solve merge conflicts

devices/surface-hub/TOC.md

@@ -20,6 +20,7 @@
 ### [Configure Easy Authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md)
 
 ## Deploy
+### [First run setup for Surface Hub 2S](surface-hub-2s-setup.md)
 ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md)
 ### [Create Surface Hub 2S device account](surface-hub-2s-account.md)
 ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)

devices/surface-hub/surface-hub-2s-pack-components.md

@@ -19,15 +19,9 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor
 >[!IMPORTANT]  
 >When packing your device for shipment, make sure that you use the packaging in which your replacement device arrived.  
 
-This article contains the following procedures:
+## How to pack your Surface Hub 2S 50”
 
-- [How to pack your Surface Hub 2S 55”](#how-to-pack-your-surface-hub-2s-55)  
+Use the following steps to pack your Surface Hub 2S 50" for shipment.
-- [How to replace and pack your Surface Hub 2S Compute Cartridge](#how-to-replace-and-pack-your-surface-hub-2s-compute-cartridge)  
-- [How to replace your Surface Hub 2S Camera](#how-to-replace-your-surface-hub-2s-camera)  
-
-## How to pack your Surface Hub 2S 55”
-
-Use the following steps to pack your Surface Hub 2S 55" for shipment.
 
 ![The Surface Hub unit and mobile stand.](images/surface-hub-2s-repack-1.png)
 

devices/surface-hub/surface-hub-2s-setup.md

@@ -0,0 +1,99 @@
+---
+title: "First time Setup  for Surface Hub 2S"
+description: "Learn how to complete first time Setup for Surface Hub 2S."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: robmazz
+ms.author: robmazz
+audience: Admin
+ms.topic: article
+ms.localizationpriority: Normal
+---
+
+# First time Setup for Surface Hub 2S
+
+When you first start Surface Hub 2S, the device automatically enters first time Setup mode to guide you through account configuration and related settings.
+
+## Configuring Surface Hub 2S account
+
+1. **Configure your locale.** Enter region, language, keyboard layout and time zone information. Select **Next**.
+
+   ![* Configure your locale *](images/sh2-run1.png) <br>
+1. **Connect  to a wireless network.** Choose your preferred wireless network and select **Next.**
+
+- This option is not shown if connected using an Ethernet cable.
+- You cannot connect to a wireless network in hotspots (captive portals) that redirect sign-in requests to a provider’s website.
+
+3. **Enter device account info.** Use **domain\user** for on-premises and hybrid environments and **user@example.com** for online environments. Select **Next.**
+
+   ![* Enter device account info *](images/sh2-run2.png) <br>
+1. **Enter additional info.** If requested, provide your Exchange server address and then select **Next.**
+
+    ![* Enter more info; for example, Exchange server name*](images/sh2-run3.png) <br>
+
+1. **Name this device.** Enter a name for your device or use the suggested one based on your account’s display name and user principle name [UPN]. **Select Next**.
+
+- The **Friendly name** is visible on the bottom left corner of Surface Hub 2S and is shown when projecting to the device.
+
+- The **Device name** identifies the device when affiliated with Active Directory or Azure Active Directory, and when enrolling the device with Intune.
+
+  ![* Name this device*](images/sh2-run4.png) <br>
+ 
+## Configuring device admin accounts
+
+You can only set up device admins during first time Setup. For more information, refer to [Surface Hub 2S device affiliation](https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-prepare-environment#device-affiliation).
+
+ In the **Setup admins for this device** window, select one of the following options: Active Directory Domain Services, Azure Active Directory, or Local admin.
+
+   ![* Setup admins for this device *](images/sh2-run5.png) <br>
+
+### Active Directory Domain Services
+
+1. Enter the credentials of a user who has permissions to join the device to Active Directory.
+
+    ![* Setup admins using domain join *](images/sh2-run6.png) <br>
+
+2. Select the Active Directory Security Group containing members allowed to log on to the Settings app on Surface Hub 2S.
+
+    ![* Enter a security group *](images/sh2-run7.png) <br>
+1. Select **Finish**. The device will restart.
+
+### Azure Active Directory
+
+When choosing to affiliate your device with Azure Active Directory, the device will immediately restart and display the following page. Select **Next**.
+
+![* If your organization uses Office 365 or other business services from Microsoft, we’ll enrolll this device with your organization*](images/sh2-run8.png) <br>
+
+1. Enter the email address or UPN of an account **with Intune Plan 1** or greater and then select **Next.**
+
+    ![* Enter work or school account*](images/sh2-run9.png) <br>
+
+2. If redirected, authenticate using your organization’s sign-in page and provide additional logon information if requested. The device will restart.
+
+## Local Administrator account
+
+- Enter a username and password for your local admin. The device will restart.
+
+     ![* Set up an admin account*](images/sh2-run10.png) <br>
+ 
+## Using provisioning packages
+
+If you insert a USB thumb drive with a provisioning package into one of the USB ports when you start Surface Hub 2S, the device displays the following page.
+
+1. Enter the requested settings and select **Set up**.
+
+    ![* Enter regional settings for provisioning package*](images/sh2-run11.png) <br>
+
+    ![* Provision this device from removable media*](images/sh2-run12.png) <br>
+2. Choose the provisioning package you’d like to use.
+
+   ![* Choose provisioning package to use*](images/sh2-run13.png) <br>
+
+3. If you created a multiple devices CSV file, you will be able to choose a device configuration. For more information, refer to [Create provisioning packages for Surface Hub 2S](https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-deploy#provisioning-multiple-devices-csv-file).
+
+
+    ![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png) <br>
+
+ 4. Follow the instructions to complete first time Setup.
+

devices/surface-hub/surface-hub-2s-startup.md

@@ -1,15 +0,0 @@
----
-title: "Out-of-box startup for Surface Hub 2S"
-description: "Learn about starting Surface Hub 2S for the first time."
-keywords: separate values with commas
-ms.prod: surface-hub
-ms.sitesec: library
-author: robmazz
-ms.author: robmazz
-audience: Admin
-ms.topic: article
-ms.localizationpriority: Normal
-ROBOTS: NOINDEX, NOFOLLOW
----
-
-# Out-of-box startup for Surface Hub 2S

devices/surface/TOC.md

@@ -30,7 +30,7 @@
 ### [Surface System SKU reference](surface-system-sku-reference.md)
 
 ## Manage
-### [Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
+### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
 ### [Battery Limit setting](battery-limit.md)
 ### [Surface Brightness Control](microsoft-surface-brightness-control.md)
 ### [Surface Asset Tag](assettag.md)
@@ -48,7 +48,8 @@
 ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
 
 ## Support
-### [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
+### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md)
+### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
 ### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
 ### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
 ### [Surface Data Eraser](microsoft-surface-data-eraser.md)

devices/surface/change-history-for-surface.md

@@ -15,19 +15,27 @@ ms.topic: article
 
 This topic lists new and updated topics in the Surface documentation library.
 
+## July 2019
+
+| **New or changed topic** | **Description** |
+| ------------------------ | --------------- |
+| [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)              | Renamed to reflect focus on deployment guidance for IT professionals. Covers minor changes in Version 2.41.139.0.   |
+
+
+
 ## June 2019
 
-New or changed topic | Description
+| **New or changed topic** | **Description** |
---- | ---
+| ------------------------ | --------------- |
+|[Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md)             | New introductory page for the Surface Diagnostic Toolkit for Business.  |
+| [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)               |Updated with summary of recommendations for managing power settings and optimizing battery life.   |
 
-[Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) | New
 
 ## March 2019
 
-New or changed topic | Description
+| **New or changed topic** | **Description** |
---- | ---
+| ------------------------ | --------------- |
-
+| [Surface System SKU reference](surface-system-sku-reference.md) | New    |
-[Surface System SKU reference](surface-system-sku-reference.md) | New
 
 
 ## February 2019

devices/surface/surface-diagnostic-toolkit-business.md

@@ -33,7 +33,7 @@ To run SDT for Business, download the components listed in the following table.
 Mode |	Primary scenarios | Download | Learn more
 --- | --- | --- | ---
 Desktop mode |	Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:<br>Microsoft Surface Diagnostic Toolkit for Business Installer<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
-Command line |	Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br>`-warranty` checks warranty information. <br><br>| SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
+Command line |	Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows Update for missing firmware or driver updates.<br>`-warranty` checks warranty information. <br><br>| SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
 
 ## Supported devices 
 
@@ -123,21 +123,22 @@ Creating a custom package allows you to target the tool to specific known issues
 
     *Figure 3. Create custom package*
 
-### Language and telemetry page
+### Language and telemetry settings
 
-  
+  When creating a package, you can select language settings or opt out of sending telemetry information to Microsoft. By default, SDT sends telemetry to Microsoft that is used to improve the application in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). If you wish to decline, clear the check box when creating a custom package, as shown below. Or clear the **Send telemetry to Microsoft** check box on the **Install Options** page during SDT Setup. 
-When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline.
 
 >[!NOTE]
->This setting is limited to only sharing data generated while running packages. 
+>This setting does not affect the minimal telemetry automatically stored on Microsoft servers when running tests and repairs that require an Internet connection, such as Windows Update and Software repair, or providing feedback using the Smile or Frown buttons in the app toolbar. 
+
 
 ![Select language and telemetry settings](images/sdt-4.png)
 
 *Figure 4. Select language and telemetry settings*
 
+
 ### Windows Update page
 
-Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate. 
+Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows Update packages or WSUS, enter the path as appropriate. 
 
 ![Select Windows Update option](images/sdt-5.png)
 
@@ -170,8 +171,8 @@ You can select to run a wide range of logs across applications, drivers, hardwar
 *Release date: June 24, 2019*<br>
 This version of Surface Diagnostic Toolkit for Business adds support for the following: 
 - Driver version information included in logs and report.
-- Ability to provide feedback about the app <br>
+- Ability to provide feedback about the app.<br>
-Please note that even though you turn off telemtry, windows update and feedback still connect to the internet.
+
 
 ### Version 2.36.139.0
 *Release date: April 26, 2019*<br>
@@ -180,11 +181,3 @@ This version of Surface Diagnostic Toolkit for Business adds support for the fol
 - Accessibility improvements.
 - Surface brightness control settings included in logs.
 - External monitor compatibility support link in report generator.
-
-
-
-
-
-
-
-

education/index.md

@@ -55,8 +55,8 @@ ms.prod: w10
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
-                                                    <h3>Deployment Overview</h3>
+                                                    <h3>Deployment Guidance</h3>
-                                                    <p>Learn how to deploy our suite of education offerings. Set up a cloud infrastructure for your school, acquire apps, and configure and manage Windows 10 devices.</p>
+                                                    <p>Dive right into the step-by-step process for the easiest deployment path to M365 EDU. We walk you through setting up cloud infrastructure, configuring and managing devices, and migrating on-premise servers for Sharepoint and Exchange to the cloud.</p>
                                                 </div>
                                             </div>
                                         </div>
@@ -76,7 +76,7 @@ ms.prod: w10
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
-                                                    <h3>1. Cloud deployment</h3>
+                                                    <h3>1. M365 EDU deployment</h3>
                                                     <p>Get started by creating your Office 365 tenant, setting up a cloud infrastructure for your school, and creating, managing, and syncing user accounts.</p>
                                                 </div>
                                             </div>
@@ -104,7 +104,7 @@ ms.prod: w10
                                 </a>
                             </li>
                             <li>
-                                <a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-atft" target="_blank">
+                                <a href="/microsoft-365/education/deploy/post-deployment-next-steps" target="_blank">
                                     <div class="cardSize">
                                         <div class="cardPadding">
                                             <div class="card">
@@ -114,8 +114,8 @@ ms.prod: w10
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
-                                                    <h3>3. Tools for Teachers</h3>
+                                                    <h3>3. Post Deployment Next Steps</h3>
-                                                    <p>The latest classroom resources at teachers’ fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.</p>
+                                                    <p>Migrate to Sharepoint Server Hybrid or Sharepoint Online, and Exchange Server Hybrid or Exchange Online. Configure settings in your Admin portals.</p>
                                                 </div>
                                             </div>
                                         </div>

windows/deployment/windows-autopilot/self-deploying.md

@@ -37,8 +37,8 @@ Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage
 
 Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.  The devices must also support TPM device attestation.  (All newly-manufactured Windows devices should meet these requirements.)
 
->[!NOTE]
+>[!IMPORTANT]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
 
 In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed.  See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. 
 

windows/release-information/windows-message-center.yml

@@ -51,8 +51,8 @@ sections:
       <table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
       
       <tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/' target='_blank'><b>Evolving Windows 10 servicing and quality</b></a><br><div>Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the <a href='https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968' target='_blank'>Windows IT Pro Blog</a> for more details on how to plan for this new update option in your environment.</div></td><td>July 01, 2019 <br>02:00 PM PT</td></tr>
-      <tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b></a><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
+      <tr><td><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
-      <tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 available by selecting “Check for updates”</b></a><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
+      <tr><td><b>Windows 10, version 1903 available by selecting “Check for updates”</b><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
       <tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97' target='_blank'><b>Windows 10, version 1903 rollout begins</b></a><br>The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.</td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
       <tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064' target='_blank'><b>What’s new in Windows Update for Business</b></a><br>We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
       <tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024' target='_blank'><b>What’s new for businesses and IT pros in Windows 10</b></a><br>Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>

windows/security/threat-protection/microsoft-defender-atp/TOC.md

@@ -70,9 +70,6 @@
 ###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list)
 ###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center)
 ###### [Deep analysis](respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
 
 
 ##### [Investigate entities using Live response](live-response.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-features.md

@@ -29,9 +29,11 @@ Depending on the Microsoft security products that you use, some advanced feature
 Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
 
 ## Automated investigation
+
 When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
 
 ## Live response
+
 When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
 
 For more information on role assignments see, [Create and manage roles](user-roles.md).
@@ -39,8 +41,8 @@ For more information on role assignments see, [Create and manage roles](user-rol
 ## Live response unsigned script execution
 Enabling this feature allows you to run unsigned scripts in a live response session.
 
-
 ## Auto-resolve remediated alerts
+
 For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
 
 >[!TIP]
@@ -50,14 +52,28 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.  
 >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
 
-
 ## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
 
-If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
+
+This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
+
+To turn **Block or allow** files on:
+
+1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
+
+1. Toggle the setting between **On** and **Off**.
+
+    ![Image of advanced settings for block file feature](images/atp-preferences-setup.png)
+
+1. Select **Save preferences** at the bottom of the page.
+
+Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
 
 ## Show user details
+
 When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information  when investigating user account entities. You can find user account information in the following views:
+
 - Security operations dashboard
 - Alert queue
 - Machine details page
@@ -65,20 +81,21 @@ When you enable this feature, you'll be able to see user details stored in Azure
 For more information, see [Investigate a user account](investigate-user.md).
 
 ## Skype for Business integration
+
 Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
 
 >[!NOTE]
 > When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
 
-
 ## Azure Advanced Threat Protection integration
-The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
 
+The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
 
 >[!NOTE]
 >You'll need to have the appropriate license to enable this feature.
 
 ### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+
 To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
 
 1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
@@ -90,6 +107,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
 When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
 
 ## Office 365 Threat Intelligence connection
+
 This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
 
 When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
@@ -100,22 +118,25 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
 
 ## Microsoft Threat Experts
+
 Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while  experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
 
 >[!NOTE]
 >The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
 
 ## Microsoft Cloud App Security
+
 Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
 
 >[!NOTE]
 >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
 
 ## Azure Information Protection
+
 Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
 
-
 ## Microsoft Intune connection
+
 This feature is only available if you have an active Microsoft Intune (Intune) license.
 
 When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
@@ -123,18 +144,20 @@ When you enable this feature, you'll be able to share Microsoft Defender ATP dev
 >[!NOTE]
 >You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
 
-
 ## Preview features
+
 Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
 
 You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
 
 ## Enable advanced features
+
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
 3. Click **Save preferences**.
 
 ## Related topics
+
 - [Update data retention settings](data-retention-settings.md)
 - [Configure alert notifications](configure-email-notifications.md)
 - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md

@@ -23,7 +23,7 @@ ms.date: 08/15/2018
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
 
-To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
 
 ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
 
@@ -151,6 +151,3 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows
 ## Related topic
 - [Advanced hunting reference](advanced-hunting-reference.md)
 - [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-
-
-

windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md

@@ -93,6 +93,9 @@ You can choose to limit the list of alerts based on their status.
 ### Investigation state
 Corresponds to the automated investigation state.
 
+### Category
+You can choose to filter the queue to display specific types of malicious activity.
+
 ### Assigned to
 You can choose between showing alerts that are assigned to you or automation.
 

windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md

@@ -39,19 +39,19 @@ Field numbers match the numbers in the images below.
 > 
 > | Portal   label   | SIEM field name           | ArcSight field      | Example value                                                                      | Description                                                                                                                                                                    |
 > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1                | AlertTitle                | name                | A dll was unexpectedly loaded into   a high integrity process without a UAC prompt | Value available for every alert.                                                                                                                                               |
+> | 1                | AlertTitle                | name                | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert.                                                                                                                                               |
-> | 2                | Severity                  | deviceSeverity      | Medium                                                                             | Value available for every alert.                                                                                                                                               |
+> | 2                | Severity                  | deviceSeverity      | High                                                                             | Value available for every alert.                                                                                                                                               |
-> | 3                | Category                  | deviceEventCategory | Privilege Escalation                                                               | Value available for every alert.                                                                                                                                               |
+> | 3                | Category                  | deviceEventCategory | Malware                                                               | Value available for every alert.                                                                                                                                               |
-> | 4                | Source                    | sourceServiceName   | WindowsDefenderATP                                                                 | Windows Defender Antivirus or   Microsoft Defender ATP. Value available for every alert.                                                                                         |
+> | 4                | Detection source                    | sourceServiceName   | Antivirus                                                                 | Windows Defender Antivirus or   Microsoft Defender ATP. Value available for every alert.                                                                                         |
-> | 5                | MachineName               | sourceHostName      | liz-bean                                                                           | Value available for every alert.                                                                                                                                               |
+> | 5                | MachineName               | sourceHostName      | desktop-4a5ngd6                                                                           | Value available for every alert.                                                                                                                                               |
 > | 6                | FileName                  | fileName            | Robocopy.exe                                                                       | Available for alerts associated   with a file or process.                                                                                                                      |
 > | 7                | FilePath                  | filePath            | C:\Windows\System32\Robocopy.exe                                                   | Available for alerts associated   with a file or process.                                                                                                                     |
-> | 8                | UserDomain                | sourceNtDomain      | contoso                                                                            | The domain of the user context   running the activity, available for Microsoft Defender ATP behavioral based   alerts.                                                           |
+> | 8                | UserDomain                | sourceNtDomain      | CONTOSO                                                                            | The domain of the user context   running the activity, available for Microsoft Defender ATP behavioral based   alerts.                                                           |
-> | 9                | UserName                  | sourceUserName      | liz-bean                                                                           | The user context running the   activity, available for Microsoft Defender ATP behavioral based alerts.                                                                           |
+> | 9                | UserName                  | sourceUserName      | liz.bean                                                                           | The user context running the   activity, available for Microsoft Defender ATP behavioral based alerts.                                                                           |
-> | 10               | Sha1                      | fileHash            | 5b4b3985339529be3151d331395f667e1d5b7f35                                           | Available for alerts associated   with a file or process.                                                                                                                      |
+> | 10               | Sha1                      | fileHash            | 3da065e07b990034e9db7842167f70b63aa5329                                           | Available for alerts associated   with a file or process.                                                                                                                      |
-> | 11               | Md5                       | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb                                                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 11               | Sha256                    | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
-> | 12               | Sha256                    | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 12               | Md5                       | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21                                                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
-> | 13               | ThreatName                | eviceCustomString1  | Trojan:Win32/Skeeyah.A!bit                                                         | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 13               | ThreatName                | deviceCustomString1  | HackTool:Win32/Mikatz!dha                                                         | Available for Windows Defender AV   alerts.                                                                                                                                    |
 > | 14               | IpAddress                 | sourceAddress       | 218.90.204.141                                                                     | Available for alerts associated   to network events. For example, 'Communication to a malicious network   destination'.                                                        |
 > | 15               | Url                       | requestUrl          | down.esales360.cn                                                                  | Available for alerts associated to   network events. For example, 'Communication to a malicious network   destination'.                                                         |
 > | 16               | RemediationIsSuccess      | deviceCustomNumber2 | TRUE                                                                               | Available for Windows Defender AV   alerts. ArcSight value is 1 when TRUE and 0 when FALSE.                                                                                    |
@@ -60,7 +60,7 @@ Field numbers match the numbers in the images below.
 > | 19               | LinkToWDATP               | flexString1         | `https://securitycenter.windows.com/alert/636210704265059241_673569822`            | Value available for every alert.                                                                                                                                               |
 > | 20               | AlertTime                 | deviceReceiptTime   | 2017-05-07T01:56:59.3191352Z                                                       | The time the activity relevant to   the alert occurred. Value available for every alert.                                                                                       |
 > | 21               | MachineDomain             | sourceDnsDomain     | contoso.com                                                                        | Domain name not relevant for AAD   joined machines. Value available for every alert.                                                                                           |
-> | 22               | Actor                     | deviceCustomString4 |                                                                                    | Available for alerts related to a   known actor group.                                                                                                                         |
+> | 22               | Actor                     | deviceCustomString4 | BORON                                                                                   | Available for alerts related to a   known actor group.                                                                                                                         |
 > | 21+5             | ComputerDnsName           | No mapping          | liz-bean.contoso.com                                                               | The machine fully qualified   domain name. Value available for every alert.                                                                                                    |
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For machines on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |

windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md

@@ -25,7 +25,7 @@ ms.date: 04/24/2018
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
 
-The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
 
 There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
 - **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
@@ -44,7 +44,7 @@ You can filter the health state list by the following status:
 - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
 
 
-You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+You can view the machine details when you click on a misconfigured or inactive machine.
 
 ![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png)
 

windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md

@@ -69,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em
 
 Here's an example email notification:
 
-![Image of example email notification](images/email-notification.png)
+![Image of example email notification](images/atp-example-email-notification.png)
 
 ## Edit a notification rule
 1. Select the notification rule you'd like to edit.