Merge branch 'master' into repo_sync_working_branch

.openpublishing.redirection.json

@@ -15654,6 +15654,11 @@
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac",
       "redirect_document_id": true
+    },
+	{
+      "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md",
+      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac",
+      "redirect_document_id": true
     },
     {
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md",

windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
-title: Enable cloud-delivered protection in Microsoft Defender Antivirus
+title: Turn on cloud-delivered protection in Microsoft Defender Antivirus
-description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
+description: Turn on cloud-delivered protection to benefit from fast and advanced protection features.
 keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -9,16 +9,16 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
 ---
 
-# Enable cloud-delivered protection
+# Turn on cloud-delivered protection
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 
 - Microsoft Defender Antivirus
@@ -29,55 +29,60 @@ ms.custom: nextgen
 Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
 
-You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets.
+
+ You can also turn it on or off in individual clients with the Windows Security app.
 
 See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
 
-There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details.
+For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md).
 
 > [!NOTE]
-> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
 
-## Use Intune to enable cloud-delivered protection
+## Use Intune to turn on cloud-delivered protection
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. Select **All services > Intune**.
+2. On the **Home** pane, select **Device configuration > Profiles**.
-3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
+4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**.
 5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**.
-7. In the **Submit samples consent** dropdown, select one of the following:
-
-    - **Send safe samples automatically**
-    - **Send all samples automatically**
-
-        >[!NOTE]
-        > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
-        > [!WARNING]
-        > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
-
-8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
 
 For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
 
-## Use Configuration Manager to enable cloud-delivered protection
+## Use Microsoft Endpoint Configuration  Manager to turn on cloud-delivered protection
 
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
+    1. **High**: Applies a strong level of detection.
+    2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
+    3. **Zero tolerance**: Blocks all unknown executables.
+6. Select **Review + save**, then choose **Save**.
 
-## Use Group Policy to enable cloud-delivered protection
+For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service).
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+## Use Group Policy to turn on cloud-delivered protection
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
+
+2. In the **Group Policy Management Editor**, go to **Computer configuration**.
 
 3. Select **Administrative templates**.
 
 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
 
-5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
+5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
 
-6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
+6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either:
 
     1. **Send safe samples** (1)
     2. **Send all samples** (3)
@@ -88,18 +93,18 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
         > [!WARNING]
         > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
 
-7. Click **OK**.
+7. Select **OK**.
 
-## Use PowerShell cmdlets to enable cloud-delivered protection
+## Use PowerShell cmdlets to turn on cloud-delivered protection
 
-Use the following cmdlets to enable cloud-delivered protection:
+The following cmdlets can turn on cloud-delivered protection:
 
 ```PowerShell
 Set-MpPreference -MAPSReporting Advanced
 Set-MpPreference -SubmitSamplesConsent SendAllSamples
 ```
 
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
 
 >[!NOTE]
 > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
@@ -107,7 +112,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
 >[!WARNING]
 > Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
 
-## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
+## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
 
@@ -116,33 +121,31 @@ MAPSReporting
 SubmitSamplesConsent
 ```
 
-See the following for more information and allowed parameters:
+For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+## Turn on cloud-delivered protection on individual clients with the Windows Security app
-
-## Enable cloud-delivered protection on individual clients with the Windows Security app
 
 > [!NOTE]
 > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
 
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**.
 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
 
     ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
 
 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
 
->[!NOTE]
+> [!NOTE]
->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
+> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
 
-## Related topics
+## Related articles
 
 - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
 - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
 - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
 - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
 - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -20,49 +20,55 @@ manager: dansimp
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
 
-
 ## Quick scan versus full scan
 
-Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
 
-> [!IMPORTANT] 
+> [!IMPORTANT]
-> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. 
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
 
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
 
-In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
 
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is  ideal if your organization is running on-demand scans.
 
->[!NOTE]
+> [!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
+> By default, quick scans run on mounted removable devices, such as USB drives.
 
-## Use Configuration Manager to run a scan
+## Use Microsoft Endpoint Configuration Manager to run a scan
 
-See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
+4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
+
+[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox)
+
+> [!TIP]
+> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers).
 
 ## Use the mpcmdrun.exe command-line utility to run a scan
 
 Use the following `-scan` parameter:
 
-```DOS
+```console
 mpcmdrun.exe -scan -scantype 1
 ```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md).
 
 ## Use Microsoft Intune to run a scan
 
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-
+2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
-2. Select **...More** and then select **Quick Scan** or **Full Scan**.
+3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
-
 
 ## Use the Windows Security app to run a scan
 
@@ -75,15 +81,14 @@ Use the following cmdlet:
 ```PowerShell
 Start-MpScan
 ```
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
 
 ## Use Windows Management Instruction (WMI) to run a scan
 
-Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
+Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class.
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
+For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 ## Related articles
 

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -1,165 +0,0 @@
----
-title: Enable Microsoft Defender for Endpoint Insider Device
-description: Install and use Microsoft Defender for Endpoint (Mac).
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: 
-- m365-security-compliance 
-- m365initiative-defender-endpoint 
-ms.topic: conceptual
----
-
-# Enable Microsoft Defender for Endpoint Insider Device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
-
-> [!IMPORTANT]
-> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
-
-## Enable the Insider program with Jamf
-
-1. Create configuration profile `com.microsoft.wdav.plist` with the following content:
-
-   ```XML
-       <?xml version="1.0" encoding="UTF-8"?>
-       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-       <plist version="1.0">
-       <dict>
-           <key>edr</key>
-           <dict>
-               <key>earlyPreview</key>
-               <true/>
-           </dict>
-       </dict>
-       </plist>
-   ```
-
-1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
-
-1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier.
-
-   > [!WARNING]
-   > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
-
-## Enable the Insider program with Intune
-
-1. Create configuration profile `com.microsoft.wdav.plist` with the following content:
-
-    ```XML
-       <?xml version="1.0" encoding="utf-8"?>
-       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-       <plist version="1">
-           <dict>
-               <key>PayloadUUID</key>
-               <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-               <key>PayloadType</key>
-               <string>Configuration</string>
-               <key>PayloadOrganization</key>
-               <string>Microsoft</string>
-               <key>PayloadIdentifier</key>
-               <string>com.microsoft.wdav</string>
-               <key>PayloadDisplayName</key>
-               <string>Microsoft Defender ATP settings</string>
-               <key>PayloadDescription</key>
-               <string>Microsoft Defender ATP configuration settings</string>
-               <key>PayloadVersion</key>
-               <integer>1</integer>
-               <key>PayloadEnabled</key>
-               <true/>
-               <key>PayloadRemovalDisallowed</key>
-               <true/>
-               <key>PayloadScope</key>
-               <string>System</string>
-               <key>PayloadContent</key>
-               <array>
-                   <dict>
-                       <key>PayloadUUID</key>
-                       <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                       <key>PayloadType</key>
-                       <string>com.microsoft.wdav</string>
-                       <key>PayloadOrganization</key>
-                       <string>Microsoft</string>
-                       <key>PayloadIdentifier</key>
-                       <string>com.microsoft.wdav</string>
-                       <key>PayloadDisplayName</key>
-                       <string>Microsoft Defender ATP configuration settings</string>
-                       <key>PayloadDescription</key>
-                       <string/>
-                       <key>PayloadVersion</key>
-                       <integer>1</integer>
-                       <key>PayloadEnabled</key>
-                       <true/>
-                       <key>edr</key>
-                       <dict>
-                           <key>earlyPreview</key>
-                           <true/>
-                       </dict>
-                   </dict>
-               </array>
-           </dict>
-       </plist>
-   ```
-
-1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
-
-1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
-
-1. Save the `.plist` created earlier as com.microsoft.wdav.xml.
-
-1. Enter `com.microsoft.wdav` as the custom configuration profile name.
-
-1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1.
-
-1. Select  **OK**.
-
-1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
-
-   > [!WARNING]
-   > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
-
-## Enable the Insider program manually on a single device
-
-In terminal, run:
-
-```bash
-    mdatp --edr --early-preview true
-```
-
-For versions earlier than 100.78.0, run:
-
-```bash
-    mdatp --edr --earlyPreview true
-```
-
-## Troubleshooting
-
-### Verify you are running the correct version
-
-To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
-
-To verify you are running the correct version, run `mdatp --health` on the device.
-
-* The required version is 100.72.15 or later.
-* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal.
-* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
-* If you are not using Office for Mac, download and run the AutoUpdate tool.
-
-### A device still does not appear on Microsoft Defender Security Center
-
-After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`.
-
-* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
-
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md

@@ -92,6 +92,10 @@ If you experience any installation failures, refer to [Troubleshooting installat
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
+- Audit framework (`auditd`) must be enabled.
+  >[!NOTE]
+  > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key.
+
 ### Network connections
 
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md

@@ -39,7 +39,7 @@ This topic describes how to install, configure, update, and use Defender for End
 > [!TIP]
 > If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**.
 
-To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. See [Enable Microsoft Defender for Endpoint Insider Device](endpoint-detection-response-mac-preview.md). 
+To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device.
 
 ## How to install Microsoft Defender for Endpoint for Mac
 

windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md

@@ -29,65 +29,112 @@ ms.topic: conceptual
 
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception.
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.  
 
-When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list.
+When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+## Permissions
+
+Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md).
+
+![View of exception handling permission.](images/tvm-exception-permissions.png)
 
 ## Create an exception
 
-1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md).
+Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form.  
 
-2. Select a security recommendation you would like to create an exception for, and then **Exception options**.
+![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
-![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png)
 
-3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+### Exception by device group
 
-    The following list details the justifications behind the exception options:
+Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups.
 
-    - **Third party control** - A third party product or software already addresses this recommendation
+![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
-        - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
-    - **Alternate mitigation** - An internal tool already addresses this recommendation
-        - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
-    - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
-    - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
 
-4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+#### Filtered views
 
-## View your exceptions
+If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options.
 
-When you file for an exception from the security recommendations page, you create an exception  for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md).
+This is the button to filter by device group on any of the threat and vulnerability management pages: 
 
-The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.  
+![Showing selected device groups filter.](images/tvm-selected-device-groups.png)
 
-![Example of the exception page and filter options.](images/tvm-exception-filters.png)
+Exception view with filtered device groups:
 
-### Exception actions and statuses
+![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png)
 
-Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**.
+#### Large number of device groups
 
-The following statuses will be a part of an exception:
+If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
 
-- **Canceled** - The exception has been canceled and is no longer in effect  
+![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png)
-- **Expired** - The exception that you've filed is no longer in effect
-- **In effect** - The exception that you've filed is in progress
 
-### Exception impact on scores
+A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
 
-Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner:
+![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png)
 
-- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores.
+### Global exceptions
-- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
-- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made.
 
-The exception impact shows on both the Security recommendations page column and in the flyout pane.
+If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.”
 
-![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png)
+![Showing global exception option.](images/tvm-exception-global.png)
 
-### View exceptions in other places
+Some things to keep in mind:
 
-Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire.
+- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires.
 
-![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png)
+### Justification
+
+Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+The following list details the justifications behind the exception options:
+
+- **Third party control** - A third party product or software already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Alternate mitigation** - An internal tool already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
+- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+
+## View all exceptions
+
+Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status.
+
+ Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception.
+
+
+![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png)
+
+
+## How to cancel an exception
+
+To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. To cancel the exception for all device groups, select the **Cancel exception** button. You can also cancel the exception for a specific device group.
+
+### Cancel the exception for a specific device group
+
+Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**.
+
+![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png)
+
+
+### Cancel a global exception
+
+If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout.
+
+![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png)
+
+## View impact after exceptions are applied
+
+In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
+
+![Showing customize columns options.](images/tvm-after-exceptions.png)
+
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+
+![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
 
 ## Related topics
 

windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md

@@ -104,6 +104,144 @@ From the flyout, you can choose any of the following options:
 
 ### Investigate changes in device exposure or impact
 
+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.
+
+1. Select the recommendation and **Open software page**
+2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
+3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request
+
+## Request remediation
+
+The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+### Enable Microsoft Intune connection
+
+To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+### Remediation request steps
+
+1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
+
+2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.
+
+## File for exception
+
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. Only users with “exceptions handling” permissions can add exception. [Learn more about RBAC roles](user-roles.md). If your organization has device groups, you will now be able to scope the exception to specific device groups.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+### How to create an exception
+
+Select a security recommendation you would like create an exception for, and then select **Exception options**.  
+
+![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
+
+Choose the scope and justification, set a date for the exception duration, and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab.
+
+### Exception scope
+
+Exceptions can either be created for selected device groups, or for all device groups past and present.  
+
+#### Exception by device group
+
+Apply the exception to all device groups or choose specific device groups. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups.
+
+![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
+
+##### Filtered
+
+If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options.
+
+Button to filter by device group on any of the threat and vulnerability management pages: 
+
+![Showing selected device groups filter.](images/tvm-selected-device-groups.png)
+
+Exception view with filtered device groups:
+
+![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png)
+
+##### Large number of device groups
+
+If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
+
+![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png)
+
+A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
+
+![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png)
+
+#### Global exceptions
+
+If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.”
+
+![Showing global exception option.](images/tvm-exception-global.png)
+
+Some things to keep in mind:
+
+- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire.
+- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires.
+
+### Justification
+
+Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+The following list details the justifications behind the exception options:
+
+- **Third party control** - A third party product or software already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Alternate mitigation** - An internal tool already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
+- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+
+### View all exceptions
+
+Navigate to the **Exceptions** tab in the **Remediation** page.
+
+![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-tab400.png)
+
+Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can Export. You can also view the related recommendation or cancel the exception.
+
+### How to cancel an exception
+
+To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception.
+
+#### Cancel the exception for a specific device group
+
+If the exception is per device group, then you will need to select the specific device group to cancel the exception for it. 
+
+![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png)
+
+A flyout will appear for the device group, and you can select **Cancel exception**.
+
+#### Cancel a global exception
+
+If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout.
+
+![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png)
+
+### View impact after exceptions are applied
+
+In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
+
+![Showing customize columns options.](images/tvm-after-exceptions.png)
+
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+
+![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
 If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.
 
 1. Select the recommendation and **Open software page**