Merged PR 2073: wdav server into client changes

wdav server into client changes

windows/threat-protection/TOC.md

@@ -82,9 +82,15 @@
 
 ##	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
 ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
-### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+
+
 ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+
+
 ### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
 #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
 ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
@@ -95,6 +101,8 @@
 ##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
 ##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
 ##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
 ### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
 #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
@@ -109,6 +117,8 @@
 ##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
 ##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
 ##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
 ### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
 #### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
 ##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
@@ -120,24 +130,28 @@
 #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
 #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
 #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+
+
 ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+
+
 ### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
 #### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
 #### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
 #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
 #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
 #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
 ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
 ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
 ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
 #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
 #### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
@@ -150,10 +164,13 @@
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
 #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+
 ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+
-## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
+
 ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Change history for Threat Protection](change-history-for-threat-protection.md)
+
+## [Change history for Threat Protection](change-history-for-threat-protection.md)

windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md

@@ -10,14 +10,17 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 
-# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans
+# Configure and validate exclusions for Windows Defender AV scans (client)
 
 
 **Applies to:**
 
 - Windows 10
+- Windows Server 2016
 
 **Audience**
 
@@ -39,6 +42,8 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen
 
 Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
 
+Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
+
 >[!WARNING]
 >Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
 

windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 
 # Configure and validate exclusions based on file extension and folder location
@@ -18,6 +20,7 @@ author: iaanw
 **Applies to:**
 
 - Windows 10
+- Windows Server 2016
 
 **Audience**
 

windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 
 # Configure exclusions for files opened by processes
@@ -17,6 +19,7 @@ author: iaanw
 **Applies to:**
 
 - Windows 10
+- Windows Server 2016
 
 **Audience**
 

windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md

@@ -10,9 +10,11 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 
-# Configure exclusions in Windows Defender AV on Windows Server 2016
+# Configure exclusions in Windows Defender AV on Windows Server
 
 
 **Applies to:**
@@ -30,14 +32,28 @@ author: iaanw
 - PowerShell
 - Windows Management Instrumentation (WMI)
 
-If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions).
 
 These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
 
-You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics:
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 
+Custom exclusions take precedence over the automatic exclusions.
+
+> [!TIP]
+> Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer.
+
+
+## Opt out of automatic exclusions
+
+In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates.
+
+> [!WARNING]
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
 
 You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
 
@@ -58,7 +74,7 @@ You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets,
 Use the following cmdlets:
 
 ```PowerShell
-Set-MpPreference -DisableAutoExclusions
+Set-MpPreference -DisableAutoExclusions $true
 ```
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
@@ -75,9 +91,312 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
 
 
+
+
+
+## List of automatic exclusions
+The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
+
+### Default exclusions for all roles
+This section lists the default exclusions for all Windows Server 2016 roles.
+
+-   Windows "temp.edb" files:
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+
+    -   *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+
+-   Windows Update files or Automatic Update files:
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+
+    -   *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+
+-   Windows Security files:
+
+    -   *%windir%*\Security\database\\*.chk
+
+    -   *%windir%*\Security\database\\*.edb
+
+    -   *%windir%*\Security\database\\*.jrs
+
+    -   *%windir%*\Security\database\\*.log
+
+    -   *%windir%*\Security\database\\*.sdb
+
+-   Group Policy files:
+
+    -   *%allusersprofile%*\NTUser.pol
+
+    -   *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+
+    -   *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+
+-   WINS files:
+
+    -   *%systemroot%*\System32\Wins\\*\\\*.chk
+
+    -   *%systemroot%*\System32\Wins\\*\\\*.log
+
+    -   *%systemroot%*\System32\Wins\\*\\\*.mdb
+
+    -   *%systemroot%*\System32\LogFiles\
+
+    -   *%systemroot%*\SysWow64\LogFiles\
+
+-   File Replication Service (FRS) exclusions:
+
+    -   Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+
+        -   *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+
+        -   *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+
+        -   *%windir%*\Ntfrs\jet\log\\*\\\*.log
+
+    -   FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+
+        -   *%windir%*\Ntfrs\\*\Edb\*.log
+
+    -   The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+
+        -   *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+
+    -   The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+
+        -   *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+
+    -   The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+
+        -   *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+
+        -   *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\*.XML
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+
+        -   *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\*.frx
+
+        -   *%systemdrive%*\System Volume Information\DFSR\\*.log
+
+        -   *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+
+        -   *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+
+-   Process exclusions
+
+    -   *%systemroot%*\System32\dfsr.exe
+
+    -   *%systemroot%*\System32\dfsrs.exe
+
+-   Hyper-V exclusions:
+
+    -   This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
+
+        -   File type exclusions:
+
+            -   *.vhd
+
+            -   *.vhdx
+
+            -   *.avhd
+
+            -   *.avhdx
+
+            -   *.vsv
+
+            -   *.iso
+
+            -   *.rct
+
+            -   *.vmcx
+
+            -   *.vmrs
+
+        -   Folder exclusions:
+
+            -   *%ProgramData%*\Microsoft\Windows\Hyper-V
+
+            -   *%ProgramFiles%*\Hyper-V
+
+            -   *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+
+            -   *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+
+        -   Process exclusions:
+
+            -   *%systemroot%*\System32\Vmms.exe
+
+            -   *%systemroot%*\System32\Vmwp.exe
+
+-   SYSVOL files:
+
+    -   *%systemroot%*\Sysvol\Domain\\*.adm
+
+    -   *%systemroot%*\Sysvol\Domain\\*.admx
+
+    -   *%systemroot%*\Sysvol\Domain\\*.adml
+
+    -   *%systemroot%*\Sysvol\Domain\Registry.pol
+
+    -   *%systemroot%*\Sysvol\Domain\\*.aas
+
+    -   *%systemroot%*\Sysvol\Domain\\*.inf
+
+    -   *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+
+    -   *%systemroot%*\Sysvol\Domain\\*.ins
+
+    -   *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+
+### Active Directory exclusions
+This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
+
+-   NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+
+    -   %windir%\Ntds\ntds.dit
+
+    -   %windir%\Ntds\ntds.pat
+
+-   The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
+
+    -   %windir%\Ntds\EDB*.log
+
+    -   %windir%\Ntds\Res*.log
+
+    -   %windir%\Ntds\Edb*.jrs
+
+    -   %windir%\Ntds\Ntds*.pat
+
+    -   %windir%\Ntds\EDB*.log
+
+    -   %windir%\Ntds\TEMP.edb
+
+-   The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+
+    -   %windir%\Ntds\Temp.edb
+
+    -   %windir%\Ntds\Edb.chk
+
+-   Process exclusions for AD DS and AD DS-related support files:
+
+    -   %systemroot%\System32\ntfrs.exe
+
+    -   %systemroot%\System32\lsass.exe
+
+### DHCP Server exclusions
+This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
+
+-   *%systemroot%*\System32\DHCP\\*\\\*.mdb
+
+-   *%systemroot%*\System32\DHCP\\*\\\*.pat
+
+-   *%systemroot%*\System32\DHCP\\*\\\*.log
+
+-   *%systemroot%*\System32\DHCP\\*\\\*.chk
+
+-   *%systemroot%*\System32\DHCP\\*\\\*.edb
+
+### DNS Server exclusions
+This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
+
+-   File and folder exclusions for the DNS Server role:
+
+    -   *%systemroot%*\System32\Dns\\*\\\*.log
+
+    -   *%systemroot%*\System32\Dns\\*\\\*.dns
+
+    -   *%systemroot%*\System32\Dns\\*\\\*.scc
+
+    -   *%systemroot%*\System32\Dns\\*\BOOT
+
+-   Process exclusions for the DNS Server role:
+
+    -   *%systemroot%*\System32\dns.exe
+
+    
+
+### File and Storage Services exclusions
+This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
+
+-   *%SystemDrive%*\ClusterStorage
+
+-   *%clusterserviceaccount%*\Local Settings\Temp
+
+-   *%SystemDrive%*\mscs
+
+### Print Server exclusions
+This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
+
+-   File type exclusions:
+
+    -   *.shd
+
+    -   *.spl
+
+-   Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+
+    -   *%system32%*\spool\printers\\*
+
+-   Process exclusions:
+
+    -   spoolsv.exe
+
+### Web Server exclusions
+This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
+
+-   Folder exclusions:
+
+    -   *%SystemRoot%*\IIS Temporary Compressed Files
+
+    -   *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+
+    -   *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+
+    -   *%systemDrive%*\inetpub\logs
+
+    -   *%systemDrive%*\inetpub\wwwroot
+
+-   Process exclusions:
+
+    -   *%SystemRoot%*\system32\inetsrv\w3wp.exe
+
+    -   *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+
+    -   *%SystemDrive%*\PHP5433\php-cgi.exe
+
+### Windows Server Update Services exclusions
+This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
+
+-   *%systemroot%*\WSUS\WSUSContent
+
+-   *%systemroot%*\WSUS\UpdateServicesDBFiles
+
+-   *%systemroot%*\SoftwareDistribution\Datastore
+
+-   *%systemroot%*\SoftwareDistribution\Download
+
+
+
+
 ## Related topics
 
-- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md

@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Antivirus
-description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,16 +12,17 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Windows Defender Antivirus in Windows 10
+# Windows Defender Antivirus in Windows 10 and Windows Server 2016
 
 **Applies to**
 -   Windows 10
+-   Windows Server 2016
 
 Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
 
 This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
 
-For more important information about running Windows Defender AV on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).
 
 Windows Defender AV can be managed with:
 - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
@@ -57,14 +58,14 @@ See the [In this library](#in-this-library) list at the end of this topic for li
 <a id="sysreq"></a>
 ## Minimum system requirements
 
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+Windows Defender AV has the same hardware requirements as Windows 10. For more information, see:
 -   [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
 -   [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
 
 
 Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
 
-Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
+Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
 
 
 
@@ -73,10 +74,13 @@ Functionality, configuration, and management is largely the same when using Wind
 
 Topic | Description
 :---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
+[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place
-[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions
-[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
+[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection
+[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
+[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
 [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
+[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
 [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here
 

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md

@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Antivirus on Windows Server 2016
-description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+description: Enable and configure Windows Defender AV on Windows Server 2016 
 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -13,7 +13,7 @@ author: iaanw
 ---
 
 
-# Windows Defender Antivirus on Windows Server
+# Windows Defender Antivirus on Windows Server 2016
 
 
 **Applies to:**
@@ -36,15 +36,124 @@ author: iaanw
 
 Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
 
-See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
-
 While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
 
 - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
 - In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
 
+This topic includes the following instructions for setting up and running Windows Defender AV on a server platform:
+
+-   [Enable the interface](#BKMK_UsingDef)
+
+-   [Verify Windows Defender AV is running](#BKMK_DefRun)
+
+-   [Update antimalware definitions](#BKMK_UpdateDef)
+
+-   [Submit Samples](#BKMK_DefSamples)
+
+-   [Configure automatic exclusions](#BKMK_DefExclusions)
+
+<a name="BKMK_UsingDef"></a>
+## Enable the interface
+By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. 
+
+You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic.
+
+The following PowerShell cmdlet will enable the interface: 
+
+```PowerShell
+Install-WindowsFeature -Name Windows-Defender-GUI
+```
+
+The following cmdlet will disable the interface:
+
+```PS
+Uninstall-WindowsFeature -Name Windows-Server-Antimalware
+```
+
+> [!TIP]
+> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+
+
+<a name="BKMK_DefRun"></a>
+## Verify Windows Defender is running
+To verify that Windows Defender AV is running on the server, run the following command from a command prompt: 
+
+```DOS
+sc query Windefend
+```
+
+The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`.
+
+<a name="BKMK_UpdateDef"></a>
+## Update antimalware definitions
+In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage.
+
+By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods:
+
+-   **Windows Update** in Control Panel.
+
+    -   **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates.
+
+    -   **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
+
+-   **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates**
+
+-   The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install definition updates.
+
+    -   **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates.
+
+    -   **3** Download updates but let me choose whether to install them.  This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
+
+To ensure that protection from malware is maintained, we recommend that you enable the following services:
+
+-   Windows Defender Network Inspection service
+
+-   Windows Error Reporting service
+
+-   Windows Update service
+
+The following table lists the services for Windows Defender and the dependent services.
+
+|Service Name|File Location|Description|
+|--------|---------|--------|
+|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.|
+|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
+|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.|
+|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates|
+
+
+
+<a name="BKMK_DefSamples"></a>
+## Submit Samples
+Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions.
+
+We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+
+### Enable automatic sample submission
+
+-   To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
+
+    -   **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
+
+    -   **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
+
+    -   **2** Never send. The Windows Defender service does not prompt and does not send any files.
+
+    -   **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.
+
+<a name="BKMK_DefExclusions"></a>
+## Configure automatic exclusions
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016.
+
+See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. 
+
+
 
 ## Related topics
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) 
+
+