Merge branch 'master' into repo_sync_working_branch

2025-05-14 06:17:22 +00:00 · 2021-03-23 10:56:55 -07:00 · 2021-03-23 10:56:55 -07:00 · fb84ef5e1c
commit fb84ef5e1c
parent d1ce1c6b9b 15ae34ff9b
1672 changed files with 2012 additions and 50721 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -1,93 +1,11 @@
 # [Threat protection](index.md)
 ## [Overview]()
 ### [What is Microsoft Defender for Endpoint?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
 ### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
 ### [What's new in Microsoft Defender for Endpoint](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
 ### [Preview features](microsoft-defender-atp/preview.md)
 ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
 ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
 ### [Portal overview](microsoft-defender-atp/portal-overview.md)
 ### [Microsoft Defender for Endpoint for US Government customers](microsoft-defender-atp/gov.md)
 ### [Microsoft Defender for Endpoint for non-Windows platforms](microsoft-defender-atp/non-windows.md)
 ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
 ## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
 ## [Deployment guide]()
 ### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
 ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
 ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
 ### [Phase 3: Onboard]()
 #### [Onboarding overview](microsoft-defender-atp/onboarding.md)
 #### [Deployment rings](microsoft-defender-atp/deployment-rings.md)
 #### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
 #### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
 #### [Onboard supported devices](microsoft-defender-atp/onboard-configure.md)
 ## [Migration guides](microsoft-defender-atp/migration-guides.md)
 ### [Switch from McAfee to Microsoft Defender for Endpoint]()
 #### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
 #### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md) 
 #### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
 #### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
 ### [Switch from Symantec to Microsoft Defender for Endpoint]()
 #### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
 #### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
 #### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
 #### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
 ### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
 #### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
 #### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
 #### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
 #### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
 ### [Manage Microsoft Defender for Endpoint after migration]()
 #### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
 #### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
 #### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
 #### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
 #### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
 ## [Security administration]()
 ### [Threat & vulnerability management]()
 #### [Overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
 #### [Get started]()
 ##### [Permissions & prerequisites](microsoft-defender-atp/tvm-prerequisites.md)
 ##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
 ##### [Assign device value](microsoft-defender-atp/tvm-assign-device-value.md)
 #### [Assess your security posture]()
 ##### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
 ##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 ##### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
 #### [Improve your security posture & reduce risk]()
 ##### [Address security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
 ##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
 ##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
 ##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
 ##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
 #### [Understand vulnerabilities on your devices]()
 ##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
 ##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
 ##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
 ##### [Vulnerable devices report](microsoft-defender-atp/tvm-vulnerable-devices-report.md)
 ##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md)
 ### [Attack surface reduction]()
 #### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
 #### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
 #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
 #### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
 #### [Attack surface reduction controls]()
 ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
 ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
 ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
 ##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
 #### [Hardware-based isolation]()
-##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
+
 ##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
 ##### [Application isolation]()
@ -108,41 +26,10 @@
 ##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
 ##### [Device control report](device-control/device-control-report.md)
 #### [Exploit protection]()
 ##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
 ##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
 ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
 ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
 ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
 ##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md)
 ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
 #### [Network protection]()
 ##### [Protect your network](microsoft-defender-atp/network-protection.md)
 ##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
 ##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md)
 #### [Web protection]()
 ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
 ##### [Web threat protection]()
 ###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
 ###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
 ###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
 ##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
 #### [Controlled folder access]()
 ##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
 ##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
 ##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
 ##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)
 #### [Network firewall]()
 ##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
 ##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ### [Next-generation protection]()
 #### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
 #### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
@ -231,511 +118,12 @@
 #### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
 #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
 ### [Microsoft Defender for Endpoint for Mac]()
 #### [Overview of Microsoft Defender for Endpoint for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
 #### [What's New](microsoft-defender-atp/mac-whatsnew.md)
 #### [Deploy]()
 ##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
 ##### [JAMF Pro-based deployment]()
 ###### [Deploying Microsoft Defender for Endpoint for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md)
 ###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md)
 ###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md)
 ###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md)
 ###### [Enroll devices](microsoft-defender-atp/mac-jamfpro-enroll-devices.md)
 ##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
 ##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
 #### [Update](microsoft-defender-atp/mac-updates.md)
 #### [Configure]()
 ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
 ##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
 ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
 ##### [Device control]()
 ###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md)
 ###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md)
 ###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md)
 ##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
 #### [Troubleshoot]()
 ##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
 ##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
 ##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
 ##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
 #### [Privacy](microsoft-defender-atp/mac-privacy.md)
 #### [Resources](microsoft-defender-atp/mac-resources.md)
 ### [Microsoft Defender for Endpoint for iOS]()
 #### [Overview of Microsoft Defender for Endpoint for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
 #### [What's New](microsoft-defender-atp/ios-whatsnew.md)
 #### [Deploy]()
 ##### [Deploy Microsoft Defender for Endpoint for iOS via Intune](microsoft-defender-atp/ios-install.md)
 #### [Configure]()
 ##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
 #### [Privacy](microsoft-defender-atp/ios-privacy.md)
 ### [Microsoft Defender for Endpoint for Linux]()
 #### [Overview of Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
 #### [What's New](microsoft-defender-atp/linux-whatsnew.md)
 #### [Deploy]()
 ##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
 ##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
 ##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
 #### [Update](microsoft-defender-atp/linux-updates.md)
 #### [Configure]()
 ##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
 ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
 ##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
 ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
 ##### [Schedule scans with Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md)
 ##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](microsoft-defender-atp/linux-update-MDE-Linux.md)
 #### [Troubleshoot]()
 ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
 ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
 ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
 ##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md)
 #### [Privacy](microsoft-defender-atp/linux-privacy.md)
 #### [Resources](microsoft-defender-atp/linux-resources.md)
 ### [Microsoft Defender for Endpoint for Android]()
 #### [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp/microsoft-defender-atp-android.md)
 #### [Deploy]()
 ##### [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md)
 #### [Configure]()
 ##### [Configure Microsoft Defender for Endpoint for Android features](microsoft-defender-atp/android-configure.md)
 #### [Privacy]()
 ##### [Microsoft Defender for Endpoint for Android - Privacy information](microsoft-defender-atp/android-privacy.md)
 #### [Troubleshoot]()
 ##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md)
 ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
 ## [Security operations]()
 ### [Endpoint detection and response]()
 #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
 #### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
 #### [Incidents queue]()
 ##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
 ##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
 ##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
 #### [Alerts queue]()
 ##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
 ##### [Review alerts](microsoft-defender-atp/review-alerts.md)
 ##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
 ##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
 ##### [Investigate files](microsoft-defender-atp/investigate-files.md)
 ##### [Investigate devices](microsoft-defender-atp/investigate-machines.md)
 ##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
 ##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
 ###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
 ##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
 #### [Devices list]()
 ##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
 ##### [Techniques in device timeline](microsoft-defender-atp/techniques-device-timeline.md)
 ##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
 ##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
 #### [Take response actions]()
 ##### [Take response actions on a device]()
 ###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
 ###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
 ###### [Start an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
 ###### [Start a Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
 ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
 ###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
 ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
 ###### [Isolate devices from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-devices-from-the-network)
 ###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
 ###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
 ##### [Take response actions on a file]()
 ###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
 ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
 ###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
 ###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
 ###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
 ###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
 ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
 ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
 #### [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md)
 ##### [View and approve pending actions](microsoft-defender-atp/manage-auto-investigation.md)
 ##### [Details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
 #### [Investigate entities using Live response]()
 ##### [Investigate entities on devices](microsoft-defender-atp/live-response.md)
 ##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
 #### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
 #### [Reporting]()
 ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
 ##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
 #### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
 ### [Behavioral blocking and containment]()
 #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
 #### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
 #### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
 #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
 ### [Automated investigation and response (AIR)]()
 #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
 #### [Automation levels in AIR](microsoft-defender-atp/automation-levels.md)
 #### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
 ### [Advanced hunting]()
 #### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
 #### [Learn, train, & get examples]()
 ##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
 ##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
 #### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
 #### [Optimize & handle errors]()
 ##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
 ##### [Handle errors](microsoft-defender-atp/advanced-hunting-errors.md)
 ##### [Service limits](microsoft-defender-atp/advanced-hunting-limits.md)
 #### [Data schema]()
 ##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
 ##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
 ##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
 ##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
 ##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
 ##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
 ##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
 ##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
 ##### [DeviceFileCertificateInfo](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md)
 ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
 ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
 ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
 ##### [DeviceTvmSoftwareInventory](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md)
 ##### [DeviceTvmSoftwareVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)
 ##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
 ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
 ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
 #### [Custom detections]()
 ##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
 ##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
 ##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
 ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
 ### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md)
 #### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md)
 ## [How-to]()
 ### [Onboard devices to the service]()
 #### [Onboard devices to Microsoft Defender for Endpoint](microsoft-defender-atp/onboard-configure.md)
 #### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
 #### [Onboard Windows 10 devices]()
 ##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
 ##### [Onboard devices using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
 ##### [Onboard devices using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
 ##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
 ##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
 ##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
 ##### [Onboard Windows 10 multi-session devices in Windows Virtual Desktop](microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md)
 #### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
 #### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
 #### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
 #### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)
 #### [Run simulated attacks on devices](microsoft-defender-atp/attack-simulations.md)
 #### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
 #### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
 #### [Troubleshoot onboarding issues]()
 ##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
 ##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
 ### [Manage device configuration]()
 #### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
 #### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
 #### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
 #### [Optimize attack surface reduction rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
 ### [Configure portal settings]()
 #### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
 #### [General]()
 ##### [Verify data storage location and  update data retention settings](microsoft-defender-atp/data-retention-settings.md)
 ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
 ##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md)
 ##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
 #### [Permissions]()
 ##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
 ##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
 ###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
 ###### [Create and manage device groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
 ##### [Create indicators](microsoft-defender-atp/manage-indicators.md)
 ###### [Create indicators for files](microsoft-defender-atp/indicator-file.md)
 ###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md)
 ###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md)
 ###### [Manage indicators](microsoft-defender-atp/indicator-manage.md)
 ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
 ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
 #### [Device management]()
 ##### [Onboarding devices](microsoft-defender-atp/onboard-configure.md)
 ##### [Offboarding devices](microsoft-defender-atp/offboard-machines.md)
 #### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
 ### [Configure integration with other Microsoft solutions]()
 #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
 #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
 ### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
 ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
 ## Reference
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
 #### [Microsoft Defender for Endpoint API]()
 ##### [Get started]()
 ###### [Microsoft Defender for Endpoint API license and terms](microsoft-defender-atp/api-terms-of-use.md)
 ###### [Access the Microsoft Defender for Endpoint APIs](microsoft-defender-atp/apis-intro.md)
 ###### [Hello World](microsoft-defender-atp/api-hello-world.md)
 ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
 ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 ##### [Microsoft Defender for Endpoint APIs Schema]()
 ###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
 ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 ###### [Alert]()
 ####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
 ####### [List alerts](microsoft-defender-atp/get-alerts.md)
 ####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
 ####### [Update alert](microsoft-defender-atp/update-alert.md)
 ####### [Batch update alert](microsoft-defender-atp/batch-update-alerts.md)
 ####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
 ####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
 ####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
 ####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
 ####### [Get alert related device information](microsoft-defender-atp/get-alert-related-machine-info.md)
 ####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
 ###### [Machine]()
 ####### [Machine methods and properties](microsoft-defender-atp/machine.md)
 ####### [List machines](microsoft-defender-atp/get-machines.md)
 ####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
 ####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
 ####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
 ####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
 ####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
 ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
 ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
 ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
 ####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md)
 ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
 ####### [Set device value](microsoft-defender-atp/set-device-value.md)
 ###### [Machine Action]()
 ####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
 ####### [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
 ####### [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
 ####### [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
 ####### [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
 ####### [Isolate machine](microsoft-defender-atp/isolate-machine.md)
 ####### [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
 ####### [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
 ####### [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
 ####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
 ####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
 ####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
 ###### [Automated Investigation]()
 ####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
 ####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
 ####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
 ####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
 ###### [Indicators]()
 ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
 ####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
 ####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md)
 ####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
 ####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
 ###### [Domain]()
 ####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
 ####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
 ####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
 ###### [File]()
 ####### [File methods and properties](microsoft-defender-atp/files.md)
 ####### [Get file information](microsoft-defender-atp/get-file-information.md)
 ####### [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
 ####### [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
 ####### [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
 ###### [IP]()
 ####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
 ####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
 ###### [User]()
 ####### [User methods](microsoft-defender-atp/user.md)
 ####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
 ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
 ###### [Score]()
 ####### [Score methods and properties](microsoft-defender-atp/score.md)
 ####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
 ####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
 ####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
 ###### [Software]()
 ####### [Software methods and properties](microsoft-defender-atp/software.md)
 ####### [List software](microsoft-defender-atp/get-software.md)
 ####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
 ####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
 ####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
 ####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
 ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
 ###### [Vulnerability]()
 ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
 ####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
 ####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
 ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
 ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
 ###### [Recommendation]()
 ####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
 ####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
 ####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
 ####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
 ####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md)
 ####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
 ##### [How to use APIs - Samples]()
 ###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
 ###### [Power BI](microsoft-defender-atp/api-power-bi.md)
 ###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
 ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
 #### [Raw data streaming API]()
 ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
 ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
 ##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
 #### [SIEM integration]()
 ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
 ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
 ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
 ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
 ##### [Microsoft Defender for Endpoint detection fields](microsoft-defender-atp/api-portal-mapping.md)
 ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
 ##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
 ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 #### [Partners & APIs]()
 ##### [Partner applications](microsoft-defender-atp/partner-applications.md)
 ##### [Connected applications](microsoft-defender-atp/connected-applications.md)
 ##### [API explorer](microsoft-defender-atp/api-explorer.md)
 #### [Role-based access control]()
 ##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
 ##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
 ##### [Create and manage device groups]()
 ###### [Using device groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
 #### [Managed security service provider (MSSP) integration]()
 ##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
 ##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
 ##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
 ##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
 ##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
 ##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 ### [Partner integration scenarios]()
 #### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
 #### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
 #### [Become a Microsoft Defender for Endpoint partner](microsoft-defender-atp/get-started-partner-integration.md)
 ### [Integrations]()
 #### [Microsoft Defender for Endpoint integrations](microsoft-defender-atp/threat-protection-integration.md)
 #### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
 #### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
 ### [Information protection in Windows overview]()
 #### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
 ### [Access the Microsoft Defender for Endpoint Community Center](microsoft-defender-atp/community.md)
 ### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
 ### [Troubleshoot Microsoft Defender for Endpoint]()
 #### [Troubleshoot sensor state]()
 ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
 ##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
 ##### [Inactive devices](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-devices)
 ##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices)
 ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
 #### [Troubleshoot Microsoft Defender for Endpoint service issues]()
 ##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
 ##### [Check service health](microsoft-defender-atp/service-status.md)
 ##### [Contact Microsoft Defender for Endpoint support](microsoft-defender-atp/contact-support.md)
 #### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
 #### [Collect support logs using LiveAnalyzer ](microsoft-defender-atp/troubleshoot-collect-support-log.md)
 #### [Troubleshoot attack surface reduction issues]()
 ##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
 ##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
 #### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
 #### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
 ### [Troubleshoot Microsoft Defender Antivirus]()
 #### [Troubleshoot Microsoft Defender Antivirus issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
 #### [Troubleshoot Microsoft Defender Antivirus migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
 ## [Security intelligence](intelligence/index.md)
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@ -17,11 +17,11 @@ ms.technology: mde
 ---
 # Change history for threat protection
-This topic lists new and updated topics in the [Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation.
+This topic lists new and updated topics in the [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) documentation.
 ## August 2018
 New or changed topic | Description
 ---------------------|------------
-[Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@ -23,7 +23,7 @@ ms.technology: mde
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
@ -56,28 +56,28 @@ ms.technology: mde
 >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
-**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
+**[Threat & vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**<br>
 This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+- [Threat & vulnerability management overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Get started](microsoft-defender-atp/tvm-prerequisites.md)
+- [Get started](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md)
+- [Access your security posture](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md)
+- [Improve your security posture and reduce risk](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md)
+- [Understand vulnerabilities on your devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
 <a name="asr"></a>
-**[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**<br>
+**[Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**<br>
 The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+- [Exploit protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)
- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
+- [Network protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection), [web protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+- [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
+- [Attack surface reduction rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction)
 <a name="ngp"></a>
@ -92,51 +92,51 @@ To further reinforce the security perimeter of your network, Microsoft Defender
 <a name="edr"></a>
-**[Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)**<br>
+**[Endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**<br>
 Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections.
- [Alerts](microsoft-defender-atp/alerts-queue.md)
+- [Alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/alerts-queue)
- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline)
+- [Historical endpoint data](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
 - [Response orchestration](microsoft-defender-atp/response-actions.md)
- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
+- [Forensic collection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md)
+- [Threat intelligence](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
+- [Advanced detonation and analysis service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md)
+- [Advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
-    - [Custom detections](microsoft-defender-atp/overview-custom-detections.md)
+    - [Custom detections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-custom-detections)
 <a name="ai"></a>
-**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
+**[Automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)**<br>
 In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Get an overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
+- [Get an overview of automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)
- [Learn about automation levels](microsoft-defender-atp/automation-levels.md)
+- [Learn about automation levels](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels)
- [Configure automated investigation and remediation in Defender for Endpoint](microsoft-defender-atp/configure-automated-investigations-remediation.md)
+- [Configure automated investigation and remediation in Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
- [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md)
+- [Visit the Action center to see remediation actions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
- [Review remediation actions following an automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
+- [Review remediation actions following an automated investigation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-auto-investigation)
 - [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
 <a name="mte"></a>
-**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
+**[Microsoft Threat Experts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**<br>
 Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
+- [Targeted attack notification](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
+- [Experts-on-demand](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+- [Configure your Microsoft 365 Defender managed hunting service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
 <a name="apis"></a>
-**[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**<br>
+**[Centralized configuration and administration, APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis)**<br>
 Integrate Microsoft Defender for Endpoint into your existing workflows.
- [Onboarding](microsoft-defender-atp/onboard-configure.md)
+- [Onboarding](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
+- [API and SIEM integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-siem)
- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
+- [Exposed APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro)
- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
+- [Role-based access control (RBAC)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/rbac)
- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md)
+- [Reporting and trends](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-reports)
 <a name="integration"></a>
-**[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)** <br>
+**[Integration with Microsoft solutions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration)** <br>
 Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
 - Intune
 - Microsoft Defender for Office 365
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@ -94,7 +94,7 @@ Microsoft provides comprehensive security capabilities that help protect against
 * [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
-* [Controlled folder access](../microsoft-defender-atp/enable-controlled-folders.md) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
 * [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
@ -108,7 +108,7 @@ Microsoft provides comprehensive security capabilities that help protect against
 * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
-* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
+* [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
 * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@ -62,6 +62,6 @@ We recommend:
 * Educate your employees so they can identify social engineering and spear-phishing attacks.
-* [Controlled folder access](../microsoft-defender-atp/controlled-folders.md). It can stop ransomware from encrypting files and holding the files for ransom.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
 For more general tips, see [prevent malware infection](prevent-malware-infection.md).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@ -25,7 +25,7 @@ ms.technology: mde
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
 ## Exclusion lists
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@ -64,7 +64,7 @@ In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartSc
 Security admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
 ## Microsoft Defender Antivirus
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@ -30,7 +30,7 @@ ms.technology: mde
 Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
 - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
 - If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
+- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
 ## Antivirus and Microsoft Defender for Endpoint
@ -102,11 +102,11 @@ The table in this section summarizes the functionality and features that are ava
 - In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+- When [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
 - When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/defender-compatibility) in order to properly monitor your devices and network for intrusion attempts and attacks.
 - When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
@ -122,7 +122,7 @@ The table in this section summarizes the functionality and features that are ava
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
 - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
+- [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode)
 - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
 - [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
 - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@ -37,7 +37,7 @@ Settings that were previously part of the Windows Defender client and main Windo
 See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
-The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
 ## Review virus and threat protection settings in the Windows Security app
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@ -14,7 +14,7 @@ audience: ITPro
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 03/11/2021
+ms.date: 03/22/2021
 ms.technology: mde
 ---
@ -203,15 +203,15 @@ Here's what you see in the Windows Security app:
 Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
 ![Microsoft Defender Security Center](images/tamperattemptalert.png)
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
 ## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
 ![Tamper protection results in security recommendations](../images/securityrecs-tamperprotect.jpg)
@ -219,13 +219,13 @@ In the results, you can select **Turn on Tamper Protection** to learn more and t
 ![Turn on tamper protection](images/tamperprotectsecurityrecos.png)
-To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
+To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
 ## Frequently asked questions
 ### To which Windows OS versions is configuring tamper protection is applicable?
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
 If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
@ -241,7 +241,7 @@ Devices that are onboarded to Microsoft Defender for Endpoint will have Microsof
 If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
-If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: 
+If you are an organization using [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: 
 - [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune)
 - [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
@ -263,7 +263,7 @@ If you are using tenant attach, you can use Microsoft Endpoint Configuration Man
 ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
 ### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
@ -289,6 +289,8 @@ Your security operations team can also use hunting queries, such as the followin
 ## See also
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
- [Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+
- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
+[Get an overview of Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
 [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@ -123,7 +123,7 @@ Microsoft Defender Antivirus will automatically turn on if no other antivirus is
 > [!WARNING]
 > Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
-Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview) is deployed.
 Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@ -24,34 +24,34 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
-Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender for Endpoint). 
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (Microsoft Defender for Endpoint). 
-Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. 
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations), you get better protection that's coordinated across products and services. 
 ## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
-| |Advantage  |Why it matters |
+|# |Advantage  |Why it matters |
 |--|--|--|
 |1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-analytics) and [Microsoft Secure Score for Devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
-|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md).|
+|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/evaluate-mde).|
 |4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).|
-|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection).|
-|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
-|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving  attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving  attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
-|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.) |
 |9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
 |10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
+|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/troubleshoot-mde) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
 ## Learn more
-[Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
-[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+[Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@ -1,64 +0,0 @@
 ---
 title: Access the Microsoft Defender Security Center MSSP customer portal
 description: Access the Microsoft Defender Security Center MSSP customer portal
 keywords: managed security service provider, mssp, configure, integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Access the Microsoft Defender Security Center MSSP customer portal
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
 >[!NOTE] 
 >These set of steps are directed towards the MSSP. 
 By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
 MSSPs however, will need to use a tenant-specific URL in the following format:  `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. 
 In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
 Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
 1. As an MSSP, login to Azure AD with your credentials. 
 2. Switch directory to the MSSP customer's tenant.
 3.  Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field. 
 4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
 ## Related topics
 - [Grant MSSP access to the portal](grant-mssp-access.md)
 - [Configure alert notifications](configure-mssp-notifications.md)
 - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@ -1,104 +0,0 @@
 ---
 title: Add or Remove Machine Tags API
 description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender for Endpoint.
 keywords: apis, graph api, supported apis, tags, machine tags
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Add or Remove Machine Tags API
 **Applies to:**
 2154037
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 ## API description
 Adds or remove tag to a specific [Machine](machine.md).
 ## Limitations
 1. You can post on machines last seen according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
 Permission type |    Permission    |    Permission display name
 :---|:---|:---
 Application |    Machine.ReadWrite.All |    'Read and write all machine information'
 Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
 >[!Note]
 > When obtaining a token using user credentials:
 >
 >- The user needs to have at least the following role permission: 'Manage security setting'. For more  (See [Create and manage roles](user-roles.md) for more information)
 >- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
 ## HTTP request
 ```http
 POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags
 ```
 ## Request headers
 Name | Type | Description
 :---|:---|:---
 Authorization | String | Bearer {token}. **Required**.
 Content-Type | string | application/json. **Required**.
 ## Request body
 In the request body, supply a JSON object with the following parameters:
 Parameter |    Type    | Description
 :---|:---|:---
 Value |    String |    The tag name. **Required**.
 Action    | Enum |    Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
 ## Response
 If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
 ## Example
 **Request**
 Here is an example of a request that adds machine tag.
 ```http
 POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
 ```
 ```json
 {
  "Value" : "test Tag 2",
  "Action": "Add"
 }
 ```
 - To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@ -1,209 +0,0 @@
 ---
 title: Configure advanced features in Microsoft Defender for Endpoint
 description: Turn on advanced features such as block file in Microsoft Defender for Endpoint.
 keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure advanced features in Defender for Endpoint
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
 Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
 ## Enable advanced features
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
 3. Click **Save preferences**.
 Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.
 ## Automated investigation
 Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
 ## Live response
 Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
 For more information about role assignments, see [Create and manage roles](user-roles.md).
 ## Live response for servers
 Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
 For more information about role assignments, see [Create and manage roles](user-roles.md).
 ## Live response unsigned script execution
 Enabling this feature allows you to run unsigned scripts in a live response session.
 ## Autoresolve remediated alerts
 For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
 > [!TIP]
 > For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
 > [!NOTE]
 >
 > - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
 > - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
 ## Allow or block file
 Blocking is only available if your organization fulfills these requirements:
 - Uses Microsoft Defender Antivirus as the active antimalware solution and,
 - The cloud-based protection feature is enabled
 This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization.
 To turn **Allow or block** files on:
 1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
 1. Toggle the setting between **On** and **Off**.
    ![Image of advanced settings for block file feature](images/atp-preferences-setup.png)
 1. Select **Save preferences** at the bottom of the page.
 After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
 ## Custom network indicators
 Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
 To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
 For more information, see [Manage indicators](manage-indicators.md).
 > [!NOTE]
 > Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data.
 ## Show user details
 Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information  when investigating user account entities. You can find user account information in the following views:
 - Security operations dashboard
 - Alert queue
 - Device details page
 For more information, see [Investigate a user account](investigate-user.md).
 ## Skype for Business integration
 Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
 > [!NOTE]
 > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
 ## Azure Advanced Threat Protection integration
 The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
 > [!NOTE]
 > You'll need to have the appropriate license to enable this feature.
 ## Office 365 Threat Intelligence connection
 This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
 When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
 > [!NOTE]
 > You'll need to have the appropriate license to enable this feature.
 To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti).
 ## Microsoft Threat Experts
 Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it.
 > [!NOTE]
 > The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
 ## Microsoft Cloud App Security
 Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
 > [!NOTE]
 > This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions.
 ## Azure Information Protection
 Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
 ## Microsoft Secure Score
 Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
 ### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal
 To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.
 1. Log in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
 2. Click **Create your instance**.
 3. Toggle the Integration setting to **On** and click **Save**.
 After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
 ## Microsoft Intune connection
 Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
 > [!IMPORTANT]
 > You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
 This feature is only available if you have the following:
 - A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
 - An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
 ### Conditional Access policy
 When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
 > [!NOTE]
 > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
 ## Preview features
 Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
 You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
 ## Share endpoint alerts with Microsoft Compliance Center
 Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
 After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
 ## Related topics
 - [Update data retention settings](data-retention-settings.md)
 - [Configure alert notifications](configure-email-notifications.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
@ -1,84 +0,0 @@
 ---
 title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender for Endpoint
 description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 09/20/2020
 ms.technology: mde
 ---
 # AssignedIPAddresses()
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
 This function returns a table with the following columns:
 Column | Data type | Description
 -|-|-
 `Timestamp` | datetime | Latest time when the device was observed using the IP address
 `IPAddress` | string | IP address used by the device
 `IPType` | string | Indicates whether the IP address is a public or private address
 `NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
 `ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
 ## Syntax
 ```kusto
 AssignedIPAddresses(x, y)
 ```
 ## Arguments
 - **x**—`DeviceId` or `DeviceName` value identifying the device
 - **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
 ## Examples
 ### Get the list of IP addresses used by a device 24 hours ago
 ```kusto
 AssignedIPAddresses('example-device-name', ago(1d))
 ```
 ### Get IP addresses used by a device and find devices communicating with it
 This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices. 
 ```kusto
 let Date = datetime(example-date);
 let DeviceName = "example-device-name";
 // List IP addresses used on or before the specified date
 AssignedIPAddresses(DeviceName, Date)
 | project DeviceName, IPAddress, AssignedTime = Timestamp 
 // Get all network events on devices with the assigned IP addresses as the destination addresses
 | join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
 // Get only network events around the time the IP address was assigned
 | where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
 ```
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -1,103 +0,0 @@
 ---
 title: Query best practices for advanced hunting
 description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: m365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Advanced hunting query best practices
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
 ## Optimize query performance
 Apply these recommendations to get results faster and avoid timeouts while running complex queries.
 - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
 - Use time filters first. Ideally, limit your queries to seven days.
 - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
 - Use the `has` operator over `contains` when looking for full tokens.
 - Look in a specific column rather than running full text searches across all columns.
 - When joining tables, specify the table with fewer rows first.
 - `project` only the necessary columns from tables you've joined.
 >[!TIP]
 >For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
 ## Query tips and pitfalls
 ### Queries with process IDs
 Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
 The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
 ```kusto
 DeviceNetworkEvents
 | where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
 | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
 | where RemoteIPCount > 10
 ```
 The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
 ### Queries with command lines
 Command lines can vary. When applicable, filter on file names and do fuzzy matching.
 There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
 To create more durable queries using command lines, apply the following practices:
 - Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
 - When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
 - Use case insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in` and `contains_cs`
 - To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
 The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
 ```kusto
 // Non-durable query - do not use
 DeviceProcessEvents
 | where ProcessCommandLine == "net stop MpsSvc"
 | limit 10
 // Better query - filters on filename, does case-insensitive matches
 DeviceProcessEvents
 | where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" 
 // Best query also ignores quotes
 DeviceProcessEvents
 | where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
 | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" 
 ```
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@ -1,57 +0,0 @@
 ---
 title: DeviceAlertEvents table in the advanced hunting schema
 description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 01/22/2020
 ms.technology: mde
 ---
 # DeviceAlertEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `AlertId` | string | Unique identifier for the alert |
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
 | `Category` | string | Type of threat indicator or breach activity identified by the alert |
 | `Title` | string | Title of the alert |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `RemoteIP` | string | IP address that was being connected to |
 | `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `Table` | string | Table that contains the details of the event |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@ -1,88 +0,0 @@
 ---
 title: DeviceEvents table in the advanced hunting schema
 description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` |string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
 | `ProcessId` | int | Process ID (PID) of the newly created process |
 | `ProcessCommandLine` | string | Command line used to create the new process |
 | `ProcessCreationTime` | datetime | Date and time the process was created |
 | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
 | `RegistryKey` | string | Registry key that the recorded action was applied to |
 | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
 | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `LocalIP` | string | IP address assigned to the local device used during communication |
 | `LocalPort` | int | TCP port on the local device used during communication |
 | `FileOriginUrl` | string | URL where the file was downloaded from |
 | `FileOriginIP` | string | IP address where the file was downloaded from |
 | `AdditionalFields` | string | Additional information about the event in JSON array format |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
@ -1,62 +0,0 @@
 ---
 title: DeviceFileCertificateInfo table in the advanced hunting schema
 description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 01/14/2020
 ms.technology: mde
 ---
 # DeviceFileCertificateInfo
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `IsSigned` | boolean | Indicates whether the file is signed |
 | `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
 | `Signer` | string | Information about the signer of the file |
 | `SignerHash` | string | Unique hash value identifying the signer |
 | `Issuer` | string | Information about the issuing certificate authority (CA) |
 | `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
 | `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
 | `CrlDistributionPointUrls` | string |  JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
 | `CertificateCreationTime` | datetime | Date and time the certificate was created |
 | `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
 | `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
 | `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
 | `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@ -1,81 +0,0 @@
 ---
 title: DeviceFileEvents table in the advanced hunting schema
 description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceFileEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see  [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `FileOriginUrl` | string | URL where the file was downloaded from |
 | `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
 | `FileOriginIP` | string | IP address where the file was downloaded from |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
 | `ShareName` | string | Name of shared folder containing the file |
 | `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
 | `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
 | `RequestAccountName` | string | User name of account used to remotely initiate the activity |
 | `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
 | `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
 | `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
 | `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@ -1,66 +0,0 @@
 ---
 title: DeviceImageLoadEvents table in the advanced hunting schema
 description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceImageLoadEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@ -1,55 +0,0 @@
 ---
 title: DeviceInfo table in the advanced hunting schema
 description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceInfo
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ClientVersion` | string | Version of the endpoint agent or sensor running on the device |
 | `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy |
 | `OSArchitecture` | string | Architecture of the operating system running on the device |
 | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
 | `OSBuild` | string | Build version of the operating system running on the device |
 | `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory |
 | `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format |
 | `RegistryDeviceTag` | string | Device tag added through the registry |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | `OSVersion` | string | Version of the operating system running on the device |
 | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@ -1,78 +0,0 @@
 ---
 title: DeviceLogonEvents table in the advanced hunting schema
 description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceLogonEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
 > [!NOTE]
 > Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
 > We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string	| Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string |Type of activity that triggered the event |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` | string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
 | `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `AdditionalFields` | string | Additional information about the event in JSON array format |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@ -1,70 +0,0 @@
 ---
 title: DeviceNetworkEvents table in the advanced hunting schema
 description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceNetworkEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `LocalIP` | string | IP address assigned to the local device used during communication |
 | `LocalPort` | int | TCP port on the local device used during communication |
 | `Protocol` | string | IP protocol used, whether TCP or UDP |
 | `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@ -1,55 +0,0 @@
 ---
 title: DeviceNetworkInfo table in the advanced hunting schema
 description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceNetworkInfo
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `NetworkAdapterName` | string | Name of the network adapter |
 | `MacAddress` | string | MAC address of the network adapter |
 | `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2&preserve-view=true) |
 | `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2&preserve-view=true) |
 | `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
 | `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
 | `DnsAddresses` | string | DNS server addresses in JSON array format |
 | `IPv4Dhcp` | string | IPv4 address of DHCP server |
 | `IPv6Dhcp` | string | IPv6 address of DHCP server |
 | `DefaultGateways` | string | Default gateway addresses in JSON array format |
 | `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@ -1,78 +0,0 @@
 ---
 title: DeviceProcessEvents table in the advanced hunting schema
 description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceProcessEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `ProcessId` | int | Process ID (PID) of the newly created process |
 | `ProcessCommandLine` | string | Command line used to create the new process |
 | `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
 | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | `ProcessCreationTime` | datetime | Date and time the process was created |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` | string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@ -1,67 +0,0 @@
 ---
 title: DeviceRegistryEvents table in the advanced hunting schema
 description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceRegistryEvents
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `ActionType` | string | Type of activity that triggered the event |
 | `RegistryKey` | string | Registry key that the recorded action was applied to |
 | `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
 | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
 | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
 | `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
 | `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@ -1,56 +0,0 @@
 ---
 title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
 description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
 author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceTvmSecureConfigurationAssessment 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
 | `Timestamp` | datetime |Date and time when the record was generated |
 | `ConfigurationId` | string | Unique identifier for a specific configuration |
 | `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
 | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
 | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
 | `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
 | `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device |
 | `Context`	| string | Additional contextual information about the configuration or policy |
 | `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
@ -1,54 +0,0 @@
 ---
 title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
 description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
 author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceTvmSecureConfigurationAssessmentKB
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `ConfigurationId` | string | Unique identifier for a specific configuration |
 | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
 | `ConfigurationName` | string | Display name of the configuration |
 | `ConfigurationDescription` | string | Description of the configuration |
 | `RiskDescription` | string | Description of the associated risk |
 | `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
 | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
 | `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
 | `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
 | `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md
@ -1,60 +0,0 @@
 ---
 title: DeviceTvmSoftwareInventory table in the advanced hunting schema
 description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: maccruz
 author: schmurky
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceTvmSoftwareInventory
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 The `DeviceTvmSoftwareInventory` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software currently installed on devices in your network, including end of support information. You can, for instance, hunt for events involving devices that are installed with a currently vulnerable software version. Use this reference to construct queries that return information from the table.
 >[!NOTE]
 >The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
 | `OSVersion` | string | Version of the operating system running on the device |
 | `OSArchitecture` | string | Architecture of the operating system running on the device |
 | `SoftwareVendor` | string | Name of the software vendor |
 | `SoftwareName` | string | Name of the software product |
 | `SoftwareVersion` | string | Version number of the software product |
 | `EndOfSupportStatus` | string | Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date |
 | `EndOfSupportDate` | string | End-of-support (EOS) or end-of-life (EOL) date of the software product |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
@ -1,61 +0,0 @@
 ---
 title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema
 description: Learn about software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: maccruz
 author: schmurky
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceTvmSoftwareVulnerabilities
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 The `DeviceTvmSoftwareVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
 >[!NOTE]
 >The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `DeviceId` | string | Unique identifier for the device in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
 | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
 | `OSVersion` | string | Version of the operating system running on the device |
 | `OSArchitecture` | string | Architecture of the operating system running on the device |
 | `SoftwareVendor` | string | Name of the software vendor |
 | `SoftwareName` | string | Name of the software product |
 | `SoftwareVersion` | string | Version number of the software product |
 | `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
 | `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
 | `RecommendedSecurityUpdate` | string | Name or description of the security update provided by the software vendor to address the vulnerability |
 | `RecommendedSecurityUpdateId` | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
@ -1,52 +0,0 @@
 ---
 title: DeviceTvmSoftwareVulnerabilitiesKB  table in the advanced hunting schema
 description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
 author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # DeviceTvmSoftwareVulnerabilitiesKB 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
 | `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
 | `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
 | `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
 | `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
 | `PublishedDate` | datetime | Date vulnerability was disclosed to public |
 | `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
 | `AffectedSoftware` | string | List of all software products affected by the vulnerability |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
@ -1,46 +0,0 @@
 ---
 title: Handle errors in advanced hunting for Microsoft Defender ATP
 description: Understand errors displayed when using advanced hunting
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Handle advanced hunting errors
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. 
 | Error type | Cause | Resolution | Error message examples |
 |--|--|--|--|
 | Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
 | Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. |  `'project' operator: Failed to resolve scalar expression named 'x'`|
 | Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
 | CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`<br>- `You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.` |
 | Result size limit exceeded  | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
 | Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`<br>-`Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.` |
 | Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.`
 ## Related topics
 - [Advanced hunting best practices](advanced-hunting-best-practices.md)
 - [Service limits](advanced-hunting-limits.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
@ -1,48 +0,0 @@
 ---
 title: Extend advanced hunting coverage with the right settings
 description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
 keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 10/10/2020
 ms.technology: mde
 ---
 # Extend advanced hunting coverage with the right settings
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 [Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
 ## Advanced security auditing on Windows devices
 Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
 Data | Description | Schema table | How to configure
 -|-|-|-
 Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
 Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
 Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
@ -1,85 +0,0 @@
 ---
 title: FileProfile() function in advanced hunting for Microsoft Defender for Endpoint
 description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 09/20/2020
 ms.technology: mde
 ---
 # FileProfile()
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
 Column | Data type | Description
 -|-|-
 SHA1 | string | SHA-1 of the file that the recorded action was applied to
 SHA256 | string | SHA-256 of the file that the recorded action was applied to
 MD5 | string | MD5 hash of the file that the recorded action was applied to
 FileSize | int | Size of the file in bytes
 GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
 GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
 GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
 Signer | string | Information about the signer of the file
 Issuer | string | Information about the issuing certificate authority (CA)
 SignerHash | string | Unique hash value identifying the signer
 IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
 IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
 IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
 ThreatName | string | Detection name for any malware or other threats found
 Publisher | string | Name of the organization that published the file
 SoftwareName | string | Name of the software product
 ## Syntax
 ```kusto
 invoke FileProfile(x,y)
 ```
 ## Arguments
 - **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
 - **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
 ## Examples
 ### Project only the SHA1 column and enrich it
 ```kusto
 DeviceFileEvents
 | where isnotempty(SHA1) and Timestamp > ago(1d)
 | take 10
 | project SHA1
 | invoke FileProfile()
 ```
 ### Enrich the first 500 records and list low-prevalence files
 ```kusto
 DeviceFileEvents
 | where ActionType == "FileCreated" and Timestamp > ago(1d)
 | project CreatedOn = Timestamp, FileName, FolderPath, SHA1
 | invoke FileProfile("SHA1", 500) 
 | where GlobalPrevalence < 15
 ```
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
@ -1,112 +0,0 @@
 ---
 title: Get relevant info about an entity with go hunt
 description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting.
 keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 f1.keywords: 
  - NOCSH
 ms.author: v-maave
 author: martyav
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Quickly hunt for entity or event information with go hunt
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
 The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
 - In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
    ![Image showing device details with the go hunt option](./images/go-hunt-device.png)
 - In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
    ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png)
 - When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
    ![Image showing event details with the go hunt option](./images/go-hunt-event.png)
 Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
 ## Query for entity information
 When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
 Here is an example of the go hunt query for a device:
 ```kusto
 let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
 let deviceName = "fv-az770.example.com";
 let deviceId = "device-guid";
 search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
 Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
 and DeviceName == deviceName
 // or RemoteDeviceName == deviceName
 // or DeviceId == deviceId
 | take 100
 ```
 ### Supported entity types
 You can use *go hunt* after selecting any of these entity types:
 - Files
 - Users
 - Devices
 - IP addresses
 - URLs
 ## Query for event information
 When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
 ```kusto
 // List relevant events 30 minutes before and after selected RegistryValueSet event
 let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
 search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
    Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
    and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
 | sort by Timestamp desc
 | extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
 | project-reorder Relevance
 ```
 ## Adjust the query
 With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
 ```kusto
 Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
 ```
 In addition to modifying the query to get more relevant results, you can also:
 - [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
 - [Create a custom detection rule](custom-detection-rules.md)
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Custom detection rules](custom-detection-rules.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
@ -1,49 +0,0 @@
 ---
 title: Advanced hunting limits in Microsoft Defender ATP
 description: Understand various service limits that keep the advanced hunting service responsive
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Advanced hunting service limits
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits.
 | Limit | Size | Refresh cycle | Description |
 |--|--|--|--|
 | Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
 | Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |
 | Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
 | CPU resources | Based on tenant size | - On the hour and then every 15 minutes<br>- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
 >[!NOTE] 
 >A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
 Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
 ## Related topics
 - [Advanced hunting best practices](advanced-hunting-best-practices.md)
 - [Handle advanced hunting errors](advanced-hunting-errors.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Custom detections rules](custom-detection-rules.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@ -1,79 +0,0 @@
 ---
 title: Overview of advanced hunting in Microsoft Defender ATP
 description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Proactively hunt for threats with advanced hunting
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
 Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
 <br />
 <br />
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
 You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
 >[!TIP]
 >Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
 ## Get started with advanced hunting
 Go through the following steps to ramp up your advanced hunting knowledge.
 We recommend going through several steps to quickly get up and running with advanced hunting.
 | Learning goal | Description | Resource |
 |--|--|--|
 | **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
 | **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
 | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
 | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
 | **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
 | **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
 | **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
 | **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
 | **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
 ## Data freshness and update frequency
 Advanced hunting data can be categorized into two distinct types, each consolidated differently.
 - **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.
 - **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
 ## Time zone
 Time information in advanced hunting is currently in the UTC time zone.
 ## Related topics
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@ -1,182 +0,0 @@
 ---
 title: Learn the advanced hunting query language
 description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Learn the advanced hunting query language
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
 ## Try your first query
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 ```kusto
 // Finds PowerShell execution events that could involve a download
 union DeviceProcessEvents, DeviceNetworkEvents
 | where Timestamp > ago(7d)
 // Pivoting on PowerShell processes
 | where FileName in~ ("powershell.exe", "powershell_ise.exe")
 // Suspicious commands
 | where ProcessCommandLine has_any("WebClient",
    "DownloadFile",
    "DownloadData",
    "DownloadString",
    "WebRequest",
    "Shellcode",
    "http",
    "https")
 | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
 FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 **[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
 ### Describe the query and specify the tables to search
 A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
 ```kusto
 // Finds PowerShell execution events that could involve a download
 ```
 The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
 ```kusto
 union DeviceProcessEvents, DeviceNetworkEvents
 ```
 ### Set the time range
 The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
 ```kusto
 | where Timestamp > ago(7d)
 ```
 ### Check specific processes
 The time range is immediately followed by a search for process file names representing the PowerShell application.
 ```kusto
 // Pivoting on PowerShell processes
 | where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
 ### Search for specific command strings
 Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
 ```kusto
 // Suspicious commands
 | where ProcessCommandLine has_any("WebClient",
    "DownloadFile",
    "DownloadData",
    "DownloadString",
    "WebRequest",
    "Shellcode",
    "http",
    "https")
 ```
 ### Customize result columns and length 
 Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
 ```kusto
 | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
 FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results. 
 ![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
 >[!TIP]
 >You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
 ## Learn common query operators for advanced hunting
 You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
 | Operator | Description and usage |
 |--|--|
 | `where` | Filter a table to the subset of rows that satisfy a predicate. |
 | `summarize` | Produce a table that aggregates the content of the input table. |
 | `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
 | `count` | Return the number of records in the input record set. |
 | `top` | Return the first N records sorted by the specified columns. |
 | `limit` | Return up to the specified number of rows. |
 | `project` | Select the columns to include, rename or drop, and insert new computed columns. |
 | `extend` | Create calculated columns and append them to the result set. |
 | `makeset` |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
 | `find` | Find rows that match a predicate across a set of tables. |
 To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
 ## Understand data types
 Advanced hunting supports Kusto data types, including the following common types:
 | Data type | Description and query implications |
 |--|--|
 | `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
 | `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
 | `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
 | `int` | 32-bit integer  |
 | `long` | 64-bit integer |
 To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
 ## Get help as you write queries
 Take advantage of the following functionality to write queries faster:
 - **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
 - **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
 - **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
 ## Work with multiple queries in the editor
 You can use the query editor to experiment with multiple queries. To use multiple queries:
 - Separate each query with an empty line.
 - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
 ![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png)
 _Query editor with multiple queries_
 ## Use sample queries
 The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
 ![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png)
 > [!NOTE]
 > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
 ## Access comprehensive query language reference
 For detailed information about the query language, see [Kusto query language documentation](https://docs.microsoft.com/azure/kusto/query/).
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@ -1,149 +0,0 @@
 ---
 title: Work with advanced hunting query results in Microsoft Defender ATP
 description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Work with advanced hunting query results
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
 - View results as a table or chart
 - Export tables and charts
 - Drill down to detailed entity information
 - Tweak your queries directly from the results or apply filters
 ## View query results as a table or chart
 By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
 | View type | Description |
 | -- | -- |
 | **Table** | Displays the query results in tabular format |
 | **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
 | **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
 | **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
 | **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
 | **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
 | **Scatter chart** | Plots numeric values for a series of unique items |
 | **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
 ### Construct queries for effective charts
 When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
 #### Alerts by severity
 Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
 ```kusto
 DeviceAlertEvents
 | summarize Total = count() by Severity
 ```
 When rendering the results, a column chart displays each severity value as a separate column:
 ![Image of advanced hunting query results displayed as a column chart](images/advanced-hunting-column-chart.jpg)
 *Query results for alerts by severity displayed as a column chart*
 #### Alert severity by operating system
 You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS). 
 The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
 ```kusto
 DeviceAlertEvents
 | join DeviceInfo on DeviceId
 | summarize Count = count() by OSPlatform, Severity
 ```
 These results are best visualized using a stacked column chart:
 ![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
 *Query results for alerts by OS and severity displayed as a stacked chart*
 #### Top ten device groups with alerts
 If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below:
 ```kusto
 DeviceAlertEvents
 | join DeviceInfo on DeviceId
 | summarize Count = count() by MachineGroup
 | top 10 by Count
 ```
 Use the pie chart view to effectively show distribution across the top groups:
 ![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
 *Pie chart showing distribution of alerts across device groups*
 #### Malware detections over time
 Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
 ```kusto
 DeviceEvents
 | where ActionType == "AntivirusDetection"
 | where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
 | summarize Detections = count() by bin(Timestamp, 30m)
 ```
 The line chart below clearly highlights time periods with more detections of the test malware: 
 ![Image of advanced hunting query results displayed as a line chart](images/advanced-hunting-line-chart.jpg)
 *Line chart showing the number of detections of a test malware over time*
 ## Export tables and charts
 After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
 - **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
 - **Any chart** — the query results are exported as a JPEG image of the rendered chart
 ## Drill down from query results
 To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
 To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
 - **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
 - **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
 - **All details** — Lists all the values from the columns in the record
 ## Tweak your queries from the results
 Right-click a value in the result set to quickly enhance your query. You can use the options to:
 - Explicitly look for the selected value (`==`)
 - Exclude the selected value from the query (`!=`)
 - Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
 ![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
 ## Filter the query results
 The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
 Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
 ![Image of advanced hunting filter](images/advanced-hunting-filter.png)
 Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@ -1,80 +0,0 @@
 ---
 title: Advanced hunting schema reference
 description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 01/14/2020
 ms.technology: mde
 ---
 # Understand the advanced hunting schema
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
 ## Get schema information in the security center
 While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
 - **Tables description**—type of data contained in the table and the source of that data.
 - **Columns**—all the columns in the table.
 - **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
 - **Sample query**—example queries that feature how the table can be utilized.
 ### Access the schema reference
 To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
 ![Image showing how to access in-portal schema reference](images/ah-reference.png)
 ## Learn the schema tables
 The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
 Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
 | Table name | Description |
 |------------|-------------|
 | **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
 | **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information |
 | **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains |
 | **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
 | **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
 | **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
 | **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
 | **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
 | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
 | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
 | **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
 | **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status |
 | **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
 | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
 | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
 | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@ -1,73 +0,0 @@
 ---
 title: Use shared queries in advanced hunting
 description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Use shared queries in advanced hunting
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 [Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
 ![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
 ## Save, modify, and share a query
 You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
 1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
 2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
 3. Enter a name for the query.
   ![Image of saving a query](images/advanced-hunting-save-query.png)
 4. Select the folder where you'd like to save the query.
    - **Shared queries** — shared to all users in your organization
    - **My queries** — accessible only to you
 5. Select **Save**.
 ## Delete or rename a query
 1. Right-click on a query you want to rename or delete.
    ![Image of delete query](images/atp_advanced_hunting_delete_rename.png)
 2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
 ## Create a direct link to a query
 To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
 ## Access queries in the GitHub repository  
 Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
 >[!TIP]
 >Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
@ -1,85 +0,0 @@
 ---
 title: Take action on advanced hunting query results in Microsoft Threat Protection
 description: Quickly address threats and affected assets in your advanced hunting query results
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 09/20/2020
 ms.technology: mde
 ---
 # Take action on advanced hunting query results
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
 - Take various actions on devices
 - Quarantine files
 ## Required permissions
 To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
 *Active remediation actions > Threat and vulnerability management - Remediation handling*
 ## Take various actions on devices
 You can take the following actions on devices identified by the `DeviceId` column in your query results:
 - Isolate affected devices to contain an infection or prevent attacks from moving laterally
 - Collect investigation package to obtain more forensic information
 - Run an antivirus scan to find and remove threats using the latest security intelligence updates
 - Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
 - Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
 To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md).
 ## Quarantine files
 You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
 - `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
 - `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. 
 - `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
 - `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
 To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
 >[!NOTE]
 >To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.  
 ## Take action
 To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
 ![Image of selected record with panel for inspecting the record](images/ah-take-actions.png)
 ## Review actions taken
 Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
@ -1,46 +0,0 @@
 ---
 title: Alerts queue in Microsoft Defender Security Center
 ms.reviewer: 
 description: View and manage the alerts surfaced in Microsoft Defender Security Center
 keywords: 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/03/2018
 ms.technology: mde
 ---
 # Alerts queue in Microsoft Defender Security Center
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
 ## In this section
 Topic | Description 
 :---|:---
 [View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network.
 [Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
 [Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
 [Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behavior, or event. 
 [Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behavior, or event. 
 [Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
 [Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain. 
 [Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.  
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@ -1,164 +0,0 @@
 ---
 title: View and organize the Microsoft Defender ATP Alerts queue
 description: Learn about how the Microsoft Defender ATP alerts queues work, and how to sort and filter lists of alerts.
 keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 03/27/2020
 ms.technology: mde
 ---
 # View and organize the Microsoft Defender for Endpoint Alerts queue
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) 
 The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
 >[!NOTE]
 >The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
 There are several options you can choose from to customize the alerts queue view. 
 On the top navigation you can:
 - Select grouped view or list view
 - Customize columns to add or remove columns 
 - Select the items to show per page
 - Navigate between pages
 - Apply filters
 ![Image of alerts queue](images/alerts-queue-list.png)
 ## Sort, filter, and group the alerts queue
 You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
 ### Severity
 Alert severity | Description
 :---|:---
 High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of  the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
 Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
 Low </br>(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
 Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
 #### Understanding alert severity
 Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes.
 The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.
 The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
 So, for example:
 - The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
 - An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as  "Low" because it may have caused some damage to the individual device but poses no organizational threat.
 - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
 - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
 #### Understanding alert categories
 We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
 The table below lists the current categories and how they generally map to previous categories. 
 | New   category       | API category name   | Detected threat activity or   component                                                                                                 |
 |----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
 | Collection           | Collection          | Locating   and collecting data for exfiltration                                                                                         |
 | Command and control  | CommandAndControl   | Connecting   to attacker-controlled network infrastructure to relay data or receive   commands                                          |
 | Credential access    | CredentialAccess    | Obtaining   valid credentials to extend control over devices and other resources in the   network                                       |
 | Defense evasion      | DefenseEvasion      | Avoiding security controls by, for example, turning off   security apps, deleting implants, and running rootkits                        |
 | Discovery            | Discovery           | Gathering   information about important devices and resources, such as administrator   computers, domain controllers, and file servers  |
 | Execution            | Execution           | Launching   attacker tools and malicious code, including RATs and backdoors                                                             |
 | Exfiltration         | Exfiltration        | Extracting   data from the network to an external, attacker-controlled location                                                         |
 | Exploit              | Exploit             | Exploit   code and possible exploitation activity                                                                                       |
 | Initial access       | InitialAccess       | Gaining   initial entry to the target network, usually involving password-guessing,   exploits, or phishing emails                      |
 | Lateral movement     | LateralMovement     | Moving   between devices in the target network to reach critical resources or gain   network persistence                                |
 | Malware              | Malware             | Backdoors,   trojans, and other types of malicious code                                                                                 |
 | Persistence          | Persistence         | Creating   autostart extensibility points (ASEPs) to remain active and survive system   restarts                                        |
 | Privilege escalation | PrivilegeEscalation | Obtaining   higher permission levels for code by running it in the context of a   privileged process or account                         |
 | Ransomware           | Ransomware          | Malware   that encrypts files and extorts payment to restore access                                                                     |
 | Suspicious activity  | SuspiciousActivity  | Atypical   activity that could be malware activity or part of an attack                                                                 |
 | Unwanted software    | UnwantedSoftware    | Low-reputation   apps and apps that impact productivity and the user experience; detected as   potentially unwanted applications (PUAs) |
 ### Status
 You can choose to limit the list of alerts based on their status.
 ### Investigation state
 Corresponds to the automated investigation state.
 ### Category
 You can choose to filter the queue to display specific types of malicious activity.
 ### Assigned to
 You can choose between showing alerts that are assigned to you or automation.
 ### Detection source
 Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
 >[!NOTE]
 >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
 | Detection source                  | API value                  |
 |-----------------------------------|----------------------------|
 | 3rd party sensors                 | ThirdPartySensors          |
 | Antivirus                         | WindowsDefenderAv          |
 | Automated investigation           | AutomatedInvestigation     |
 | Custom detection                  | CustomDetection            |
 | Custom TI                         | CustomerTI                 |
 | EDR                               | WindowsDefenderAtp         |
 | Microsoft 365 Defender            | MTP                        |
 | Microsoft Defender for Office 365 | OfficeATP                  |
 | Microsoft Threat Experts          | ThreatExperts              |
 | SmartScreen                       | WindowsDefenderSmartScreen |
 ### OS platform
 Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
 ### Device group
 If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view. 
 ### Associated threat
 Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
 ## Related topics
 - [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
 - [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
 - [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
 - [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
 - [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
 - [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
 - [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@ -1,214 +0,0 @@
 ---
 title: Get alerts API
 description: Learn about the methods and properties of the Alert resource type in Microsoft Defender for Endpoint.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Alert resource type
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 ## Methods
 Method |Return Type |Description
 :---|:---|:---
 [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
 [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
 [Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md).
 [Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md).
 [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
 [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
 [List related files](get-alert-related-files-info.md) | [File](files.md) collection |  List the [file](files.md) entities that are associated with the [alert](alerts.md).
 [List related IPs](get-alert-related-ip-info.md) | IP collection | List IPs that are associated with the alert.
 [Get related machines](get-alert-related-machine-info.md) | [Machine](machine.md) | The [machine](machine.md) that is associated with the [alert](alerts.md).
 [Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md).
 ## Properties
 Property |    Type    |    Description
 :---|:---|:---
 id | String | Alert ID.
 title | String | Alert title.
 description | String | Alert description.
 alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
 lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
 firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
 lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
 resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
 investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
 investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
 assignedTo | String | Owner of the alert.
 severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
 status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
 classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
 determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
 category| String | Category of the alert.
 detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
 threatName | String | Threat name.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
 computerDnsName | String | [machine](machine.md) fully qualified name.
 aadTenantId | String | The Azure Active Directory ID.
 detectorId | String | The ID of the detector that triggered the alert.
 comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
 Evidence | List of Alert evidence | Evidence related to the alert. See example below.
 ### Response example for getting single alert:
 ```http
 GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
 ```
 ```json
 {
 	"id": "da637472900382838869_1364969609",
 	"incidentId": 1126093,
 	"investigationId": null,
 	"assignedTo": null,
 	"severity": "Low",
 	"status": "New",
 	"classification": null,
 	"determination": null,
 	"investigationState": "Queued",
 	"detectionSource": "WindowsDefenderAtp",
 	"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
 	"category": "Execution",
 	"threatFamilyName": null,
 	"title": "Low-reputation arbitrary code executed by signed executable",
 	"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
 	"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
 	"firstEventTime": "2021-01-26T20:31:32.9562661Z",
 	"lastEventTime": "2021-01-26T20:31:33.0577322Z",
 	"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 	"resolvedTime": null,
 	"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
 	"computerDnsName": "temp123.middleeast.corp.microsoft.com",
 	"rbacGroupName": "A",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 	"threatName": null,
 	"mitreTechniques": [
 		"T1064",
 		"T1085",
 		"T1220"
 	],
 	"relatedUser": {
        "userName": "temp123",
        "domainName": "MIDDLEEAST"
    },
 	"comments": [
 		{
 			"comment": "test comment for docs",
 			"createdBy": "secop123@contoso.com",
 			"createdTime": "2021-01-26T01:00:37.8404534Z"
 		}
 	],
 	"evidence": [
 		{
 			"entityType": "User",
 			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 			"sha1": null,
 			"sha256": null,
 			"fileName": null,
 			"filePath": null,
 			"processId": null,
 			"processCommandLine": null,
 			"processCreationTime": null,
 			"parentProcessId": null,
 			"parentProcessCreationTime": null,
 			"parentProcessFileName": null,
 			"parentProcessFilePath": null,
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": "eranb",
 			"domainName": "MIDDLEEAST",
 			"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
 			"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
 			"userPrincipalName": "temp123@microsoft.com",
 			"detectionStatus": null
 		},
 		{
 			"entityType": "Process",
 			"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
 			"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
 			"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
 			"fileName": "rundll32.exe",
 			"filePath": "C:\\Windows\\SysWOW64",
 			"processId": 3276,
 			"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
 			"processCreationTime": "2021-01-26T20:31:32.9581596Z",
 			"parentProcessId": 8420,
 			"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
 			"parentProcessFileName": "rundll32.exe",
 			"parentProcessFilePath": "C:\\Windows\\System32",
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": null,
 			"domainName": null,
 			"userSid": null,
 			"aadUserId": null,
 			"userPrincipalName": null,
 			"detectionStatus": "Detected"
 		},
 		{
 			"entityType": "File",
 			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 			"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
 			"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
 			"fileName": "suspicious.dll",
 			"filePath": "c:\\temp",
 			"processId": null,
 			"processCommandLine": null,
 			"processCreationTime": null,
 			"parentProcessId": null,
 			"parentProcessCreationTime": null,
 			"parentProcessFileName": null,
 			"parentProcessFilePath": null,
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": null,
 			"domainName": null,
 			"userSid": null,
 			"aadUserId": null,
 			"userPrincipalName": null,
 			"detectionStatus": "Detected"
 		}
 	]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@ -1,62 +0,0 @@
 ---
 title: Configure Microsoft Defender ATP for Android features
 ms.reviewer: 
 description: Describes how to configure Microsoft Defender ATP for Android
 keywords: microsoft, defender, atp, android, configuration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Configure Defender for Endpoint for Android features
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platform**
 - Android
 ## Conditional Access with Defender for Endpoint for Android  
 Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active
 Directory enables enforcing Device compliance and Conditional Access policies
 based on device risk levels. Defender for Endpoint is a Mobile Threat Defense
 (MTD) solution that you can deploy to leverage this capability via Intune.
 For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and
 Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
 ## Configure custom indicators  
 >[!NOTE]
 > Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains.
 Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
 ## Configure web protection
 Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
 >[!NOTE]
 > Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. 
 For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
 ## Related topics
 - [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
 - [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@ -1,318 +0,0 @@
 ---
 title: Deploy Microsoft Defender ATP for Android with Microsoft Intune
 ms.reviewer: 
 description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune
 keywords: microsoft, defender, atp, android, installation, deploy, uninstallation,
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platform**
 - Android
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 Learn how to deploy Defender for Endpoint for Android on Intune
 Company Portal enrolled devices. For more information about Intune device enrollment, see  [Enroll your
 device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
 > [!NOTE]
 > **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
 > You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes.
  Updates to the app are automatic via Google Play.
 ## Deploy on Device Administrator enrolled devices
 **Deploy Defender for Endpoint for Android on Intune Company Portal - Device
 Administrator enrolled devices**
 Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. 
 ### Add as Android store app
 1. In [Microsoft Endpoint Manager admin
 center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
 **Android Apps** \> **Add \> Android store app** and choose **Select**.
   ![Image of Microsoft Endpoint Manager Admin Center add android store application](images/mda-addandroidstoreapp.png)
 2. On the **Add app** page and in the *App Information* section enter: 
   - **Name** 
   - **Description**
   - **Publisher** as Microsoft.
   - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) 
   Other fields are optional. Select **Next**.
   ![Image of Microsoft Endpoint Manager Admin Center add app info](images/mda-addappinfo.png)
 3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
    >[!NOTE]
    >The selected user group should consist of Intune enrolled users.
    > [!div class="mx-imgBorder"]
    > ![Image of the Microsoft Endpoint Manager Admin Center selected user groups](images/363bf30f7d69a94db578e8af0ddd044b.png)
 4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
    In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
    ![Image of Microsoft Endpoint Manager Admin Center notification of defender endpoint app](images/86cbe56f88bb6e93e9c63303397fc24f.png)
 5. In the app information page that is displayed, in the **Monitor** section,
 select **Device install status** to verify that the device installation has
 completed successfully.
    > [!div class="mx-imgBorder"]
    > ![Image of Microsoft Endpoint Manager Admin Center device install](images/513cf5d59eaaef5d2b5bc122715b5844.png)
 ### Complete onboarding and check status
 1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon.
    ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
 2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
 to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android.
 3. Upon successful onboarding, the device will start showing up on the Devices
 list in Microsoft Defender Security Center.
    ![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
 ## Deploy on Android Enterprise enrolled devices
 Defender for Endpoint for Android supports Android Enterprise enrolled devices.
 For more information on the enrollment options supported by Intune, see 
 [Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
 **Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
 ## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app
 Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play.
 1. In [Microsoft Endpoint Manager admin
 center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
 **Android Apps** \> **Add** and select **Managed Google Play app**.
    > [!div class="mx-imgBorder"]
    > ![Image of Microsoft Endpoint Manager admin center managed google play](images/579ff59f31f599414cedf63051628b2e.png)
 2. On your managed Google Play page that loads subsequently, go to the search
 box and lookup **Microsoft Defender.** Your search should display the Microsoft
 Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
    ![Image of Microsoft Endpoint Manager admin center Apps search](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
 3. In the App description page that comes up next, you should be able to see app
 details on Defender for Endpoint. Review the information on the page and then
 select **Approve**.
    > [!div class="mx-imgBorder"]
    > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
 4. You'll be presented with the permissions that Defender for Endpoint
 obtains for it to work. Review them and then select **Approve**.
    ![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
 5. You'll be presented with the Approval settings page. The page confirms
 your preference to handle new app permissions that Defender for Endpoint for
 Android might ask. Review the choices and select your preferred option. Select
 **Done**.
    By default, managed Google Play selects *Keep approved when app requests new
 permissions*
    > [!div class="mx-imgBorder"]
    > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png)
 6. After the permissions handling selection is made, select **Sync** to sync Microsoft 
 Defender for Endpoint to your apps list.
    > [!div class="mx-imgBorder"]
    > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png)
 7. The sync will complete in a few minutes.
    ![Image of Android app](images/9fc07ffc150171f169dc6e57fe6f1c74.png)
 8. Select the **Refresh** button in the Android apps screen and Microsoft
 Defender ATP should be visible in the apps list.
    > [!div class="mx-imgBorder"]
    > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png)
 9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
    1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
       ![Image of Microsoft Endpoint Manager admin center android managed devices](images/android-mem.png)
    1. In the **Create app configuration policy** page, enter the following details:
        - Name: Microsoft Defender ATP.
        - Choose **Android Enterprise** as platform.
        - Choose **Work Profile only** as Profile Type.
        - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
        > [!div class="mx-imgBorder"]
        > ![Image of create app configuration policy page](images/android-create-app.png)
    1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:
       - External storage (read)
       - External storage (write)
       Then select **OK**.
       > [!div class="mx-imgBorder"]
      > ![Image of android create app configuration policy](images/android-create-app-config.png)
    1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
       > [!div class="mx-imgBorder"]
       > ![Image of android auto grant create app configuration policy](images/android-auto-grant.png)
    1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**.  The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. 
       > [!div class="mx-imgBorder"]
       > ![Image of the create app configuration policy](images/android-select-group.png)
     1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
        The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
        > [!div class="mx-imgBorder"]
        > ![Image of android review create app config policy](images/android-review-create.png)
 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
 **Assignments** \> **Edit**.
    ![Image of list of apps](images/mda-properties.png)
 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
 the device via Company Portal app. This assignment can be done by navigating to
 the *Required* section \> **Add group,** selecting the user group and click
 **Select**.
    > [!div class="mx-imgBorder"]
    > ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png)
 12. In the **Edit Application** page, review all the information that was entered
 above. Then select **Review + Save** and then **Save** again to commence
 assignment.
 ### Auto Setup of Always-on VPN 
 Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
 1.	On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
 Select **Device restrictions** under one of the following, based on your device enrollment type 
 - **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
 - **Personally owned Work Profile**
 Select **Create**.
   > ![Image of devices configuration profile Create](images/1autosetupofvpn.png)
 2. **Configuration Settings** 
  Provide a **Name** and a **Description** to uniquely identify the configuration profile. 
   > ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png)
 3. Select **Connectivity** and configure VPN:
 - Enable **Always-on VPN** 
 Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. 
 - Select **Custom** in VPN client dropdown list
 Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. 
    > [!NOTE]
    > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN.
 - Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**  
 - **Lockdown mode** Not configured (Default) 
     ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png)
 4. **Assignment** 
 In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. 
     ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png)
 5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. 
 The device configuration profile is now assigned to the selected user group.    
    ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png)
 ## Complete onboarding and check status
 1. Confirm the installation status of Microsoft Defender for Endpoint for Android by
 clicking on the **Device Install Status**. Verify that the device is
 displayed here.
    > [!div class="mx-imgBorder"]
    > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
 2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**.  If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
    ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
 3. When the app is installed, open the app and accept the permissions
 and then your onboarding should be successful.
    ![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png)
 4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security
 Center](https://securitycenter.microsoft.com)
 by navigating to the **Devices** page.
    ![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
 ## Related topics
 - [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
 - [Configure Microsoft Defender for Endpoint for Android features](android-configure.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
@ -1,116 +0,0 @@
 ---
 title: Microsoft Defender ATP for Android - Privacy information
 description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android.
 keywords: microsoft, defender, atp, android, privacy, diagnostic
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 #  Microsoft Defender for Endpoint for Android - Privacy information
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platform**
 - Android
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 Defender for Endpoint for Android collects information from your configured
 Android devices and stores it in the same tenant where you have Defender for Endpoint.
 Information is collected to help keep Defender for Endpoint for Android secure,
 up-to-date, performing as expected and to support the service.
 ## Required Data 
 Required data consists of data that is necessary to make Defender for Endpoint
 for Android work as expected. This data is essential to the operation of the
 service and can include data related to the end user, organization, device, and
 apps. Here's a list of the types of data being collected:
 ### App information
 Information about Android application packages (APKs) on the device including
 - Install source
 - Storage location (file path) of the APK
 - Time of install, size of APK and permissions
 ### Web page / Network information
 - Full URL (on supported browsers), when clicked
 - Connection information
 - Protocol type (such as HTTP, HTTPS, etc.)
 ### Device and account information
 - Device information such as date & time, Android version, OEM model, CPU
        info, and Device identifier
 - Device identifier is one of the below:
    - Wi-Fi adapter MAC address
    - [Android
            ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID)
            (as generated by Android at the time of first boot of the device)
    - Randomly generated globally unique identifier (GUID)
 - Tenant, Device and User information
    -   Azure Active Directory (AD) Device ID and Azure User ID: Uniquely
            identifies the device, User respectively at Azure Active directory.
    -   Azure tenant ID - GUID that identifies your organization within
            Azure Active Directory
    -   Microsoft Defender ATP org ID - Unique identifier associated with
            the enterprise that the device belongs to. Allows Microsoft to
            identify whether issues are impacting a select set of enterprises
            and how many enterprises are impacted 
    -   User Principal Name – Email ID of the user
 ### Product and service usage data
 -   App package info, including name, version, and app upgrade status
 -   Actions performed in the app
 -   Threat detection information, such as threat name, category, etc.
 -   Crash report logs generated by Android
 ## Optional Data
 Optional data includes diagnostic data and feedback data. Optional diagnostic
 data is additional data that helps us make product improvements and provides
 enhanced information to help us detect, diagnose, and fix issues. Optional
 diagnostic data includes:
 -   App, CPU, and network usage
 -   State of the device from the app perspective, including scan status, scan
    timings, app permissions granted, and upgrade status
 -   Features configured by the admin
 -   Basic information about the browsers on the device
 **Feedback Data** is collected through in-app feedback provided by the user
 -   The user’s email address, if they choose to provide it
 -   Feedback type (smile, frown, idea) and any feedback comments submitted by
    the user
--- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
@ -1,106 +0,0 @@
 ---
 title: Troubleshoot issues on Microsoft Defender ATP for Android
 ms.reviewer: 
 description: Troubleshoot issues for Microsoft Defender ATP for Android
 keywords: microsoft, defender, atp, android, cloud, connectivity, communication
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Troubleshooting issues on Microsoft Defender for Endpoint for Android
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platform**
 - Android
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 When onboarding a device, you might see sign in issues after the app is installed. 
 During onboarding, you might encounter sign in issues after the app is installed on your device. 
 This article provides solutions to help address the sign-on issues.  
 ## Sign in failed - unexpected error
 **Sign in failed:** *Unexpected error, try later*
 ![Image of sign in failed error Unexpected error](images/f9c3bad127d636c1f150d79814f35d4c.png)
 **Message:**
 Unexpected error, try later
 **Cause:**
 You have an older version of "Microsoft Authenticator" app installed on your
 device.
 **Solution:**
 Install latest version and of [Microsoft
 Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator)
 from Google Play Store and try again
 ## Sign in failed - invalid license
 **Sign in failed:** *Invalid license, please contact administrator*
 ![Image of sign in failed  please contact administrator](images/920e433f440fa1d3d298e6a2a43d4811.png)
 **Message:** *Invalid license, please contact administrator*
 **Cause:**
 You do not have Microsoft 365 license assigned, or your organization does not have a license for Microsoft 365 Enterprise subscription.
 **Solution:**
 Contact your administrator for help.
 ## Phishing pages aren't blocked on some OEM devices
 **Applies to:** Specific OEMs only
 -   **Xiaomi**
 Phishing and harmful web threats that are detected by Defender for Endpoint
 for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices.
 ![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png)
 **Cause:**
 Xiaomi devices include a new permission model. This prevents Defender for Endpoint
 for Android from displaying pop-up windows while it runs in the background.
 Xiaomi devices permission: "Display pop-up windows while running in the
 background."
 ![Image of pop up setting](images/6e48e7b29daf50afddcc6c8c7d59fd64.png)
 **Solution:**
 Enable the required permission on Xiaomi devices.
 -   Display pop-up windows while running in the background.
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
@ -1,227 +0,0 @@
 ---
 title: Microsoft Defender ATP for Android Application license terms
 ms.reviewer: 
 description: Describes the Microsoft Defender ATP for Android license terms
 keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope,
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 hideEdit: true
 ms.technology: mde
 ---
 # Microsoft Defender for Endpoint for Android application license terms
 ## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
 These license terms ("Terms") are an agreement between Microsoft Corporation (or
 based on where you live, one of its affiliates) and you. Please read them. They
 apply to the application named above. These Terms also apply to any Microsoft
 -   updates,
 -   supplements,
 -   Internet-based services, and
 -   support services
 for this application, unless other terms accompany those items. If so, those
 terms apply.
 **BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
 DO NOT USE THE APPLICATION.**
 **If you comply with these Terms, you have the perpetual rights below.**
 1.  **INSTALLATION AND USE RIGHTS.**
    1.  **Installation and Use.** You may install and use any number of copies
        of this application on Android enabled device or devices that you own
        or control. You may use this application with your company's valid
        subscription of Microsoft Defender for Endpoint or
        an online service that includes Microsoft Defender for Endpoint functionalities.
    2.  **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full
        functionality. Some functionality may not be available in all countries.
    3.  **Third-Party Programs.** The application may include third-party
        programs that Microsoft, not the third party, licenses to you under this
        agreement. Notices, if any, for the third-party program are included for
        your information only.
 2.  **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
    Internet access, data transfer, and other services per the terms of the data
    service plan and any other agreement you have with your network operator due
    to use of the application. You are solely responsible for any network
    operator charges.
 3.  **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
    the application. It may change or cancel them at any time.
    1.  Consent for Internet-Based or Wireless Services. The application may
        connect to Internet-based wireless services. Your use of the application
        operates as your consent to the transmission of standard device
        information (including but not limited to technical information about
        your device, system and application software, and peripherals) for
        Internet-based or wireless services. If other terms are provided in
        connection with your use of the services, those terms also apply.
        -   Data. Some online services require, or may be enhanced by, the
            installation of local software like this one. At your, or your
            admin's direction, this software may send data from a device to or
            from an online service.
        -   Usage Data. Microsoft automatically collects usage and performance
            data over the internet. This data will be used to provide and
            improve Microsoft products and services and enhance your experience.
            You may limit or control collection of some usage and performance
            data through your device settings. Doing so may disrupt your use of
            certain features of the application. For more information about
            Microsoft data collection and use, see the [Online Services
            Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
    2.  Misuse of Internet-based Services. You may not use any Internet-based
        service in any way that could harm it or impair anyone else's use of it
        or the wireless network. You may not use the service to try to gain
        unauthorized access to any service, data, account, or network by any
        means.
 4.  **FEEDBACK.** If you give feedback about the application to Microsoft, you
    give to Microsoft, without charge, the right to use, share, and commercialize
    your feedback in any way and for any purpose. You also give to third
    parties, without charge, any patent rights needed for their products,
    technologies, and services to use or interface with any specific parts of a
    Microsoft software or service that includes the feedback. You will not give
    feedback that is subject to a license that requires Microsoft to license its
    software or documentation to third parties because we include your feedback
    in them. These rights survive this agreement.
 5.  **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
    only gives you some rights to use the application. Microsoft reserves all
    other rights. Unless applicable law gives you more rights despite this
    limitation, you may use the application only as expressly permitted in this
    agreement. In doing so, you must comply with any technical limitations in
    the application that only allow you to use it in certain ways. You may not
    -   work around any technical limitations in the application;
    -   reverse engineer, decompile or disassemble the application, except and
        only to the extent that applicable law expressly permits, despite this
        limitation;
    -   make more copies of the application than specified in this agreement or
        allowed by applicable law, despite this limitation;
    -   publish the application for others to copy;
    -   rent, lease, or lend the application; or
    -   transfer the application or this agreement to any third party.
 6.  **EXPORT RESTRICTIONS.** The application is subject to United States export
    laws and regulations. You must comply with all domestic and international
    export laws and regulations that apply to the application. These laws
    include restrictions on destinations, end users, and end use. For more
    information,
    see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
 7.  **SUPPORT SERVICES.** Because this application is "as is," we may not
    provide support services for it. If you have any issues or questions about
    your use of this application, including questions about your company's
    privacy policy, contact your company's admin. Do not contact the
    application store, your network operator, device manufacturer, or Microsoft.
    The application store provider has no obligation to furnish support or
    maintenance with respect to the application.
 8.  **APPLICATION STORE.**
    1.  If you obtain the application through an application store (for example, Google
        Play), review the applicable application store terms to ensure
        your download and use of the application complies with such terms.
        Note that these Terms are between you and Microsoft and not with
        the application store.
    2.  The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
        Terms, the application store provider(s) will have the right to directly
        enforce and rely upon any provision of these Terms that grants them a
        benefit or rights.
 9.  **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
    Microsoft 365 are registered or common-law trademarks of Microsoft
    Corporation in the United States and/or other countries.
 10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
    Internet-based services, and support services that you use are the entire
    agreement for the application and support services.
 11. **APPLICABLE LAW.**
    1.  **United States.** If you acquired the application in the United States,
        Washington state law governs the interpretation of this agreement and
        applies to claims for breach of it, regardless of conflict of laws
        principles. The laws of the state where you live govern all other
        claims, including claims under state consumer protection laws, unfair
        competition laws, and in tort.
    2.  **Outside the United States.** If you acquired the application in any
        other country, the laws of that country apply.
 12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
    have other rights under the laws of your country. You may also have rights
    with respect to the party from whom you acquired the application. This
    agreement does not change your rights under the laws of your country if the
    laws of your country do not permit it to do so.
 13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
    FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
    WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
    EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
    EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
    APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
    APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
    ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
    CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
    THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
    IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
    NON-INFRINGEMENT.**
    **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
 14.  **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
    PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
    ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
    DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
    INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
 This limitation applies to:
 -   anything related to the application, services, content (including code) on
    third-party internet sites, or third-party programs; and
 -   claims for breach of contract, warranty, guarantee, or condition; consumer
    protection; deception; unfair competition; strict liability, negligence,
    misrepresentation, omission, trespass, or other tort; violation of statute or
    regulation; or unjust enrichment; all to the extent permitted by applicable
    law.
 It also applies even if:
 a.  Repair, replacement, or refund for the application does not fully compensate
    you for any losses; or
 b.  Covered Parties knew or should have known about the possibility of the
    damages.
 The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
@ -1,68 +0,0 @@
 ---
 title: API Explorer in Microsoft Defender ATP
 ms.reviewer: 
 description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
 keywords: api, explorer, send, request, get, post,
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 # API Explorer
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively. 
 The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
 The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
 You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
 With the API Explorer, you can:
 - Run requests for any method and see responses in real-time
 - Quickly browse through the API samples and learn what parameters they support
 - Make API calls with ease; no need to authenticate beyond the management portal sign in
 ## Access API Explorer
 From the left navigation menu, select **Partners & APIs** > **API Explorer**.
 ## Supported APIs
 API Explorer supports all the APIs offered by Defender for Endpoint.
 The list of supported APIs is available in the [APIs documentation](apis-intro.md). 
 ## Get started with the API Explorer
 1. In the left pane, there is a list of sample requests that you can use. 
 2. Follow the links and click **Run query**. 
 Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
 ## FAQ
 **Do I need to have an API token to use the API Explorer?** <br>
 Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request.
 The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
 Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role. 
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@ -1,189 +0,0 @@
 ---
 title: Hello World for Microsoft Defender for Endpoint API
 ms.reviewer: 
 description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint (Microsoft Defender ATP) API.
 keywords: apis, supported apis, advanced hunting, query
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Microsoft Defender for Endpoint API - Hello World 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:** 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 ## Get Alerts using a simple PowerShell script
 ### How long it takes to go through this example?
 It only takes 5 minutes done in two steps:
 - Application registration
 - Use examples: only requires copy/paste of a short PowerShell script
 ### Do I need a permission to connect?
 For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant.
 ### Step 1 - Create an App in Azure Active Directory
 1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. 
   ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
 3. In the registration form, choose a name for your application and then click **Register**.
 4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:
   - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
   - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
   ![Image of API access and API selection1](images/add-permission.png)
   - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
   ![Image of API access and API selection2](images/application-permissions.png)
   **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
     For instance,
     - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
     - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
     - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
 5. Click **Grant consent**
 	- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
 	![Image of Grant permissions](images/grant-consent.png)
 6. Add a secret to the application.
 	- Click **Certificates & secrets**, add description to the secret and click **Add**.
    **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
    ![Image of create app key](images/webapp-create-key2.png)
 7. Write down your application ID and your tenant ID:
   - On your application page, go to **Overview** and copy the following:
   ![Image of created app id](images/app-and-tenant-ids.png)
 Done! You have successfully registered an application!
 ### Step 2 - Get a token using the App and use this token to access the API.
 -   Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**"
 -   Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**".
 ```
 # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
 # Paste below your Tenant ID, App ID and App Secret (App key).
 $tenantId = '' ### Paste your tenant ID here
 $appId = '' ### Paste your Application ID here
 $appSecret = '' ### Paste your Application secret here
 $resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
 $oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
 $authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
 }
 $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
 $token = $authResponse.access_token
 Out-File -FilePath "./Latest-token.txt" -InputObject $token
 return $token
 ```
 -   Sanity Check:<br>
 Run the script.<br>
 In your browser go to: https://jwt.ms/ <br>
 Copy the token (the content of the Latest-token.txt file).<br>
 Paste in the top box.<br>
 Look for the "roles" section. Find the Alert.Read.All role.
 ![Image jwt.ms](images/api-jwt-ms.png)
 ### Lets get the Alerts!
 -   The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
 -   Save this script in the same folder you saved the previous script **Get-Token.ps1**. 
 -   The script creates two files (json and csv) with the data in the same folder as the scripts.
 ```
 # Returns Alerts created in the past 48 hours.
 $token = ./Get-Token.ps1       #run the script Get-Token.ps1  - make sure you are running this script from the same folder of Get-Token.ps1
 # Get Alert from the last 48 hours. Make sure you have alerts in that time frame.
 $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")       
 # The URL contains the type of query and the time filter we create above
 # Read more about other query options and filters at   Https://TBD- add the documentation link
 $url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
 # Set the WebRequest headers
 $headers = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token" 
 }
 # Send the webrequest and get the results. 
 $response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
 # Extract the alerts from the results. 
 $alerts =  ($response | ConvertFrom-Json).value | ConvertTo-Json
 # Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
 $dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}    
 # Save the result as json and as csv
 $outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"     
 $outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
 Out-File -FilePath $outputJsonPath -InputObject $alerts
 ($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation 
 ```
 You’re all done! You have just successfully:
 -   Created and registered and application
 -   Granted permission for that application to read alerts
 -   Connected the API
 -   Used a PowerShell script to return alerts created in the past 48 hours
 ## Related topic
 - [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
 - [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
 - [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@ -1,89 +0,0 @@
 ---
 title: Microsoft Defender ATP Flow connector
 ms.reviewer: 
 description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
 keywords: flow, supported apis, api, Microsoft flow, query, automation
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
 Microsoft Defender API has an official Flow Connector with many capabilities.
 ![Image of edit credentials1](images/api-flow-0.png)
 > [!NOTE]
 > For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](https://docs.microsoft.com/power-automate/triggers-introduction#licensing-for-premium-connectors).
 ## Usage example
 The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
 1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
 2. Go to **My flows** > **New** > **Automated-from blank**.
    ![Image of edit credentials2](images/api-flow-1.png)
 3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
    ![Image of edit credentials3](images/api-flow-2.png)
 Now you have a Flow that is triggered every time a new Alert occurs.
 ![Image of edit credentials4](images/api-flow-3.png)
 All you need to do now is choose your next steps.
 For example, you can isolate the device if the Severity of the Alert is High and send an email about it.
 The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
 ### Get the Alert entity using the connector
 1. Choose **Microsoft Defender ATP** for the new step.
 2. Choose **Alerts - Get single alert API**.
 3. Set the **Alert ID** from the last step as **Input**.
    ![Image of edit credentials5](images/api-flow-4.png)
 ### Isolate the device if the Alert's severity is High
 1. Add **Condition** as a new step.
 2. Check if the Alert severity **is equal to** High.
   If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
    ![Image of edit credentials6](images/api-flow-5.png)
 3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
 4. Save your flow.
 You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
 ## Related topic
 - [Microsoft Defender for Endpoint APIs](apis-intro.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@ -1,102 +0,0 @@
 ---
 title: Microsoft Defender ATP detections API fields
 description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
 keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Microsoft Defender for Endpoint detections API fields
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
 Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
 >[!Note]
 >- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
 >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
 >- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 ## Detections API fields and portal mapping
 The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
 The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the  needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
 Field numbers match the numbers in the images below.
 > [!div class="mx-tableFixed"]
 > 
 > | Portal   label   | SIEM field name           | ArcSight field      | Example value                                                                      | Description                                                                                                                                                                    |
 > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 > | 1                | AlertTitle                | name                | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection.                                                                                                                                               |
 > | 2                | Severity                  | deviceSeverity      | High                                                                             | Value available for every Detection.                                                                                                                                               |
 > | 3                | Category                  | deviceEventCategory | Malware                                                               | Value available for every Detection.                                                                                                                                               |
 > | 4                | Detection source                    | sourceServiceName   | Antivirus                                                                 | Microsoft Defender Antivirus or  Defender for Endpoint. Value available for every Detection.                                                                                         |
 > | 5                | MachineName               | sourceHostName      | desktop-4a5ngd6                                                                           | Value available for every Detection.                                                                                                                                               |
 > | 6                | FileName                  | fileName            | Robocopy.exe                                                                       | Available for detections associated   with a file or process.                                                                                                                      |
 > | 7                | FilePath                  | filePath            | C:\Windows\System32\Robocopy.exe                                                   | Available for detections associated   with a file or process.                                                                                                                     |
 > | 8                | UserDomain                | sourceNtDomain      | CONTOSO                                                                            | The domain of the user context   running the activity, available for Defender for Endpoint behavioral based detections.                                                           |
 > | 9                | UserName                  | sourceUserName      | liz.bean                                                                           | The user context running the   activity, available for Defender for Endpoint behavioral based detections.                                                                           |
 > | 10               | Sha1                      | fileHash            | 3da065e07b990034e9db7842167f70b63aa5329                                           | Available for detections associated   with a file or process.                                                                                                                      |
 > | 11               | Sha256                    | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5                   | Available for Microsoft Defender AV detections.                                                                                                                                    |
 > | 12               | Md5                       | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21                                                   | Available for Microsoft Defender AV detections.                                                                                                                                    |
 > | 13               | ThreatName                | deviceCustomString1  | HackTool:Win32/Mikatz!dha                                                         | Available for Microsoft Defender AV detections.                                                                                                                                    |
 > | 14               | IpAddress                 | sourceAddress       | 218.90.204.141                                                                     | Available for detections associated   to network events. For example, 'Communication to a malicious network   destination'.                                                        |
 > | 15               | Url                       | requestUrl          | down.esales360.cn                                                                  | Available for detections associated to   network events. For example, 'Communication to a malicious network   destination'.                                                         |
 > | 16               | RemediationIsSuccess      | deviceCustomNumber2 | TRUE                                                                               | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.                                                                                    |
 > | 17               | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE                                                                              | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.                                                                                    |
 > | 18               | AlertId                   | externalId          | 636210704265059241_673569822                                                       | Value available for every Detection.                                                                                                                                               |
 > | 19               | LinkToWDATP               | flexString1         | `https://securitycenter.windows.com/alert/636210704265059241_673569822`            | Value available for every Detection.                                                                                                                                               |
 > | 20               | AlertTime                 | deviceReceiptTime   | 2017-05-07T01:56:59.3191352Z                                                       | The time the event occurred. Value available for every Detection.                                                                                       |
 > | 21               | MachineDomain             | sourceDnsDomain     | contoso.com                                                                        | Domain name not relevant for AAD   joined devices. Value available for every Detection.                                                                                           |
 > | 22               | Actor                     | deviceCustomString4 | BORON                                                                                   | Available for alerts related to a   known actor group.                                                                                                                         |
 > | 21+5             | ComputerDnsName           | No mapping          | liz-bean.contoso.com                                                               | The device fully qualified   domain name. Value available for every Detection.                                                                                                    |
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For devices on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |
 > |                  | InternalIPv6List          | No mapping          | fd30:0000:0000:0001:ff4e:003e:0009:000e,   FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces.                                                                                                                                                                               |
 | | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
 | | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 | | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 > | Internal   field | LastProcessedTimeUtc      | No mapping          | 2017-05-07T01:56:58.9936648Z                                                       | Time when event arrived at the   backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.                         |
 > |                  | Not part of the schema    | deviceVendor        |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft'.                                                                                                                          |
 > |                  | Not part of the schema    | deviceProduct       |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft Defender ATP'.                                                                                                               |
 > |                  | Not part of the schema    | deviceVersion       |                                                                                    | Static value in the ArcSight   mapping - '2.0', used to identify the mapping versions.                                                                                         
 ![Image of alert with numbers](images/atp-alert-page.png)
 ![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
 ![Image of artifact timeline with numbers1](images/atp-siem-mapping3.png)
 ![Image of artifact timeline with numbers2](images/atp-siem-mapping4.png)
 ![Image machine view](images/atp-mapping6.png)
 ![Image browser URL](images/atp-mapping5.png)
 ![Image actor alert](images/atp-mapping7.png)
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
 - [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)
 - [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@ -1,143 +0,0 @@
 ---
 title: Microsoft Defender ATP APIs connection to Power BI
 ms.reviewer: 
 description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender for Endpoint APIs.
 keywords: apis, supported apis, Power BI, reports
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Create custom reports using Power BI
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 In this section you will learn create a Power BI report on top of Defender for Endpoint APIs.
 The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
 ## Connect Power BI to Advanced Hunting API
 - Open Microsoft Power BI
 - Click **Get Data** > **Blank Query**
    ![Image of create blank query](images/power-bi-create-blank-query.png)
 - Click **Advanced Editor**
    ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
 - Copy the below and paste it in the editor:
 ```
 	let 
 		AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",
 		HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",
 		Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
 		TypeMap = #table(
 			{ "Type", "PowerBiType" },
 			{
 				{ "Double",   Double.Type },
 				{ "Int64",    Int64.Type },
 				{ "Int32",    Int32.Type },
 				{ "Int16",    Int16.Type },
 				{ "UInt64",   Number.Type },
 				{ "UInt32",   Number.Type },
 				{ "UInt16",   Number.Type },
 				{ "Byte",     Byte.Type },
 				{ "Single",   Single.Type },
 				{ "Decimal",  Decimal.Type },
 				{ "TimeSpan", Duration.Type },
 				{ "DateTime", DateTimeZone.Type },
 				{ "String",   Text.Type },
 				{ "Boolean",  Logical.Type },
 				{ "SByte",    Logical.Type },
 				{ "Guid",     Text.Type }
 			}),
 		Schema = Table.FromRecords(Response[Schema]),
 		TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
 		Results = Response[Results],
 		Rows = Table.FromRecords(Results, Schema[Name]),
 		Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
 	in Table
 ```
 - Click **Done**
 - Click **Edit Credentials**
    ![Image of edit credentials0](images/power-bi-edit-credentials.png)
 - Select **Organizational account** > **Sign in**
    ![Image of set credentials1](images/power-bi-set-credentials-organizational.png)
 - Enter your credentials and wait to be signed in
 - Click **Connect**
    ![Image of set credentials2](images/power-bi-set-credentials-organizational-cont.png)
 - Now the results of your query will appear as table and you can start build visualizations on top of it!
 - You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
 ## Connect Power BI to OData APIs
 - The only difference from the above example is the query inside the editor. 
 - Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
 ```
 	let
 		Query = "MachineActions",
 		Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
 	in
 		Source
 ```
 - You can do the same for **Alerts** and **Machines**.
 - You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
 ## Power BI dashboard samples in GitHub
 For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
 ## Sample reports
 View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
 ## Related topic
 - [Defender for Endpoint APIs](apis-intro.md)
 - [Advanced Hunting API](run-advanced-query-api.md)
 - [Using OData Queries](exposed-apis-odata-samples.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@ -1,88 +0,0 @@
 ---
 title: Microsoft Defender for Endpoint API release notes
 description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.
 keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Microsoft Defender for Endpoint API release notes
 **Applies to:** 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.
 > [!TIP]
 > RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: 
 >```
 >https://docs.microsoft.com/api/search/rss?search=%22Release+notes+for+updates+made+to+the+Microsoft+Defender+for+Endpoint+set+of+APIs%22&locale=en-us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Windows+10%27%29
 >```
 ### 10.02.2021
 <hr>
 - Added new API: [Batch update alerts](batch-update-alerts.md). 
 <br>
 ### 25.01.2021
 <hr>
 - Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute. 
 <br>
 ### 21.01.2021
 <hr>
 - Added new API: [Find devices by tag](machine-tags.md). 
 - Added new API: [Import Indicators](import-ti-indicators.md). 
 <br>
 ### 03.01.2021
 <hr>
 - Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
 - Updated [Alert entity](alerts.md): added ***detectorId*** property.
 <br>
 ### 15.12.2020
 <hr>
 - Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
 <br>
 ### 04.11.2020
 <hr>
 - Added new API: [Set device value](set-device-value.md).
 - Updated [Device](machine.md) entity: added ***deviceValue*** property.
 <br>
 ### 01.09.2020
 <hr>
 - Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
 <br>
 <br>
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@ -1,46 +0,0 @@
 ---
 title: Microsoft Defender ATP API license and terms of use
 description: Description of the license and terms of use for Microsoft Defender APIs
 keywords: license, terms, apis, legal, notices, code of conduct
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Microsoft Defender for Endpoint API license and terms of use
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 ## APIs
 Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
 ### Throttling limits
 Name | Calls | Renewal period 
 :---|:---|:---
 API calls per connection | 100 | 60 seconds
 ## Legal Notices
 Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
 Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
 Privacy information can be found at https://privacy.microsoft.com/en-us/
 Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@ -1,75 +0,0 @@
 ---
 title: Access the Microsoft Defender for Endpoint APIs
 ms.reviewer: 
 description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
 keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Access the Microsoft Defender for Endpoint APIs 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 Watch this video for a quick overview of Defender for Endpoint's APIs. 
 >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
 In general, you’ll need to take the following steps to use the APIs:
 - Create an AAD application
 - Get an access token using this application
 - Use the token to access Defender for Endpoint API
 You can access Defender for Endpoint API with **Application Context** or **User Context**.
 - **Application Context: (Recommended)** <br>
    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
 	Steps that need to be taken to access Defender for Endpoint API with application context:
  1. Create an AAD Web-Application.
  2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. 
  3. Create a key for this Application.
  4. Get token using the application with its key.
  5. Use the token to access Microsoft Defender ATP API
     For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
 - **User Context:** <br>
    Used to perform actions in the API on behalf of a user.
 	Steps to take to access Defender for Endpoint API with application context:
  1. Create AAD Native-Application.
  2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 
  3. Get token using the application with user credentials.
  4. Use the token to access Microsoft Defender ATP API
     For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
 ## Related topics
 - [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
 - [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
 - [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
@ -1,51 +0,0 @@
 ---
 title: Assign user access to Microsoft Defender Security Center
 description: Assign read and write or read only access to the Microsoft Defender for Endpoint portal.
 keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 11/28/2018
 ms.technology: mde
 ---
 # Assign user access to Microsoft Defender Security Center
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - Azure Active Directory
 - Office 365
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 Defender for Endpoint supports two ways to manage permissions:
 - **Basic permissions management**: Set permissions to either full access or read-only.
 - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
 > [!NOTE]
 > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
 > 
 > - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.  Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC. 
 > - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
 > - After switching to RBAC, you will not be able to switch back to using basic permissions management.
 ## Related topics
 - [Use basic permissions to access the portal](basic-permissions.md)
 - [Manage portal access using RBAC](rbac.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@ -1,71 +0,0 @@
 ---
 title: Experience Microsoft Defender ATP through simulated attacks
 description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
 keywords: wdatp, test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 11/20/2018
 ms.technology: mde
 ---
 # Experience Microsoft Defender for Endpoint through simulated attacks 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
 >[!TIP]
 >- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
 >- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
 You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
 ## Before you begin
 To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md). 
 Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
 ## Run a simulation
 1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
   - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
   - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
   - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
 2. Download and read the corresponding walkthrough document provided with your selected scenario.
 3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
 4. Run the simulation file or script on the test device as instructed in the walkthrough document.
 > [!NOTE]
 > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
 > 
 > 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
 ## Related topics
 - [Onboard devices](onboard-configure.md)
 - [Onboard Windows 10 devices](configure-endpoints.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@ -1,137 +0,0 @@
 ---
 title: Attack surface reduction frequently asked questions (FAQ)
 description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
 keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, microsoft defender for endpoint
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: m365-security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: ITPro
 author: martyav
 ms.author: v-maave
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
 ms.technology: mde
 ---
 # Attack surface reduction frequently asked questions (FAQ)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 ## Is attack surface reduction (ASR) part of Windows?
 ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
 ## Do I need to have an enterprise license to run ASR rules?
 The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
 To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
 ## Is ASR supported if I have an E3 license?
 Yes. ASR is supported for Windows Enterprise E3 and above. 
 ## Which features are supported with an E5 license?
 All of the rules supported with E3 are also supported with E5.
 E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide&preserve-view=true#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
 ## What are the currently supported ASR rules?
 ASR currently supports all of the rules below:
 * [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
 * [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
 * [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
 * [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
 * [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
 * [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
 * [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
 * [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
 * [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
 * [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
 * [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
 * [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
 * [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
 * [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
 * [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
 ## What are some good recommendations for getting started with ASR?
 Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
 Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
 ## How long should I test an ASR rule in audit mode before enabling it?
 Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
 ## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR?
 In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. 
 The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities.
 From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
 ## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
 Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
 ## Do ASR rules cover all applications by default?
 It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
 ## Does ASR support third-party security solutions?
 ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
 ## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline?
 Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint.
 ## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
 Try opening the indexing options directly from Windows 10.
 1. Select the **Search** icon on the Windows taskbar.
 1. Enter **Indexing options** into the search box.
 ## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
 No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
 ## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
 This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
 Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
 ## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
 A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
 Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
 ## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
 Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
 ## See also
 * [Attack surface reduction overview](attack-surface-reduction.md)
 * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
 * [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
 * [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 * [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@ -1,468 +0,0 @@
 ---
 title: Use attack surface reduction rules to prevent malware infection
 description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
 keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint, Microsoft Defender ATP
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
 ms.reviewer: sugamar, jcedola
 manager: dansimp
 ms.custom: asr
 ms.technology: mde
 ---
 # Use attack surface reduction rules to prevent malware infection
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 ## Why attack surface reduction rules are important
 Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
 Attack surface reduction rules target certain software behaviors, such as:
 - Launching executable files and scripts that attempt to download or run files;
 - Running obfuscated or otherwise suspicious scripts; and 
 - Performing behaviors that apps don't usually initiate during normal day-to-day work.
 Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
 For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 ## Assess rule impact before deployment  
 You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). 
 :::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
 In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
 ## Audit mode for evaluation
 Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
 ## Warn mode for users
 (**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
 Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. 
 ### Requirements for warn mode to work
 Warn mode is supported on devices running the following versions of Windows:
 - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
 Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
 In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
 - Minimum platform release requirement: `4.18.2008.9`  
 - Minimum engine release requirement: `1.1.17400.5`
 For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
 ### Cases where warn mode is not supported
 Warn mode is not supported for the following attack surface reduction rules:
 - [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)
 - [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)
 - [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
 In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
 ## Notifications and alerts
 Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
 In addition, when certain attack surface reduction rules are triggered, alerts are generated. 
 Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
 ## Advanced hunting and attack surface reduction events
 You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
 For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM. 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
 ## Attack surface reduction features across Windows versions
 You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
 - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
 ## Review attack surface reduction events in the Microsoft Defender Security Center
 Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
 You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
 Here is an example query:
 ```kusto
 DeviceEvents
 | where ActionType startswith 'Asr'
 ```
 ## Review attack surface reduction events in Windows Event Viewer
 You can review the Windows event log to view events generated by attack surface reduction rules:
 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
 3. Under **Actions**, select **Import custom view...**.
 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 5. Select **OK**.
 You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
 |Event ID | Description |
 |:---|:---|
 |5007 | Event when settings are changed |
 |1121 | Event when rule fires in Block-mode |
 |1122 | Event when rule fires in Audit-mode |
 The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
 ## Attack surface reduction rules
 The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. 
 If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
 | Rule name | GUID | File & folder exclusions | Minimum OS supported |
 |:-----|:-----:|:-----|:-----|
 |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater  |
 |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
 |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 ### Block Adobe Reader from creating child processes
 This rule prevents attacks by blocking Adobe Reader from creating processes.
 Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
 This rule was introduced in: 
 - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Intune name: `Process creation from Adobe Reader (beta)`
 Configuration Manager name: Not yet available
 GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
 ### Block all Office applications from creating child processes
 This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
 Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
 This rule was introduced in: 
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Office apps launching child processes`
 Configuration Manager name: `Block Office application from creating child processes`
 GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
 ### Block credential stealing from the Windows local security authority subsystem
 This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
 LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
 > [!NOTE]
 > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
 This rule was introduced in:
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Flag credential stealing from the Windows local security authority subsystem`
 Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
 GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
 ### Block executable content from email client and webmail
 This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
 - Executable files (such as .exe, .dll, or .scr)
 - Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
 This rule was introduced in: 
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
 Microsoft Endpoint Manager name: `Block executable content from email client and webmail`
 GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
 > [!NOTE]
 > The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use:
 > - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
 > - Endpoint Manager: Block executable content download from email and webmail clients.
 > - Group Policy: Block executable content from email client and webmail.
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
 This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
 - Executable files (such as .exe, .dll, or .scr)
 Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
 > [!IMPORTANT]
 > You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
 This rule was introduced in: 
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
 Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
 GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
 ### Block execution of potentially obfuscated scripts
 This rule detects suspicious properties within an obfuscated script.
 Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
 This rule was introduced in:
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Obfuscated js/vbs/ps/macro code`
 Configuration Manager name: `Block execution of potentially obfuscated scripts`
 GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
 ### Block JavaScript or VBScript from launching downloaded executable content
 This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
 Although not common, line-of-business applications sometimes use scripts to download and launch installers.
 This rule was introduced in:  
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
 Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
 GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
 ### Block Office applications from creating executable content
 This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
 Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
 This rule was introduced in: 
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
 Intune name: `Office apps/macros creating executable content`
 SCCM name: `Block Office applications from creating executable content`
 GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
 ### Block Office applications from injecting code into other processes
 This rule blocks code injection attempts from Office apps into other processes.
 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
 There are no known legitimate business purposes for using code injection.
 This rule applies to Word, Excel, and PowerPoint.
 This rule was introduced in: 
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Office apps injecting code into other processes (no exceptions)`
 Configuration Manager name: `Block Office applications from injecting code into other processes`
 GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
 ### Block Office communication application from creating child processes
 This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
 This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
 > [!NOTE]
 > This rule applies to Outlook and Outlook.com only.
 This rule was introduced in: 
 - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Intune name: `Process creation from Office communication products (beta)`
 Configuration Manager name: Not available
 GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
 ### Block persistence through WMI event subscription
 This rule prevents malware from abusing WMI to attain persistence on a device.
 > [!IMPORTANT]
 > File and folder exclusions don't apply to this attack surface reduction rule.
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 This rule was introduced in: 
 - [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
 - [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
 Intune name: Not available
 Configuration Manager name: Not available
 GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
 ### Block process creations originating from PSExec and WMI commands
 This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
 > [!WARNING]
 > Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
 This rule was introduced in: 
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Intune name: `Process creation from PSExec and WMI commands`
 Configuration Manager name: Not applicable
 GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
 ### Block untrusted and unsigned processes that run from USB
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
 This rule was introduced in: 
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Untrusted and unsigned processes that run from USB`
 Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
 GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
 ### Block Win32 API calls from Office macros
 This rule prevents VBA macros from calling Win32 APIs.
 Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
 This rule was introduced in:
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Win32 imports from Office macro code`
 Configuration Manager name: `Block Win32 API calls from Office macros`
 GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
 ### Use advanced protection against ransomware
 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
 > [!NOTE]
 > You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
 This rule was introduced in: 
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: `Advanced ransomware protection`
 Configuration Manager name: `Use advanced protection against ransomware`
 GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
 ## See also
 - [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
 - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
 - [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@ -1,55 +0,0 @@
 ---
 title: Test how Microsoft Defender for Endpoint features work in audit mode
 description: Audit mode helps you see how Microsoft Defender for Endpoint would protect your devices if it was enabled.
 keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.reviewer: 
 manager: dansimp
 ms.technology: mde
 ---
 # Test how Microsoft Defender for Endpoint features work in audit mode
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
 You may want to enable audit mode when testing how the features will work in your organization. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.
 The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
 To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
 You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
 **Audit options** | **How to enable audit mode** | **How to view events**
 |---------|---------|---------|
 | Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
 | Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
 | Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
 | Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
 ## Related topics
 * [Protect devices from exploits](exploit-protection.md)
 * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
 * [Protect your network](network-protection.md)
 * [Protect important folders](controlled-folders.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@ -1,89 +0,0 @@
 ---
 title: Visit the Action center to see remediation actions
 description: Use the action center to view details and results following an automated investigation
 keywords: action, center, autoir, automated, investigation, response, remediation
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
 - m365-security-compliance
 - m365initiative-defender-endpoint
 ms.topic: how-to
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.date: 01/28/2021
 ms.technology: mde
 ---
 # Visit the Action center to see remediation actions
 During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**. 
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 ## (NEW!) A unified Action center
 We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))!
 :::image type="content" source="images/mde-action-center-unified.png" alt-text="Action center in Microsoft 365 security center":::
 The following table compares the new, unified Action center to the previous Action center.
 |The new, unified Action center  |The previous Action center  |
 |---------|---------|
 |Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) plus [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) only)   |
 |Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)         |Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)     |
 | In the Microsoft 365 security center, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center"::: | In the Microsoft Defender Security Center, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center":::  |
 The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. 
 You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
 - [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md)
 - [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
 - [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) 
 > [!TIP]
 > To learn more, see [Requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites).
 ## Using the Action center
 To get to the unified Action center in the improved Microsoft 365 security center:
 1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
 2. In the navigation pane, select **Action center**. 
 When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab:
 |Tab  |Description  |
 |---------|---------|
 |**Pending**     | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**). <br/>**TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner. |
 |**History**     | Serves as an audit log for actions that were taken, such as: <br/>- Remediation actions that were taken as a result of automated investigations <br>- Remediation actions that were approved by your security operations team  <br/>- Commands that were run and remediation actions that were applied during Live Response sessions  <br/>- Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus  <p>Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)).       |
 You can customize, sort, filter, and export data in the Action center.
 :::image type="content" source="images/new-action-center-columnsfilters.png" alt-text="Columns and filters in the Action center":::
 - Select a column heading to sort items in ascending or descending order.
 - Use the time period filter to view data for the past day, week, 30 days, or 6 months.
 - Choose the columns that you want to view.
 - Specify how many items to include on each page of data.
 - Use filters to view just the items you want to see.
 - Select **Export** to export results to a .csv file. 
 ## Next steps
 - [View and approve remediation actions](manage-auto-investigation.md)
 - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
 ## See also
 - [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md
@ -1,94 +0,0 @@
 ---
 title: Details and results of an automated investigation
 description: During and after an automated investigation, you can view the results and key findings
 keywords: automated, investigation, results, analyze, details, remediation, autoair
 search.appverid: met150
 ms.prod: m365-security
 ms.technology: mde
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 f1.keywords: 
 - NOCSH
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
 - M365-security-compliance
 - m365initiative-m365-defender
 ms.topic: conceptual
 ms.custom: autoir
 ms.reviewer: evaldm, isco
 ms.date: 02/02/2021
 ---
 # Details and results of an automated investigation
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions. 
 ## (NEW!) Unified investigation page
 The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md)  and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp). 
 > [!TIP]
 > To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
 ## Open the investigation details view
 You can open the investigation details view by using one of the following methods:
 - [Select an item in the Action center](#select-an-item-in-the-action-center)
 - [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-details-page)
 ### Select an item in the Action center
 The improved [Action center](auto-investigation-action-center.md) brings together [remediation actions](manage-auto-investigation.md#remediation-actions) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.
 1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. 
 2. In the navigation pane, choose **Action center**. 
 3. On either the **Pending** or **History** tab, select an item. Its flyout pane opens.
 4. Review the information in the flyout pane, and then take one of the following steps:
   - Select **Open investigation page** to view more details about the investigation.
   - Select **Approve** to initiate a pending action.
   - Select **Reject** to prevent a pending action from being taken.
   - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
 ### Open an investigation from an incident details page
 Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
 1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. 
 2. In the navigation pane, choose **Incidents & alerts** > **Incidents**. 
 3. Select an item in the list, and then choose **Open incident page**.
 4. Select the **Investigations** tab, and then select an investigation in the list. Its flyout pane opens.
 5. Select **Open investigation page**. 
 ## Investigation details
 Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image:
 In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
 > [!NOTE]
 > The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
 | Tab | Description |
 |:--------|:--------|
 | **Investigation graph**	| Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.<br/>You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. |
 | **Alerts**	| Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
 | **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).) |
 | **Mailboxes** |Lists mailboxes that are impacted by detected threats.  |
 | **Users**  | Lists user accounts that are impacted by detected threats. |
 | **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. |
 | **Entities**	| Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).|
 |**Log**	| Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
 | **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
 ## See also
 - [Review remediation actions following an automated investigation](manage-auto-investigation.md)
 - [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@ -1,96 +0,0 @@
 ---
 title: Use automated investigations to investigate and remediate threats
 description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
 keywords: automated, investigation, detection, defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.technology: mde
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
 ms.date: 02/02/2021
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
 - m365-security-compliance
 - m365initiative-defender-endpoint
 ms.topic: how-to
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.custom: AIR
 ---
 # Overview of automated investigations
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Want to see how it works? Watch the following video: <br/><br/>
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
 The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed.
 This article provides an overview of AIR and includes links to next steps and additional resources.
 > [!TIP]
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
 ## How the automated investigation starts
 An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.
 |Situation  |What happens  |
 |---------|---------|
 |An alert is triggered     | In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation.         |
 |An investigation is started manually     | An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**. |
 ## How an automated investigation expands its scope
 While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
 If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
 ## How threats are remediated
 As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be 
 - *Malicious*;
 - *Suspicious*; or 
 - *No threats found*. 
 As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions).  
 Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). 
 All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). If necessary, your security operations team can undo a remediation action. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).
 > [!TIP]
 > Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results.md#new-unified-investigation-page).
 ## Requirements for AIR
 Your organization must have Defender for Endpoint (see [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)).
 Currently, AIR only supports the following OS versions:
 - Windows Server 2019
 - Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
 - Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 - Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
 ## Next steps
 - [Learn more about automation levels](automation-levels.md)
 - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
 - [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)
 ## See also
 - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
 - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
 - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
--- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
@ -1,65 +0,0 @@
 ---
 title: Automation levels in automated investigation and remediation
 description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint
 keywords: automated, investigation, level, defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.technology: mde
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
 ms.date: 10/22/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: conceptual
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.custom: AIR
 ---
 # Automation levels in automated investigation and remediation capabilities
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.  
 - *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
 - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).)
 - All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). 
 > [!TIP]
 > For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.
 ## Levels of automation
 The following table describes each level of automation and how it works.
 |Automation level | Description|
 |:---|:---|
 |**Full - remediate threats automatically** <br/>(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.<br/><br/>***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*  |
 |**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*|
 |**Semi - require approval for core folders remediation** <br/>(also a type of *semi-automation*)  | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).<br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <br/><br/>Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <br/><br/>Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
 |**Semi - require approval for non-temp folders remediation** <br/>(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <br/><br/>Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*`<br/><br/>Remediation actions can be taken automatically on files or executables that are in temporary folders. <br/><br/>Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab.   |
 |**No automated response** <br/>(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.<br/><br/>***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. |
 ## Important points about automation levels
 - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.
 - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default.
 - If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. 
 - You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
 ## Next steps
 - [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)
 - [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@ -1,88 +0,0 @@
 ---
 title: Use basic permissions to access Microsoft Defender Security Center
 description: Learn how to use basic permissions to access the Microsoft Defender for Endpoint portal.
 keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Use basic permissions to access the portal
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - Azure Active Directory
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
 Refer to the instructions below to use basic permissions management.
 You can use either of the following solutions:
 - Azure PowerShell
 - Azure portal
 For granular control over permissions, [switch to role-based access control](rbac.md).
 ## Assign user access using Azure PowerShell
 You can assign users with one of the following levels of permissions:
 - Full access (Read and Write)
 - Read-only access
 ### Before you begin
 - Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
    > [!NOTE]
    > You need to run the PowerShell cmdlets in an elevated command-line.
 - Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0&preserve-view=true).
 **Full access** <br>
 Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
 Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
 **Read-only access** <br>
 Users with read-only access can log in, view all alerts, and related information.
 They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
 Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role.
 Use the following steps to assign security roles:
 - For **read and write** access, assign users to the security administrator role by using the following command:
  ```PowerShell
  Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
  ```
 - For **read-only** access, assign users to the security reader role by using the following command:
  ```PowerShell
  Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
  ```
 For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
 ## Assign user access using the Azure portal
 For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
 ## Related topic
 - [Manage portal access using RBAC](rbac.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md
@ -1,109 +0,0 @@
 ---
 title: Batch Update alert entities API
 description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties.
 keywords: apis, graph api, supported apis, get, alert, information, id
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Batch update alerts
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:** 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 ## API description
 Updates properties of a batch of existing [Alerts](alerts.md).
 <br>Submission of **comment** is available with or without updating properties.
 <br>Updatable properties are: `status`, `determination`, `classification` and `assignedTo`.
 ## Limitations
 1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information.
 2. Rate limitations for this API are 10 calls per minute and 500 calls per hour.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Alerts.ReadWrite.All |	'Read and write all alerts'
 Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 >[!Note]
 > When obtaining a token using user credentials:
 >- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
 >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 ## HTTP request
 ```http
 POST /api/alerts/batchUpdate
 ```
 ## Request headers
 Name | Type | Description
 :---|:---|:---
 Authorization | String | Bearer {token}. **Required**.
 Content-Type | String | application/json. **Required**.
 ## Request body
 In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts.
 <br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. 
 <br>For best performance you shouldn't include existing values that haven't changed.
 Property | Type | Description
 :---|:---|:---
 alertIds | List&lt;String&gt;| A list of the IDs of the alerts to be updated. **Required**
 status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'.
 assignedTo | String | Owner of the specified alerts
 classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
 determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
 comment | String | Comment to be added to the specified alerts.
 ## Response
 If successful, this method returns 200 OK, with an empty response body.
 ## Example
 **Request**
 Here is an example of the request.
 ```http
 POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate
 ```
 ```json
 {
    "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"],
    "status": "Resolved",
    "assignedTo": "secop2@contoso.com",
    "classification": "FalsePositive",
    "determination": "Malware",
    "comment": "Resolve my alert and assign to secop2"
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@ -1,126 +0,0 @@
 ---
 title: Behavioral blocking and containment
 description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
 keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 author: denisebmsft
 ms.author: deniseb
 manager: dansimp
 ms.reviewer: shwetaj
 audience: ITPro
 ms.topic: article
 ms.prod: m365-security
 ms.localizationpriority: medium
 ms.custom: 
  - next-gen
  - edr
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.technology: mde
 ---
 # Behavioral blocking and containment
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 ## Overview
 Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](https://docs.microsoft.com/windows/security). 
 Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. 
 :::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
 Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing.
 - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
 - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
 - [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. 
 With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks. 
 The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
 :::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
 ## Components of behavioral blocking and containment
 - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
 - **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) 
 - **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) 
 - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.) 
 Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
 ## Examples of behavioral blocking and containment in action
 Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
 - Credential dumping from LSASS
 - Cross-process injection
 - Process hollowing
 - User Account Control bypass
 - Tampering with antivirus (such as disabling it or adding the malware as exclusion)
 - Contacting Command and Control (C&C) to download payloads
 - Coin mining
 - Boot record modification
 - Pass-the-hash attacks
 - Installation of root certificate
 - Exploitation attempt for various vulnerabilities
 Below are two real-life examples of behavioral blocking and containment in action.
 ### Example 1: Credential theft attack against 100 organizations
 As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. 
 Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker’s techniques at two points in the attack chain:
 - The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
 - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). 
 While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
 :::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
 This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
 ### Example 2: NTLM relay - Juicy Potato malware variant
 As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
 :::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
 The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device. 
 Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
 :::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
 A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device. 
 This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically. 
 ## Next steps
 - [Learn more about Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
 - [Configure your attack surface reduction rules](attack-surface-reduction.md)
 - [Enable EDR in block mode](edr-in-block-mode.md)
 - [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
 - [Get an overview of Microsoft 365 Defender ](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@ -1,59 +0,0 @@
 ---
 title: Check the health state of the sensor in Microsoft Defender ATP
 description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data.
 keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 04/24/2018
 ms.technology: mde
 ---
 # Check sensor health state in Microsoft Defender for Endpoint
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
 The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
 There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:
 - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected.
 - **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month.
 Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
 ![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png)
 On **Devices list**, you can filter the health state list by the following status:
 - **Active** - Devices that are actively reporting to the Defender for Endpoint service.
 - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
  - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
  - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
 - **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service.
 You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
 >[!NOTE]
 >Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
 ![Screenshot of Devices list page](images/atp-devices-list-page.png)
 You can view the device details when you click on a misconfigured or inactive device.
 ## Related topic
 - [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@ -1,97 +0,0 @@
 ---
 title: Client behavioral blocking
 description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
 keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 author: denisebmsft
 ms.author: deniseb
 manager: dansimp
 ms.reviewer: shwetaj
 audience: ITPro
 ms.topic: article
 ms.prod: m365-security
 ms.localizationpriority: medium
 ms.custom: 
  - next-gen
  - edr
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.technology: mde
 ---
 # Client behavioral blocking
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 ## Overview
 Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. 
 :::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
 Antivirus protection works best when paired with cloud protection.
 ## How client behavioral blocking works
 [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device. 
 Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
 Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
 ## Behavior-based detections
 Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
 |Tactic |	Detection threat name |
 |----|----|
 |Initial Access	| Behavior:Win32/InitialAccess.*!ml |
 |Execution	| Behavior:Win32/Execution.*!ml |
 |Persistence	| Behavior:Win32/Persistence.*!ml |
 |Privilege Escalation	| Behavior:Win32/PrivilegeEscalation.*!ml |
 |Defense Evasion	| Behavior:Win32/DefenseEvasion.*!ml |
 |Credential Access	| Behavior:Win32/CredentialAccess.*!ml |
 |Discovery	| Behavior:Win32/Discovery.*!ml |
 |Lateral Movement |	Behavior:Win32/LateralMovement.*!ml |
 |Collection |	Behavior:Win32/Collection.*!ml |
 |Command and Control | Behavior:Win32/CommandAndControl.*!ml |
 |Exfiltration	| Behavior:Win32/Exfiltration.*!ml |
 |Impact	| Behavior:Win32/Impact.*!ml |
 |Uncategorized	| Behavior:Win32/Generic.*!ml |
 > [!TIP]
 > To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
 ## Configuring client behavioral blocking
 If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured:
 - [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
 - [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
 - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
 - [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
 - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
 ## Related articles
 - [Behavioral blocking and containment](behavioral-blocking-containment.md)
 - [Feedback-loop blocking](feedback-loop-blocking.md)
 - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
 - [Helpful Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@ -1,92 +0,0 @@
 ---
 title: Collect investigation package API
 description: Use this API to create calls related to the collecting an investigation package from a device.
 keywords: apis, graph api, supported apis, collect investigation package
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Collect investigation package API
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 ## API description
 Collect investigation package from a device.
 ## Limitations
 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Machine.CollectForensics |	'Collect forensics'
 Delegated (work or school account) |	Machine.CollectForensics |	'Collect forensics'
 >[!Note]
 > When obtaining a token using user credentials:
 >- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
 >- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 ## HTTP request
 ```
 POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage
 ```
 ## Request headers
 Name | Type | Description
 :---|:---|:---
 Authorization | String | Bearer {token}. **Required**.
 Content-Type | string | application/json. **Required**.
 ## Request body
 In the request body, supply a JSON object with the following parameters:
 Parameter |	Type	| Description
 :---|:---|:---
 Comment |	String |	Comment to associate with the action. **Required**.
 ## Response
 If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
 ## Example
 **Request**
 Here is an example of the request.
 ```http
 POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
 ```
 ```json
 {
  "Comment": "Collect forensics due to alert 1234"
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
@ -1,93 +0,0 @@
 ---
 title: Common Microsoft Defender ATP API errors
 description: List of common Microsoft Defender ATP API errors with descriptions.
 keywords: apis, mdatp api, errors, troubleshooting
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Common REST API error codes
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 * The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs.
 * In addition to the error code, every error response contains an error message, which can help resolve the problem.
 * The message is a free text that can be changed.
 * At the bottom of the page, you can find response examples.
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 Error code |HTTP status code |Message 
 :---|:---|:---
 BadRequest | BadRequest (400) | General Bad Request error message.
 ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
 InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
 InvalidRequestBody | BadRequest (400) | Invalid request body.
 InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
 InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
 InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
 InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
 MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
 MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
 OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
 ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
 Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header).
 Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
 DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
 DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
 NotFound | Not Found (404) | General Not Found error message.
 ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
 InternalServerError | Internal Server Error (500) | (No error message, retry the operation)
 TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU.
 ## Body parameters are case-sensitive
 The submitted body parameters are currently case-sensitive.
 <br>If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
 <br>Review the API documentation page and check that the submitted parameters match the relevant example.
 ## Correlation request ID
 Each error response contains a unique ID parameter for tracking.
 <br>The property name of this parameter is "target".
 <br>When contacting us about an error, attaching this ID will help find the root cause of the problem.
 ## Examples
 ```json
 {
    "error": {
        "code": "ResourceNotFound",
        "message": "Machine 123123123 was not found",
        "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
    }
 }
 ```
 ```json
 {
    "error": {
        "code": "InvalidRequestBody",
        "message": "Request body is incorrect",
        "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
    }
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/community.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/community.md
@ -1,48 +0,0 @@
 ---
 title: Access the Microsoft Defender for Endpoint Community Center
 description: Access the Microsoft Defender ATP Community Center to share experiences, engage, and learn about the product.
 keywords: community, community center, tech community, conversation, announcements
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/24/2018
 ms.technology: mde
 ---
 # Access the Microsoft Defender for Endpoint Community Center
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. 
 There are several spaces you can explore to learn about specific information:
 - Announcements 
 - What's new
 - Threat Intelligence
 There are several ways you can access the Community Center:
 - In the Microsoft Defender Security Center navigation pane, select **Community center**.  A new browser tab opens and takes you to the Defender for Endpoint Tech Community page. 
 - Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
 You can instantly view and read conversations that have been posted in the community. 
 To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
@ -1,80 +0,0 @@
 ---
 title: Enable Conditional Access to better protect users, devices, and data
 description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
 keywords: conditional access, block applications, security level, intune,
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Enable Conditional Access to better protect users, devices, and data 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
 Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1]
 With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
 You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. 
 The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. 
 The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. 
 ## Understand the Conditional Access flow
 Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. 
 The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. 
 Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
 For example, you can configure Intune to apply Conditional Access on devices that have a high risk.
 In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
 A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. 
 To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it. 
 There are three ways to address a risk:
 1. Use Manual or automated remediation.
 2. Resolve active alerts on the device. This will remove the risk from the device.
 3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device. 
 Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
 When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
 The following example sequence of events explains Conditional Access in action:
 1. A user opens a malicious file and Defender for Endpoint flags the device as high risk.
 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
 3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
 4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
 5. Users can now access applications.
 ## Related topic
 - [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@ -1,208 +0,0 @@
 ---
 title: Configure Micro Focus ArcSight to pull Microsoft Defender for Endpoint detections
 description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
 keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure Micro Focus ArcSight to pull Defender for Endpoint detections
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) 
 You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections.
 >[!Note]
 >- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections
 >- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
 ## Before you begin
 Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
 This section guides you in getting the necessary information to set and use the required configuration files correctly.
 - Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
 - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
  - OAuth 2.0 Token refresh URL
  - OAuth 2.0 Client ID
  - OAuth 2.0 Client secret
 - Have the following configuration files ready:
  - WDATP-connector.properties
  - WDATP-connector.jsonparser.properties
    You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
 - Make sure you generate the following tokens and have them ready:
  - Access token
  - Refresh token
  You can generate these tokens from the **SIEM integration** setup section of the portal.
 ## Install and configure Micro Focus ArcSight FlexConnector
 The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
 2. Follow the installation wizard through the following tasks:
   - Introduction
   - Choose Install Folder
   - Choose Install Set
   - Choose Shortcut Folder
   - Pre-Installation Summary
   - Installing...
   You can keep the default values for each of these tasks or modify the selection to suit your requirements.
 3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example:
   - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
   - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
   > [!NOTE]
   > 
   > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
 5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
 6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
   <table>
    <tbody style="vertical-align:top;">
    <tr>
    <th>Field</th>
    <th>Value</th>
    </tr>
    <tr>
    <td>Configuration File</td>
    <td>Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
    For example, if the configuration file in &quot;flexagent&quot; directory is named &quot;WDATP-Connector.jsonparser.properties&quot;, you must type &quot;WDATP-Connector&quot; as the name of the client property file.</td>
    </tr>
    <td>Events URL</td>
    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> <b>For EU</b>:  https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br>
   </br><b>For US:</b> https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br> <br> <b>For UK</b>:  https://<i></i>wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
    <tr>
    <td>Authentication Type</td>
    <td>OAuth 2</td>
    </tr>
    <td>OAuth 2 Client Properties file</td>
    <td>Browse to the location of the <em>wdatp-connector.properties</em> file. The name must match the file provided in the .zip that you downloaded.</td>
    <tr>
    <td>Refresh Token</td>
    <td>You can obtain a refresh token in two ways: by generating a refresh token from the <b>SIEM settings</b> page or using the restutil tool. <br><br> For more information on generating a refresh token from the <b>Preferences setup</b> , see <a href="enable-siem-integration.md" data-raw-source="[Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)">Enable SIEM integration in Defender for Endpoint</a>. </br> </br><b>Get your refresh token using the restutil tool:</b> </br> a. Open a command prompt. Navigate to C:\<em>folder_location</em>\current\bin where <em>folder_location</em> represents the location where you installed the tool. </br></br> b. Type: <code>arcsight restutil token -config</code> from the bin directory.For example: <b>arcsight restutil boxtoken -proxy proxy.location.hp.com:8080</b> A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the <b>Refresh Token</b> field.
    </td>
    </tr>
    </tr>
    </table><br/>
 7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
   If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
   If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
 8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
 9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
 10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
 11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
 12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
 13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
 14. Select **Install as a service** and click **Next**.
 15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
 16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
 17. Finish the installation by selecting **Exit** and **Next**.
 ## Install and configure the Micro Focus ArcSight console
 1. Follow the installation wizard through the following tasks:
   - Introduction
   - License Agreement
   - Special Notice
   - Choose ArcSight installation directory
   - Choose Shortcut Folder
   - Pre-Installation Summary
 2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
 3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
 4. Select **Use direct connection**, then click **Next**.
 5. Select **Password Based Authentication**, then click **Next**.
 6. Select **This is a single user installation. (Recommended)**, then click **Next**.
 7. Click **Done** to quit the installer.
 8. Login to the Micro Focus ArcSight console.
 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
 10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
 You can now run queries in the Micro Focus ArcSight console.
 Defender for Endpoint detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
 ## Troubleshooting Micro Focus ArcSight connection
 **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
 **Symptom:** You get the following error message:
 `Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
 **Solution:**
 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
   `reauthenticate=true`.
 3. Restart the connector by running the following command: `arcsight.bat connectors`.
   A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
 > [!NOTE]
 > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
 ## Related topics
 - [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
 - [Configure Splunk to pull Defender for Endpoint detections](configure-splunk.md)
 - [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@ -1,46 +0,0 @@
 ---
 title: Configure attack surface reduction
 description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and Group Policy to configure attack surface reduction.
 keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Configure attack surface reduction
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 You can configure attack surface reduction with many tools, including:
 * Microsoft Intune
 * Microsoft Endpoint Configuration Manager
 * Group Policy
 * PowerShell cmdlets
 Article | Description
 -|-
 [Enable hardware-based isolation for Microsoft Edge](../microsoft-defender-application-guard/install-md-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
 [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
 [Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
 [Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
 [Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
 [Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware
 [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@ -1,64 +0,0 @@
 ---
 title: Configure automated investigation and remediation capabilities
 description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
 keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.technology: mde
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: how-to
 ms.date: 01/27/2021
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ---
 # Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). 
 To configure automated investigation and remediation,
 1. [Turn on the features](#turn-on-automated-investigation-and-remediation); and 
 2. [Set up device groups](#set-up-device-groups).
 ## Turn on automated investigation and remediation
 1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
 2. In the navigation pane, choose **Settings**.
 3. In the **General** section, select **Advanced features**.
 4. Turn on both **Automated Investigation** and **Automatically resolve alerts**.
 ## Set up device groups
 1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
 2. Select **+ Add device group**.
 3. Create at least one device group, as follows:
   - Specify a name and description for the device group.
   - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [Automation levels in automated investigation and remediation](automation-levels.md).
   - In the **Members** section, use one or more conditions to identify and include devices.
   - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating.
 4. Select **Done** when you're finished setting up your device group.
 ## Next steps
 - [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
 - [Review and approve pending actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation)
 ## See also
 - [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@ -1,114 +0,0 @@
 ---
 title: Configure Conditional Access in Microsoft Defender ATP
 description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
 keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure Conditional Access in Microsoft Defender for Endpoint
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 This section guides you through all the steps you need to take to properly implement Conditional Access.
 ### Before you begin
 >[!WARNING]
 >It's important to note that Azure AD registered devices is not supported in this scenario.</br>
 >Only Intune enrolled devices are supported.
 You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
 - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
 - End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
 - End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
 There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
 It's important to note the required roles to access these portals and implement Conditional access:
 - **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
 - **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions. 
 - **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
 > [!NOTE]
 > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
 Take the following steps to enable Conditional Access:
 - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
 - Step 2: Turn on the Defender for Endpoint integration in Intune
 - Step 3: Create the compliance policy in Intune
 - Step 4: Assign the policy 
 - Step 5: Create an Azure AD Conditional Access policy
 ### Step 1: Turn on the Microsoft Intune connection
 1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
 2. Toggle the Microsoft Intune setting to **On**.
 3. Click **Save preferences**.
 ### Step 2: Turn on the Defender for Endpoint integration in Intune
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. Select **Device compliance** > **Microsoft Defender ATP**.
 3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**.
 4. Click **Save**.
 ### Step 3: Create the compliance policy in Intune
 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
 2. Select **Device compliance** > **Policies** > **Create policy**.
 3. Enter a **Name** and **Description**.
 4. In **Platform**, select **Windows 10 and later**.
 5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
   - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
   - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
   - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
   - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
 6. Select **OK**, and **Create** to save your changes (and create the policy).
 ### Step 4: Assign the policy
 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
 2. Select **Device compliance** > **Policies**> select your Microsoft Defender ATP compliance policy.
 3. Select **Assignments**.
 4. Include or exclude your Azure AD groups to assign them the policy.
 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
 ### Step 5: Create an Azure AD Conditional Access policy
 1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
 2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
 3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
 4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
 5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
 6. Select **Enable policy**, and then **Create** to save your changes.
 For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@ -1,101 +0,0 @@
 ---
 title: Configure alert notifications in Microsoft Defender for Endpoint
 description: You can use Microsoft Defender for Endpoint to configure email notification settings for security alerts, based on severity and other criteria.
 keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure alert notifications in Microsoft Defender ATP
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
 You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
 > [!NOTE]
 > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
 You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md).
 If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
 Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope.
 Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
 The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
 ## Create rules for alert notifications
 You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
 1. In the navigation pane, select **Settings** > **Alert notifications**.
 2. Click **Add notification rule**.
 3. Specify the General information:
    - **Rule name** - Specify a name for the notification rule.
    - **Include organization name** - Specify the customer name that appears on the email notification.
    - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
    - **Include device information** - Includes the device name in the email alert body.
        >[!NOTE]
        > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data.
    - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md).
    - **Alert severity** - Choose the alert severity level.
 4. Click **Next**.
 5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses.
 6. Check that email recipients are able to receive the email notifications by selecting **Send test email**.
 7. Click **Save notification rule**.
 ## Edit a notification rule
 1. Select the notification rule you'd like to edit.
 2. Update the General and Recipient tab information.
 3. Click **Save notification rule**.
 ## Delete notification rule
 1. Select the notification rule you'd like to delete.
 2. Click **Delete**.
 ## Troubleshoot email notifications for alerts
 This section lists various issues that you may encounter when using email notifications for alerts.
 **Problem:** Intended recipients report they are not getting the notifications.
 **Solution:** Make sure that the notifications are not blocked by email filters:
 1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
 2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
 3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
 ## Related topics
 - [Update data retention settings](data-retention-settings.md)
 - [Configure advanced features](advanced-features.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@ -1,246 +0,0 @@
 ---
 title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
 description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
 keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender for Endpoint devices, group policy
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 04/24/2018
 ms.technology: mde
 ---
 # Onboard Windows 10 devices using Group Policy 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - Group Policy
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
 > [!NOTE]
 > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
 > 
 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
 ## Onboard devices using Group Policy
 [![Image of the PDF showing the various deployment paths](images/onboard-gp.png)](images/onboard-gp.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. 
 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Onboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **Group policy**.
    1. Click **Download package** and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
 3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
 5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
 6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
 7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
 8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
 9. Click **OK** and close any open GPMC windows.
 >[!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
 ## Additional Defender for Endpoint configuration settings
 For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
 You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
 ### Configure sample collection settings
 1.  On your GP management device, copy the following files from the
    configuration package:
    - Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
    - Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
    If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the
    configuration package:
    - Copy _AtpConfiguration.admx_ into _\\\\\<forest.root\>\\SysVol\\\<forest.root\>\\Policies\\PolicyDefinitions_
    - Copy _AtpConfiguration.adml_ into _\\\\\<forest.root\>\\SysVol\\\<forest.root\>\\Policies\\PolicyDefinitions\\en-US_
 2.  Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**.
 3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
 4.  Click **Policies**, then **Administrative templates**.
 5.  Click **Windows components** and then **Windows Defender ATP**.
 6.  Choose to enable or disable sample sharing from your devices.
 >[!NOTE]
 > If you don't set a value, the default value is to enable sample collection.
 ## Other recommended configuration settings
 ### Update endpoint protection configuration
 After configuring the onboarding script, continue editing the same group policy to add endpoint protection configurations. Perform group policy edits from a system running Windows 10 or Server 2019 to ensure you have all of the required Microsoft Defender Antivirus capabilities. You may need to close and reopen the group policy object to register the Defender ATP configuration settings.
 All policies are located under `Computer Configuration\Policies\Administrative Templates`.
 **Policy location:** \Windows Components\Windows Defender ATP
 Policy | Setting 
 :---|:---
 Enable\Disable Sample collection|	Enabled - "Enable sample collection on machines" checked
 <br/>
 **Policy location:**  \Windows Components\Windows Defender Antivirus
 Policy | Setting 
 :---|:---
 Configure detection for potentially unwanted applications | Enabled, Block
 <br/>
 **Policy location:** \Windows Components\Windows Defender Antivirus\MAPS
 Policy | Setting 
 :---|:---
 Join Microsoft MAPS | Enabled, Advanced MAPS
 Send file samples when further analysis is required | Enabled, Send safe samples
 <br/>
 **Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection
 Policy | Setting 
 :---|:---
 Turn off real-time protection|Disabled
 Turn on behavior monitoring|Enabled
 Scan all downloaded files and attachments|Enabled
 Monitor file and program activity on your computer|Enabled
 <br/>
 **Policy location:**  \Windows Components\Windows Defender Antivirus\Scan
 These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
 Policy | Setting 
 :---|:---
 Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled
 <br/>
 **Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
 Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
 1. Open the **Configure Attack Surface Reduction** policy.
 1. Select **Enabled**.
 1. Select the **Show** button.
 1. Add each GUID in the **Value Name** field with a Value of 2.
   This will set each up for audit only.
   ![Image of attack surface reduction configuration](images/asr-guid.png)
 Policy | Setting 
 :---|:---
 Configure Controlled folder access|	Enabled, Audit Mode
 ## Offboard devices using Group Policy
 For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Offboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **Group policy**.
    1. Click **Download package** and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
 5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
 6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
 7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
 8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared  *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
 9. Click **OK** and close any open GPMC windows.
 > [!IMPORTANT]
 > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
 ## Monitor device configuration
 With Group Policy there isn’t an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.
 ## Monitor devices using the portal
 1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
 2. Click **Devices list**.
 3. Verify that devices are appearing.
 > [!NOTE]
 > It can take several days for devices to start showing on the **Devices list**. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
 ## Related topics
 - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
 - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
 - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
 - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
 - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices](run-detection-test.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@ -1,101 +0,0 @@
 ---
 title: Onboard Windows 10 devices using Mobile Device Management tools
 description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
 keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender for Endpoint devices, mdm
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Onboard Windows 10 devices using Mobile Device Management tools
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
 You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices.
 For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
 ## Before you begin
 If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. 
 For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
 ## Onboard devices using Microsoft Intune
 [![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. 
 Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
 For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
 > [!NOTE]
 > - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated.
 > - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.
 >[!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 ## Offboard and monitor devices using Mobile Device Management tools
 For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
   1. In the navigation pane, select **Settings** > **Offboarding**.
   1. Select Windows 10 as the operating system.
   1. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
   1. Click **Download package**, and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.
      OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding<br/>
      Date type: String<br/>
      Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
 For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
 > [!NOTE]
 > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
 > [!IMPORTANT]
 > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
 ## Related topics
 - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
 - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
 - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
 - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
 - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@ -1,75 +0,0 @@
 ---
 title: Onboard non-Windows devices to the Microsoft Defender for Endpoint service
 description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service.
 keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Onboard non-Windows devices
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platforms**
 - macOS
 - Linux
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) 
 Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. 
 You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see:
 - [Microsoft Defender for Endpoint for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements)  
 - [Microsoft Defender for Endpoint for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements).
 ## Onboarding non-Windows devices
 You'll need to take the following steps to onboard non-Windows devices:
 1. Select your preferred method of onboarding:
   - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
   - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.   
     1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
        2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices.
        3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page.
        4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. 
 2. Run a detection test by following the instructions of the third-party solution.
 ## Offboard non-Windows devices
 1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint.
 2. Remove permissions for the third-party solution in your Azure AD tenant.
   1. Sign in to the [Azure portal](https://portal.azure.com).
   2. Select **Azure Active Directory > Enterprise Applications**.
   3. Select the application you'd like to offboard.
   4. Select the **Delete** button.
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Onboard servers](configure-server-endpoints.md)
 - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
 - [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@ -1,242 +0,0 @@
 ---
 title: Onboard Windows 10 devices using Configuration Manager
 description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
 keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 02/07/2020
 ms.technology: mde
 ---
 # Onboard Windows 10 devices using Configuration Manager
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 - Microsoft Endpoint Configuration Manager current branch
 - System Center 2012 R2 Configuration Manager
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
 ## Supported client operating systems
 Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:
 #### Configuration Manager version 1910 and prior
 - Clients computers running Windows 10 
 #### Configuration Manager version 2002 and later
 Starting in Configuration Manager version 2002, you can onboard the following operating systems:
 - Windows 8.1
 - Windows 10
 - Windows Server 2012 R2
 - Windows Server 2016
 - Windows Server 2016, version 1803 or later
 - Windows Server 2019
 >[!NOTE]
 >For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md).
 ### Onboard devices using System Center Configuration Manager
 [![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. 
 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Onboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
    1. Select **Download package**, and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
    a. Choose a predefined device collection to deploy the package to.
 > [!NOTE]
 > Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
 >[!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
 >
 > Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program.
 > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
 > 
 > This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
 > This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status".
 For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
 ### Configure sample collection settings
 For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
 >[!NOTE]
 >These configuration settings are typically done through Configuration Manager. 
 You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
 This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they’re complaint.
 The configuration is set through the following registry key entry:
 ```console
 Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
 Name: "AllowSampleCollection"
 Value: 0 or 1
 ```
 Where:<br>
 Key type is a D-WORD. <br>
 Possible values are:
 - 0 - doesn't allow sample sharing  from this device
 - 1 - allows sharing of all file types from this device
 The default value in case the registry key doesn’t exist is 1.
 For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
 ## Other recommended configuration settings
 After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
 ### Device collection configuration
 If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
 ### Next generation protection configuration
 The following configuration settings are recommended:
 **Scan** <br>
 - Scan removable storage devices such as USB drives: Yes
 **Real-time Protection** <br>
 - Enable Behavioral Monitoring: Yes
 - Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
 **Cloud Protection Service**
 - Cloud Protection Service membership type: Advanced membership
 **Attack surface reduction**
 Configure all available rules to Audit.
 >[!NOTE]
 > Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
 **Network protection** <br>
 Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
 **Controlled folder access**<br>
 Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
 For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
 ## Offboard devices using Configuration Manager
 For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 ### Offboard devices using Microsoft Endpoint Manager current branch
 If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
 ### Offboard devices using System Center 2012 R2 Configuration Manager
 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** >  **Offboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
    1. Select **Download package**, and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
    a. Choose a predefined device collection to deploy the package to.
 > [!IMPORTANT]
 > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
 ## Monitor device configuration
 If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
 If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
 2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service).
 ### Confirm the configuration package has been correctly deployed
 1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
 2. Select **Overview** and then **Deployments**.
 3. Select on the deployment with the package name.
 4. Review the status indicators under **Completion Statistics** and **Content Status**.
    If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to  troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md).
    ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png)
 ### Check that the devices are compliant with the Microsoft Defender ATP service
 You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
 This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices.
 Monitor the following registry key entry:
 ```console
 Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
 Name: "OnboardingState"
 Value: "1"
 ```
 For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
 ## Related topics
 - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
 - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
 - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
 - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
 - [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
@ -1,150 +0,0 @@
 ---
 title: Onboard Windows 10 devices using a local script
 description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
 keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Onboard Windows 10 devices using a local script
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
 You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
 > [!IMPORTANT]
 > This script has been optimized for use on up to 10 devices.
 >
 > To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
 ## Onboard devices 
 [![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. 
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Onboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **Local Script**.
    1. Click **Download package** and save the .zip file.
 2.  Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 3.  Open an elevated command-line prompt on the device and run the script:
    1.  Go to **Start** and type **cmd**.
    1.  Right-click **Command prompt** and select **Run as administrator**.
        ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
 4.  Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
 5.  Press the **Enter** key or click **OK**.
 For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md).
 >[!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md).
 ## Configure sample collection settings
 For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
 You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.  
 The configuration is set through the following registry key entry:
 ```console
 Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
 Name: "AllowSampleCollection"
 Value: 0 or 1
 ```
 Where:<br>
 Name type is a D-WORD. <br>
 Possible values are:
 - 0 - doesn't allow sample sharing  from this device
 - 1 - allows sharing of all file types from this device
 The default value in case the registry key doesn’t exist is 1.
 ## Offboard devices using a local script
 For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Offboarding**.
    1. Select Windows 10 as the operating system.
    1. In the **Deployment method** field, select **Local Script**.
    1. Click **Download package** and save the .zip file.
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 3.  Open an elevated command-line prompt on the device and run the script:
    1.  Go to **Start** and type **cmd**.
    1.  Right-click **Command prompt** and select **Run as administrator**.
        ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
 4.  Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
 5.  Press the **Enter** key or click **OK**.
 > [!IMPORTANT]
 > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
 ## Monitor device configuration
 You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running.
 Monitoring can also be done directly on the portal, or by using the different deployment tools.
 ### Monitor devices using the portal
 1. Go to Microsoft Defender Security Center.
 2. Click **Devices list**.
 3. Verify that devices are appearing.
 ## Related topics
 - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
 - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
 - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
 - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
 - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@ -1,175 +0,0 @@
 ---
 title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
 description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
 keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender for Endpoint endpoints
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.date: 04/16/2020
 ms.technology: mde
 ---
 # Onboard non-persistent virtual desktop infrastructure (VDI) devices
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 - Virtual desktop infrastructure (VDI) devices
 - Windows 10, Windows Server 2019, Windows Server 2008R2/2012R2/2016
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
 ## Onboard non-persistent virtual desktop infrastructure (VDI) devices
 Defender for Endpoint supports non-persistent VDI session onboarding. 
 There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
 - Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
 - The device name is typically reused for new sessions.
 VDI devices can appear in Defender for Endpoint portal as either:
 - Single entry for each device.  
 Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
 - Multiple entries for each device - one for each session.
 The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
 >[!WARNING]
 > For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding. 
 ### For Windows 10 or Windows Server 2019
 1.  Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1.  In the navigation pane, select **Settings** > **Onboarding**.
    1. Select Windows 10 as the operating system.
    1.  In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
    1. Click **Download package** and save the .zip file.
 2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. 
    1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
    1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
    > [!NOTE]
    > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
 3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
   > [!NOTE]
   > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
 4. Depending on the method you'd like to implement, follow the appropriate steps: <br>
   **For single entry for each device**:<br>
   Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
   **For multiple entries for each device**:
   Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
 5. Test your solution:
   1. Create a pool with one device.
   1. Logon to device.
   1. Logoff from device.
   1. Logon to device with another user.
   1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
      **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
 6. Click **Devices list** on the Navigation pane.
 7. Use the search function by entering the device name and select **Device** as search type.
 ## For downlevel SKUs
 > [!NOTE]
 > The following registry is relevant only when the aim is to achieve a 'Single entry for each device'.
 1. Set registry value to:
    ```reg
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging]
    "VDI"="NonPersistent"
    ```
    or using command line:
    ```
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f
    ```
 2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). 
 ## Updating non-persistent virtual desktop infrastructure (VDI) images
 As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
 For example, you can use the below commands to install an update while the image remains offline:
 ```console
 DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" 
 DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
 DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
 ```
 For more information on DISM commands and offline servicing, please refer to the articles below:
 - [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
 - [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
 - [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
 If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
 1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
 2. Ensure the sensor is stopped by running the command below in a CMD window:
   ```console
   sc query sense
   ```
 3. Service the image as needed.
 4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
    ```console
    PsExec.exe -s cmd.exe
    cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
    del *.* /f /s /q
    REG DELETE “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
    exit
    ```
 5. Re-seal the golden/master image as you normally would.
 ## Related topics
 - [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
 - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
 - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
 - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@ -1,51 +0,0 @@
 ---
 title: Onboarding tools and methods for Windows 10 devices
 description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor
 keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Onboarding tools and methods for Windows 10 devices
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
 The following deployment tools and methods are supported:
 - Group Policy
 - Microsoft Endpoint Configuration Manager
 - Mobile Device Management (including Microsoft Intune)
 - Local script
 ## In this section
 Topic | Description
 :---|:---
 [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
 [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
 [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
 [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
 [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@ -1,56 +0,0 @@
 ---
 title: Optimize ASR rule deployment and detections
 description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
 keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Optimize ASR rule deployment and detections
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 > Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
 [Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
 ![Attack surface management card](images/secconmgmt_asr_card.png)<br>
 *Attack surface management card*
 The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
 * Understand how ASR rules are currently deployed in your organization.
 * Review ASR detections and identify possible incorrect detections.
 * Analyze the impact of exclusions and generate the list of file paths to exclude.
 Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
 ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br>
 The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
 > [!NOTE]
 > To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
 For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
 **Related topics**
 * [Ensure your devices are configured properly](configure-machines.md)
 * [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md)
 * [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@ -1,74 +0,0 @@
 ---
 title: Get devices onboarded to Microsoft Defender ATP
 description: Track onboarding of Intune-managed devices to Microsoft Defender ATP and increase onboarding rate.
 keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Get devices onboarded to Microsoft Defender for Endpoint
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
 Before you can track and manage onboarding of devices:
 - [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
 - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
 ## Discover and track unprotected devices
 The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices.
 ![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
 *Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
 >[!NOTE]
 >If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices.
 ## Onboard more devices with Intune profiles
 Defender for Endpoint provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Defender for Endpoint sensor to select devices, effectively onboarding these devices to the service.
 From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
 ![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
   *Microsoft Defender ATP device compliance page on Intune device management*
 >[!TIP]
 >Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
 >[!NOTE]
 > If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
 From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either:
 - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
 - Create the device configuration profile from scratch.
 For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 ## Related topics
 - [Ensure your devices are configured properly](configure-machines.md)
 - [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md)
 - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@ -1,107 +0,0 @@
 ---
 title: Increase compliance to the Microsoft Defender ATP security baseline
 description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
 keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Increase compliance to the Microsoft Defender for Endpoint security baseline
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection.
 To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
 Before you can deploy and track compliance to security baselines:
 - [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
 - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
 ## Compare the Microsoft Defender ATP and the Windows Intune security baselines
 The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
 - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
 - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
 Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
 >[!NOTE]
 >The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
 ## Monitor compliance to the Defender for Endpoint security baseline
 The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline.
 ![Security baseline card](images/secconmgmt_baseline_card.png)<br>
 *Card showing compliance to the Defender for Endpoint security baseline*
 Each device is given one of the following status types:
 - **Matches baseline**—device settings match all the settings in the baseline
 - **Does not match baseline**—at least one device setting doesn't match the baseline
 - **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state
 - **Not applicable**—At least one baseline setting isn't applicable on the device
 To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
 >[!NOTE]
 >You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
 ## Review and assign the Microsoft Defender for Endpoint security baseline
 Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
   >[!TIP]
   > Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
 2. Create a new profile.
   ![Microsoft Defender for Endpoint security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)<br>
   *Microsoft Defender for Endpoint security baseline overview on Intune*
 3. During profile creation, you can review and adjust specific settings on the baseline.
   ![Security baseline options during profile creation on Intune](images/secconmgmt_baseline_intuneprofile2.png)<br>
   *Security baseline options during profile creation on Intune*
 4. Assign the profile to the appropriate device group.
   ![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
   *Assigning the security baseline profile on Intune*
 5. Create the profile to save it and deploy it to the assigned device group.
   ![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
   *Creating the security baseline profile on Intune*
 >[!TIP]
 >Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 ## Related topics
 - [Ensure your devices are configured properly](configure-machines.md)
 - [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md)
 - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@ -1,85 +0,0 @@
 ---
 title: Ensure your devices are configured properly
 description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
 keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.technology: mde
 ---
 # Ensure your devices are configured properly
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
 With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
 - Onboard to Microsoft Defender for Endpoint
 - Meet or exceed the Defender for Endpoint security baseline configuration
 - Have strategic attack surface mitigations in place
 Click **Configuration management** from the navigation menu to open the Device configuration management page.
 ![Security configuration management page](images/secconmgmt_main.png)<br>
 *Device configuration management page*
 You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
 In doing so, you benefit from:
 - Comprehensive visibility of the events on your devices
 - Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators
 - A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
 - Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
 ## Enroll devices to Intune management
 Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices.
 Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
 >[!NOTE]
 >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
 >[!TIP] 
 >To optimize device management through Intune, [connect Intune to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
 ## Obtain required permissions
 By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
 If you have been assigned other roles, ensure you have the necessary permissions:
 - Full permissions to device configurations
 - Full permissions to security baselines
 - Read permissions to device compliance policies
 - Read permissions to the organization
 ![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
 *Device configuration permissions on Intune*
 >[!TIP] 
 >To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
 ## In this section
 Topic | Description
 :---|:---
 [Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. 
 [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
 [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@ -1,155 +0,0 @@
 ---
 title: Configure and manage Microsoft Threat Experts capabilities
 ms.reviewer: 
 description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work.
 keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
 search.product: Windows 10
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
 author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: article
 ms.technology: mde
 ---
 # Configure and manage Microsoft Threat Experts capabilities
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 ## Before you begin 
 > [!NOTE]
 > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service.
 Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
 If you're a Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries.
 ## Apply for Microsoft Threat Experts - Targeted Attack Notifications service 
 If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center. 
 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts - Targeted Attack Notifications**.
 2. Click **Apply**.
    ![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png)
 3. Enter your name and email address so that Microsoft can get back to you on your application.
    ![Image of Microsoft Threat Experts application](images/mte-apply.png)
 4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
    ![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png)
 When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is “on”. In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle “off” and click **Save preferences** at the bottom of the page. 
 ## Where you'll see the targeted attack notifications from Microsoft Threat Experts 
 You can receive targeted attack notification from Microsoft Threat Experts through the following medium:  
 - The Defender for Endpoint portal's **Incidents** page 
 - The Defender for Endpoint portal's **Alerts** dashboard  
 - OData alerting [API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)
 - [DeviceAlertEvents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
 - Your email, if you choose to configure it 
 To receive targeted attack notifications through email, create an email notification rule.
 ### Create an email notification rule 
 You can create rules to send email notifications for notification recipients. See  [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
 ## View the targeted attack notification  
 You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.  
 1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**. 
 2. From the dashboard, select the same alert topic that you got from the email, to view the details.  
 ## Subscribe to Microsoft Threat Experts - Experts on Demand
 This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand. 
 ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization 
 You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard. 
 > [!NOTE]
 > - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
 > - You need to have the **Manage security settings** permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request. 
 2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**. 
    ![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png)
    A flyout screen opens. The following screen shows when you are on a trial subscription.
    ![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png)
    The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
    ![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png)
    The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
 3.  In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
 4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
 > [!NOTE]
 > If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Technical Account Manager. 
 Watch this video for a quick overview of the Microsoft Services Hub.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] 
 ## Sample investigation topics that you can consult with Microsoft Threat Experts - Experts on Demand 
 **Alert information**
 - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
 - We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
 - I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored?
 - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. 
 **Possible machine compromise**
 - Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
 - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
 **Threat intelligence details**
 - We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
 - I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor? 
 **Microsoft Threat Experts’ alert communications** 
 - Can your incident response team help us address the targeted attack notification that we got?
 - I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
 - I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
  >[!NOTE]
  >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s  Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. 
 ## Scenario
 ### Receive a progress report about your managed hunting inquiry 
 Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories: 
 - More information is needed to continue with the investigation 
 - A file or several file samples are needed to determine the technical context 
 - Investigation requires more time   
 - Initial information was enough to conclude the investigation 
 It is crucial to respond in quickly to keep the investigation moving. 
 ## Related topic
 - [Microsoft Threat Experts overview](microsoft-threat-experts.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
@ -1,49 +0,0 @@
 ---
 title: Configure alert notifications that are sent to MSSPs
 description: Configure alert notifications that are sent to MSSPs
 keywords: managed security service provider, mssp, configure, integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure alert notifications that are sent to MSSPs 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
 >[!NOTE]
 >This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
 After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
 For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
 These check boxes must be checked:
 - **Include organization name** - The customer name will be added to email notifications
 - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
 ## Related topics
 - [Grant MSSP access to the portal](grant-mssp-access.md)
 - [Access the MSSP customer portal](access-mssp-portal.md)
 - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@ -1,78 +0,0 @@
 ---
 title: Configure managed security service provider support
 description: Take the necessary steps to configure the MSSP integration with the Microsoft Defender for Endpoint
 keywords: managed security service provider, mssp, configure, integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Configure managed security service provider integration
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
 [!include[Prerelease information](../../includes/prerelease.md)]
 You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
 >[!NOTE]
 >The following terms are used in this article to distinguish between the service provider and service consumer:
 > - MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
 > - MSSP customers: Organizations that engage the services of MSSPs.
 The integration will allow MSSPs to take the following actions:
 - Get access to MSSP customer's Microsoft Defender Security Center portal
 - Get email notifications, and 
 - Fetch alerts through security information and event management (SIEM) tools
 Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. 
 Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
 In general, the following configuration steps need to be taken:
 - **Grant the MSSP access to Microsoft Defender Security Center** <br>
 This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
 - **Configure alert notifications sent to MSSPs** <br>
 This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
 - **Fetch alerts from MSSP customer's tenant into SIEM system** <br> 
 This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
 - **Fetch alerts from MSSP customer's tenant using APIs** <br>
 This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
 ## Multi-tenant access for MSSPs
 For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
 ## Related topics
 - [Grant MSSP access to the portal](grant-mssp-access.md)
 - [Access the MSSP customer portal](access-mssp-portal.md)
 - [Configure alert notifications](configure-mssp-notifications.md)
 - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@ -1,225 +0,0 @@
 ---
 title: Configure device proxy and Internet connection settings
 description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service.
 keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
  - m365-security-compliance
  - m365initiative-defender-endpoint
 ms.topic: article
 ms.technology: mde
 ---
 # Configure device proxy and Internet connectivity settings
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
 The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.
 The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service.
 >[!TIP]
 >For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
 The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
 - Auto-discovery methods:
  - Transparent proxy
  - Web Proxy Auto-discovery Protocol (WPAD)
    > [!NOTE]
    > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
 - Manual static proxy configuration:
  - Registry based configuration
  - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
 ## Configure the proxy server manually using a registry-based static proxy
 Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet.
 The static proxy is configurable through Group Policy (GP). The group policy can be found under:
 - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
  - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
  ![Image of Group Policy setting1](images/atp-gpo-proxy1.png)
 - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
  - Configure the proxy:<br>
    ![Image of Group Policy setting2](images/atp-gpo-proxy2.png)
    The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
    The registry value `TelemetryProxyServer` takes the following string format:
    ```text
    <server name or ip>:<port>
    ```
    For example: 10.0.0.6:8080
    The registry value `DisableEnterpriseAuthProxy` should be set to 1.
 ## Configure the proxy server manually using netsh command
 Use netsh to configure a system-wide static proxy.
 > [!NOTE]
 > - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
 > - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
 1. Open an elevated command-line:
    a. Go to **Start** and type **cmd**.
    b. Right-click **Command prompt** and select **Run as administrator**.
 2. Enter the following command and press **Enter**:
   ```PowerShell
   netsh winhttp set proxy <proxy>:<port>
   ```
   For example: netsh winhttp set proxy 10.0.0.6:8080
 To reset the winhttp proxy, enter the following command and press **Enter**
 ```PowerShell
 netsh winhttp reset proxy
 ```
 See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
 ## Enable access to Microsoft Defender for Endpoint service URLs in the proxy server
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
 |**Spreadsheet of domains list**|**Description**|
 |:-----|:-----|
 |![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/>  | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx) 
 If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
 > [!NOTE]
 > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br>
 > [!NOTE]
 > URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
 > [!NOTE]
 > If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
 If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
 ### Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server
 The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
 |Agent Resource|Ports |Direction |Bypass HTTPS inspection|
 |------|---------|--------|--------|   
 |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |  
 |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |  
 |*.blob.core.windows.net |Port 443 |Outbound|Yes |
 |*.azure-automation.net |Port 443 |Outbound|Yes |  
 > [!NOTE]
 > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
 ## Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements 
 Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.
 1.	Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
 2.	Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal.
 3.	Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
 4.	Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)).
 ![Image of administrator in Windows PowerShell](images/admin-powershell.png)
 The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal.
 The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results. 
 > [!NOTE]
 > In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).
 ## Verify client connectivity to Microsoft Defender ATP service URLs
 Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
 1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on.
 2. Extract the contents of MDATPClientAnalyzer.zip on the device.
 3. Open an elevated command-line:
    a. Go to **Start** and type **cmd**.
    b.  Right-click **Command prompt** and select **Run as administrator**.
 4. Enter the following command and press **Enter**:
    ```PowerShell
    HardDrivePath\MDATPClientAnalyzer.cmd
    ```
    Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
    ```PowerShell
    C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
    ```
 5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
 6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
   The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
   ```text
   Testing URL : https://xxx.microsoft.com/xxx
   1 - Default proxy: Succeeded (200)
   2 - Proxy auto discovery (WPAD): Succeeded (200)
   3 - Proxy disabled: Succeeded (200)
   4 - Named proxy: Doesn't exist
   5 - Command line proxy: Doesn't exist
   ```
 If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method. <br><br>
 However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
 > [!NOTE]
 > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
 > [!NOTE]
 > When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy.
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@ -1,286 +0,0 @@
 ---
 title: Onboard Windows servers to the Microsoft Defender for Endpoint service
 description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
 keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 ms.author: macapara
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Onboard Windows servers to the Microsoft Defender for Endpoint service
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 **Platforms**
 - Windows Server 2008 R2 SP1
 - Windows Server 2012 R2
 - Windows Server 2016
 - Windows Server (SAC) version 1803 and later
 - Windows Server 2019 and later
 - Windows Server 2019 core edition
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
 Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
 For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
 For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
 <br>
 ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
 You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options:
 - **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)
 - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
 - **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later)
 After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
 > [!NOTE]
 > Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
 ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
 You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
 If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
 In general, you'll need to take the following steps:
 1. Fulfill the onboarding requirements outlined in **Before you begin** section.
 2. Turn on server monitoring from Microsoft Defender Security center.
 3. Install and configure MMA for the server to report sensor data to Defender for Endpoint.
 4. Configure and update System Center Endpoint Protection clients.
 > [!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
 #### Before you begin 
 Perform the following steps to fulfill the onboarding requirements:
 - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
    - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
 - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
    - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
    - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
 - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
    > [!NOTE]
    > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
 <span id="server-mma"/>
 ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint
 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
    - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard). <br>
    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
    - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
    - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
 > [!NOTE]
 > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
 <span id="server-proxy"/>
 ### Configure Windows server proxy and Internet connectivity settings if needed
 If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server:
 - [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)
 - [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)
 If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. 
 Once completed, you should see onboarded Windows servers in the portal within an hour.
 ### Option 2: Onboard Windows servers through Azure Security Center
 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
 2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
 3. Click **Onboard Servers in Azure Security Center**.
 4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
 After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
 > [!NOTE]
 > - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
 > - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. 
 > - This is also required if the server is configured to use an OMS Gateway server as proxy.
 ### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later
 You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
 in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
 After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
 <br>
 ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
 You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
 - [Local script](configure-endpoints-script.md) 
 - [Group Policy](configure-endpoints-gp.md)
 - [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
 - [System Center Configuration Manager 2012 / 2012 R2  1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
 - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
 > [!NOTE]
 > - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
 > - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, or Microsoft Endpoint Configuration Manager.
 Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
 1. Configure Defender for Endpoint onboarding settings on the Windows server using the same tools and methods for Windows 10 devices. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
    1. Set the following registry entry:
       - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
       - Name: ForceDefenderPassiveMode
       - Type: REG_DWORD
       - Value: 1
    1. Run the following PowerShell command to verify that the passive mode was configured:
       ```PowerShell
       Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
       ```
    1. Confirm  that a recent event containing the passive mode event is found:
       ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
 3. Run the following command to check if Microsoft Defender AV is installed:
   ```sc.exe query Windefend```
    If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
    For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
 <br>
 ## Integration with Azure Security Center
 Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
 The following capabilities are included in this integration:
 - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
    > [!NOTE]
    > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).
 - Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers.  In addition, Defender for Endpoint alerts will be available in the Azure Security Center console.
 - Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
 > [!IMPORTANT]
 > - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
 Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.
 > - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
 > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
 Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
 <br>
 ## Configure and update System Center Endpoint Protection clients
 Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
 The following steps are required to enable this integration:
 - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
 - [Configure the SCEP client Cloud Protection Service membership](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to the **Advanced** setting.
 <br>
 ## Offboard Windows servers
 You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
 For other Windows server versions, you have two options to offboard Windows servers from the service:
 - Uninstall the MMA agent
 - Remove the Defender for Endpoint workspace configuration
 > [!NOTE]
 > Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.
 ### Uninstall Windows servers by uninstalling the MMA agent
 To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint.
 For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
 ### Remove the Defender for Endpoint workspace configuration
 To offboard the Windows server, you can use either of the following methods:
 - Remove the Defender for Endpoint workspace configuration from the MMA agent
 - Run a PowerShell command to remove the configuration
 #### Remove the Defender for Endpoint workspace configuration from the MMA agent
 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
 2. Select the Defender for Endpoint workspace, and click **Remove**.
    ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png)
 #### Run a PowerShell command to remove the configuration
 1. Get your Workspace ID:
   1. In the navigation pane, select **Settings** > **Onboarding**.
   1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
      ![Image of Windows server onboarding](images/atp-server-offboarding-workspaceid.png)
 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
    ```powershell
    $ErrorActionPreference = "SilentlyContinue"
    # Load agent scripting object
    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    # Remove OMS Workspace
    $AgentCfg.RemoveCloudWorkspace("WorkspaceID")
    # Reload the configuration and apply changes
    $AgentCfg.ReloadConfiguration()
    ```
 <br>
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Onboard non-Windows devices](configure-endpoints-non-windows.md)
 - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
 - [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md)
 - [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
--- a/Show More
+++ b/Show More