add NP troubleshooting, change add TOC, update ASR with info on file attachment.

windows/threat-protection/TOC.md

@@ -229,10 +229,11 @@
 #### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
 #### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
 ### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
 #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
 #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
 ### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
 #### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
 #### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md

@@ -26,12 +26,15 @@ ms.date: 11/01/2017
 
 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. 
 
-In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
+In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md).
 
-Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) topic, met all required pre-requisites, and taken any other suggested troubleshooting steps.
+Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics:
+- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) 
+- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) 
 
 
-1. On the endpoint where the rule is not functioning, obtain the .cab diagnostic file by following this process:
+
+1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process:
 
     1. Open an administrator-level version of the command prompt:
         
@@ -58,10 +61,6 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D
 2. Attach this .cab file to the submission form where indicated.
 
 
-
-
-## Related topics
-
 ## Related topics
 
 - [Troubleshoot Attack surface reduction rules](#troubleshoot-asr.md)

windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md

@@ -42,7 +42,7 @@ There are four steps to troubleshooting these problems:
 
 ## Confirm pre-requisites
 
-Windows Defender Exploit Guard will only work on devices with the following conditions:
+Attack surface reduction (ASR) will only work on devices with the following conditions:
 
 >[!div class="checklist"]
 > - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
@@ -106,8 +106,16 @@ If you have followed all previous troubleshooting steps, and you still have a pr
 
 ## Collect diagnostic data
 
+You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with ASR.
+
+When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
+
+You must also attach associated files in a .zip file (such as the file or executable that is not being blocked, or being incorrectly blocked) along with a diagnostic .cab file to your submission. 
+
+Follow the link below for instructions on how to collect the .cab file:
+
 > [!div class="nextstepaction"]
-> [Collect and submit diagnostic data for ASR rules](collect-cab-files-exploit-guard-submission.md)
+> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
 
 
 

windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md

@@ -0,0 +1,104 @@
+---
+title: Troubleshoot problems with Network protection
+description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
+keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 11/02/2017
+---
+
+# Troubleshoot Network protection
+
+**Applies to:**
+
+- Windows 10, version 1709
+
+**Audience**
+
+- IT administrators
+
+When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
+
+- Network protection blocks a website that is safe (false positive)
+- Network protection fails to block a suspicious or known malicious website (false negative)
+
+
+
+There are four steps to troubleshooting these problems:
+
+1. Confirm that you have met all pre-requisites
+2. Use audit mode to test the rule
+3. Add exclusions for the specified rule (for false positives)
+3. Submit support logs
+
+
+
+## Confirm pre-requisites
+
+Windows Defender Exploit Guard will only work on devices with the following conditions:
+
+>[!div class="checklist"]
+> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
+> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules).
+
+
+If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
+
+## Use audit mode to test the rule
+
+There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode.
+
+You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions.
+
+If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
+
+>[!TIP]
+>While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. 
+
+You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run.
+
+1. Enable audit mode for Network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
+2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+
+
+>[!IMPORTANT] 
+>Audit mode will stop the Network protection from blocking known malicious connections. 
+>
+>If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. 
+>
+>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
+
+
+If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. 
+
+## Report a false positive or false negative
+
+You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with Network protection.
+
+When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
+
+You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file:
+
+> [!div class="nextstepaction"]
+> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
+
+
+
+
+
+
+## Related topics
+
+- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+- [Network protection](network-protection-exploit-guard.md)