offline
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Run and review the results of a Windows Defender Offline scan
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
-
-You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
-
-In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-
-## prerequisites and requirements
-
-Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
-
-For more information about Windows 10 requirements, see the following topics:
-
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
-
-> [!NOTE]
-> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
-
-To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
-
-## Windows Defender Offline updates
-
-Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
-
-> [!NOTE]
-> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
-
-See the [Manage Windows Defender Antivirus Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information.
-
-## Usage scenarios
-
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
-
-The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
-
-The prompt can occur via a notification, similar to the following:
-
-
-
-The user will also be notified within the Windows Defender client:
-
-
-
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
-
-Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
-
-
-## Configure notifications
-
-
-Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications.
-
-For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic.
-
-## Run a scan
-
-> [!IMPORTANT]
-> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
-
-You can run a Windows Defender Offline scan with the following:
-
-- PowerShell
-- Windows Management Instrumentation (WMI)
-- The Windows Security app
-
-
-
-### Use PowerShell cmdlets to run an offline scan
-
-Use the following cmdlets:
-
-```PowerShell
-Start-MpWDOScan
-```
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to run an offline scan
-
-Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
-
-The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
-
-```WMI
-wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
-```
-
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-### Use the Windows Defender Security app to run an offline scan
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
-
-
-3. Select **Windows Defender Offline scan** and click **Scan now**.
-
-
- > [!NOTE]
- > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
-
-
-## Review scan results
-
-Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
-
-
-## Related articles
-
-- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index e702402c80..ebb66d445a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/14/2019
+ms.date: 05/29/2020
---
# Manage Packaged Apps with Windows Defender Application Control
@@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in
1. Get the app identifier for an installed package
```powershell
- $package = Get-AppxPackage -name
+ $package = Get-AppxPackage -name **
```
+ Where the name of the app is surrounded by asterisks, for example *windowsstore*
+
2. Make a rule by using the New-CIPolicyRule cmdlet
```powershell
@@ -119,9 +121,9 @@ If the app you intend to block is not installed on the system you are using the
3. Copy the GUID in the URL for the app
- Example: the GUID for the Microsoft To-Do app is 9nblggh5r558
- - https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
+ - `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab`
4. Use the GUID in the following REST query URL to retrieve the identifiers for the app
- - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata
+ - Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata`
- The URL will return:
```
@@ -141,4 +143,4 @@ The method for allowing specific packaged apps is similar to the method outlined
$Rule = New-CIPolicyRule -Package $package -allow
```
-Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
+Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 1fe1a3c6b0..54d8ea8492 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -62,7 +62,7 @@ Organizations with well-defined, centrally-managed app management and deployment
| - | - |
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
-| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Windows Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
+| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed?
diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
deleted file mode 100644
index 9e42b2b691..0000000000
--- a/windows/security/threat-protection/windows-defender-application-guard/TOC.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# [Windows Defender Application Guard](wd-app-guard-overview.md)
-
-## [System requirements](reqs-wd-app-guard.md)
-## [Install WDAG](install-wd-app-guard.md)
-## [Configure WDAG policies](configure-wd-app-guard.md)
-## [Test scenarios](test-scenarios-wd-app-guard.md)
-## [FAQ](faq-wd-app-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 5020c63596..61bdb73f63 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -1,6 +1,6 @@
---
-title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
-description: Learn about the available Group Policy settings for Windows Defender Application Guard.
+title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
+description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,12 +14,12 @@ manager: dansimp
ms.custom: asr
---
-# Configure Windows Defender Application Guard policy settings
+# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
+Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
Application Guard uses both network isolation and application-specific settings.
@@ -36,7 +36,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
-|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Proxies should be added to this list. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
## Network isolation settings wildcards
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index d84d263388..cb2c999276 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -34,7 +34,7 @@ You can add information about your organization in a contact card to the Windows
-This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus).
+This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 27bf7e7c31..c215717a36 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -36,7 +36,7 @@ In some cases, it may not be appropriate to show these notifications, for exampl
There are two levels to hiding notifications:
-1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus ran in the past week
+1. Hide non-critical notifications, such as regular updates about the number of scans Microsoft Defender Antivirus ran in the past week
2. Hide all notifications
If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting will have no effect.
@@ -111,35 +111,35 @@ This can only be done in Group Policy.
| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |
-| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Windows Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
-| Remediation failure | Windows Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
-| Follow-up action (restart & scan) | Windows Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
-| Follow-up action (restart) | Windows Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
-| Follow-up action (Full scan) | Windows Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
-| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Windows Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
-| OS support ending warning | Support for your version of Windows is ending. When this support ends, Windows Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
-| OS support ended, device at risk | Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
-| Summary notification, items found | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
-| Summary notification, items found, no scan count | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
-| Summary notification, **no** items found, scans performed | Windows Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
-| Summary notification, **no** items found, no scans | Windows Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
-| Scan finished, manual, threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
-| Scan finished, manual, **no** threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
-| Threat found | Windows Defender Antivirus found threats. Get details. | CRITICAL | No |
-| LPS on notification | Windows Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
+| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
+| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
+| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
+| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
+| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
+| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
+| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
+| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
+| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
+| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
+| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
+| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
+| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
+| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |
| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |
-| Ransomware specific detection | Windows Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
+| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |
| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |
| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |
| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |
| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |
| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |
-| PUA notification | Your IT settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
-| PUA notification, customized | _Company_ caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
+| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
+| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
| Network isolation ended | | | No |
| Network isolation ended, customized | | | No |
| Restricted access ended | | | No |
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 4c160a092a..df2646c94e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Virus and threat protection in the Windows Security app
-description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -24,14 +24,14 @@ manager: dansimp
- Windows 10, version 1703 and later
-The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products.
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the following:
-- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md)
-- [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
+- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
- [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 56b6759416..d6c9634430 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -40,9 +40,9 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a
You can't uninstall the Windows Security app, but you can do one of the following:
-- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016).
+- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
- Hide all of the sections on client computers (see below).
-- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics:
@@ -83,7 +83,7 @@ You can find more information about each section, including options for configur
>
>These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product.
>
->Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+>Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
>
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
@@ -103,4 +103,4 @@ Disabling any of the individual features (through Group Policy or other manageme
> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app.
-For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
+For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 873ee01d4f..38155aa557 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -19,7 +19,7 @@ ms.date: 08/17/2017
# Create an Authentication Request Rule
-**Applies to**
+**Applies to:**
- Windows 10
- Windows Server 2016
@@ -27,9 +27,9 @@ After you have configured IPsec algorithms and authentication methods, you can c
**Administrative credentials**
-To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs.
-To create the authentication request rule
+To create the authentication request rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@@ -39,9 +39,10 @@ To create the authentication request rule
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
- >**Caution:** Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
+ > [!CAUTION]
+ > Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
-5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
+5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
@@ -49,7 +50,9 @@ To create the authentication request rule
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
+ 4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
+
+6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
@@ -75,18 +78,19 @@ To create the authentication request rule
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
- >**Important:** Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
+ > [!IMPORTANT]
+ > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
-6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
+7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
-7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
+8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
+ - On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
-8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
+9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index ba9cedf313..74dacfe608 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f
## Reviewing your Windows Defender Firewall with Advanced Security Design
-If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
+If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
-- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
+### Decide which devices apply to which GPO
- - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
- - [Planning the GPOs](planning-the-gpos.md)
+- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
- - [Planning GPO Deployment](planning-gpo-deployment.md)
+- [Planning the GPOs](planning-the-gpos.md)
-- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
+- [Planning GPO Deployment](planning-gpo-deployment.md)
-- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
+### Configure communication between members and devices
-- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
+Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
-- The requirement that all devices that must communicate with each other share a common set of:
+### Exempt domain controllers from IPsec authentication requirements
- - Authentication methods
+It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
- - Main mode key exchange algorithms
+### Configure IPsec authentication rules
- - Quick mode data integrity algorithms
+The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
- If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+### Make sure all devices can communicate with each other
+
+For all devices to communicate with each other, they must share a common set of:
+
+- Authentication methods
+
+- Main mode key exchange algorithms
+
+- Quick mode data integrity algorithms
+
+If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+
+## Deploy your Windows Firewall Design Plan
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 727cc608be..37619d2d6f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -117,12 +117,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat
Several new features and management options have been added to Windows Defender in this version of Windows 10.
-- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Windows Defender Advanced Threat Protection (ATP)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d409feafd2..d39a343109 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -72,25 +72,25 @@ But these protections can also be configured separately. And, unlike HVCI, code
### Endpoint detection and response
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
- Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+ Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
- We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
+ We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on:
+- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
+- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus)
+- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus)
+- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus)
- Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
+ Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus).
New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
+- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
+- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
- We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+ We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
@@ -226,9 +226,9 @@ An issue, known as “SMBLoris�?, which could result in denial of service, has
Windows Defender Security Center is now called **Windows Security Center**.
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
@@ -387,7 +387,7 @@ Update Compliance is a solution built using OMS Log Analytics that provides info
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
### Device Health
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 2b6f691d44..f3e4867a56 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -103,12 +103,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat
### Windows Defender
Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
-- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Windows Defender Advanced Threat Protection (ATP)
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index bcec94de57..8421a263ce 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -107,7 +107,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
- **Investigation**
- Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
+ Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
@@ -127,28 +127,28 @@ You can read more about ransomware mitigations and detection capability in Windo
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
-### Windows Defender Antivirus
-Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+### Microsoft Defender Antivirus
+Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
+- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
+- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus)
+- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus)
+- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus)
Some of the highlights of the new library include:
-- [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus)
-- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus)
+- [Evaluation guide for Windows Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus)
+- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus)
New features for Windows Defender AV in Windows 10, version 1703 include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
+- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
+- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
-In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 17f5cb4dfe..468c6ddce9 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -130,7 +130,7 @@ Upgrade Readiness provides insights into application and driver compatibility is
### Update Compliance
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
### Device Health
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index acd7f43bb2..93bcfb411b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -171,9 +171,9 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
### Windows Defender Exploit Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index e5ab713e82..ba0090d559 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -107,9 +107,9 @@ See the following example:
Windows Defender Security Center is now called **Windows Security Center**.
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 795fbe2644..aed8001e95 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -83,7 +83,7 @@ The draft release of the [security configuration baseline settings](https://blog
### Microsoft Defender Advanced Threat Protection (ATP):
- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
-- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers.
- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
@@ -138,7 +138,7 @@ This new feature is displayed under the Device Security page with the string “
- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
-- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
+- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 60ca36e9dd..27fc2277eb 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -60,10 +60,6 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
## Virtualization
-### Containers on Windows
-
-This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios.
-
### Windows Sandbox
[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index e231fecb9a..a722dcf90c 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -74,7 +74,7 @@ If you configure the language settings in the Autopilot profile and the device i
### Microsoft Endpoint Manager
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuraton Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new).
@@ -121,13 +121,9 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
## Virtualization
-### Containers on Windows
-
-This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios.
-
### Windows Sandbox
-[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bugfixes and enables even more control over configuration.
+[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.
[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
@@ -183,7 +179,7 @@ For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpda
### Windows Search
-Windows Search is [improved](https://insider.windows.com/community-news/desktop-search/) in several ways.
+Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm).
### Virtual Desktops
@@ -235,6 +231,8 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
## See Also
+[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
@@ -243,4 +241,3 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
-[What’s new for IT pros in Windows 10, version 2004](https://aka.ms/whats-new-in-2004): Windows IT Pro blog.
| |
7