Merge branch 'main' into painbar-toc-change-for-linux

Author: paulinbar

defender-endpoint/network-protection.md

@@ -74,7 +74,7 @@ There might be up to two hours of latency (usually less) between when an indicat
 Network protection requires devices running one of the following operating systems:
 
 - Windows 10 or 11 (Pro or Enterprise) (see [Supported Windows versions](minimum-requirements.md#windows-versions-supported-by-defender-for-endpoint))
-- Windows Server, version 1803 or later (see [Supported Windows versions](minimum-requirements.md#windows-versions-supported-by-defender-for-endpoint))
+- Windows Server 2012 R2, Windows Server 2016, or Windows Server version 1803 or later (see [Supported Windows versions](minimum-requirements.md#windows-versions-supported-by-defender-for-endpoint))
 - macOS version 12 (Monterey) or later (see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))
 - A supported Linux version (see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md))
 
@@ -87,7 +87,7 @@ Network protection also requires Microsoft Defender Antivirus with real-time pro
 
 ## Why network protection is important
 
-Network protection is a part of the [attack surface reduction](overview-attack-surface-reduction.md) group of solutions in Microsoft Defender for Endpoint. Network protection enables the network layer to block connections to domains and IP addresses. By default, network protection guards your computers from known malicious domains using the SmartScreen feed, which blocks malicious URLs in a manner similar to SmartScreen in Microsoft Edge browser. The network protection functionality can be extended to:
+Network protection is a part of the [attack surface reduction](overview-attack-surface-reduction.md) group of solutions in Microsoft Defender for Endpoint. Network protection enables the network layer to block connections to domains and IP addresses. By default, network protection guards your computers from known malicious domains using the SmartScreen feed, which blocks malicious URLs in a manner similar to SmartScreen in the Microsoft Edge browser. The network protection functionality can be extended to:
 
 - Block IP/URL addresses from your own threat intelligence ([indicators](indicator-ip-domain.md))
 - Block unsanctioned services from [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
@@ -182,15 +182,15 @@ When a user visits a website whose url has a bad reputation, a toast notificatio
 - **Ok**: The toast notification is released (removed), and the attempt to access the site is ended.
 - **Feedback**: The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
 
-:::image type="content" source="media/network-protection-phishing-blocked.png" alt-text="Shows a network protection known phishing content blocked notification." lightbox="media/network-protection-phishing-blocked.png":::
+:::image type="content" source="media/network-protection-phishing-blocked.png" alt-text="Shows a network protection known phishing content blocked notification." lightbox="media/network-protection-phishing-blocked.png":::Your security operations team can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) shown for a blocked connection with your organization's details and contact information.
 
 ## SmartScreen Unblock
 
 With indicators in Defender for Endpoint, administrators can allow end users to bypass warnings that are generated for some URLs and IPs. Depending on why the URL is blocked, when a SmartScreen block is encountered, it could offer the user the ability to unblock the site for up to 24 hours. In such cases, a Windows Security toast notification appears, permitting the user to select **Unblock**. In such cases, the URL or IP is unblocked for the specified period of time.  
 
 :::image type="content" source="media/network-protection-smart-screen-block-notification.png" alt-text="Windows Security notification for network protection.":::
 
-Microsoft Defender for Endpoint administrators can configure SmartScreen Unblock functionality in the [Microsoft Defender portal](https://security.microsoft.com) using an allow indicator for IPs, URLs, and domains.
+Microsoft Defender for Endpoint administrators can unblock any URL in the [Microsoft Defender portal](https://security.microsoft.com) using an allow indicator for IPs, URLs, and domains.
 
 :::image type="content" source="media/network-protection-smart-screen-block-configuration.png" alt-text="Network protection SmartScreen block configuration URL and IP form.":::
 
@@ -269,16 +269,13 @@ DeviceEvents
 
 You can use the resulting list of URLs and IPs to determine what would be blocked if network protection is set to block mode on the device. You can also see which features would block URLs and IPs. Review the list to identify any URLS or IPs that are necessary for your environment. You can then create an allow indicator for those URLs or IP addresses. Allow indicators take precedence over any blocks. See [Order of precedence for Network protection blocks](web-protection-overview.md#order-of-precedence).
 
-After creating an indicator to unblock a site, you may attempt to resolve the original block as follows:
+After creating an allow indicator to unblock a site, you may attempt to resolve the original block as follows:
 
 - **SmartScreen**: report false positive, if appropriate
 - **Indicator**: modify existing indicator
 - **MCA**: review unsanctioned app
 - **WCF**: request recategorization
 
-> [!NOTE]
-> As this is a per-device setting, if there are devices that cannot move to Block mode you can simply leave them on audit to receive the auditing events.
-
 For information about how to report false positives in SmartScreen data, see [Report false positives](web-protection-overview.md#report-false-positives).
 
 For details on how to create your own Power BI reports, see [Create custom reports using Power BI](api/api-power-bi.md).
@@ -298,11 +295,7 @@ In non-Microsoft Edge processes, Network Protection determines the fully qualifi
 
 ## Viewing network protection events
 
-Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into exploit protection events and blocks as part of [alert investigation scenarios](investigate-alerts.md).
-
-When network protection blocks a connection, a notification is displayed on the client. Your security operations team can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your organization's details and contact information.
-
-<a name='review-network-protection-events-in-the-microsoft-365-defender-portal'></a>
+Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting as part of [alert investigation scenarios](investigate-alerts.md).<a name='review-network-protection-events-in-the-microsoft-365-defender-portal'></a>
 
 ## Review network protection events in the Microsoft Defender portal
 
@@ -347,7 +340,7 @@ Due to the multi-user nature of Windows 10 Enterprise, keep the following points
 
 ### Alternative option for network protection
 
-For Windows Server 2012 R2 and Windows Server 2016 using the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later, used in Windows Virtual Desktop on Azure, network protection for Microsoft Edge can be enabled using the following method:
+For Windows Server 2012 R2 and Windows Server 2016 using the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later, used in Windows Virtual Desktop on Azure, network protection can be enabled using the following method:
 
 1. Use [Turn on network protection](enable-network-protection.md) and follow the instructions to apply your policy.
 
@@ -359,8 +352,8 @@ For Windows Server 2012 R2 and Windows Server 2016 using the [modern unified sol
    - `Set-MpPreference -AllowDatagramProcessingOnWinServer 1`
 
    > [!NOTE]
-   > In some cases, depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can have an effect on network performance.
-
+   > Depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can have an effect on network performance.
+   
 ### Network protection for Windows Servers
 
 The following information is specific to Windows Servers.
@@ -385,7 +378,7 @@ Verify whether network protection is enabled on a local device by using Registry
 
 For more information, see [Turn on network protection](enable-network-protection.md).
 
-#### Network protection suggested registry keys
+#### Network protection registry keys
 
 For Windows Server 2012 R2 and Windows Server 2016 using the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later (used in Windows Virtual Desktop on Azure), enable other registry keys, as follows:
 
@@ -419,7 +412,7 @@ Set-MpPreference -AllowDatagramProcessingOnWinServer 1
 ```
 
 > [!NOTE]
-> In some cases, depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can affect network performance.
+> Depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can affect network performance.
 
 ## Network protection troubleshooting
 
@@ -451,7 +444,7 @@ New-NetFirewallRule @ruleParams
 
 ## Optimizing network protection performance
 
-Network protection includes performance optimization that allows `block` mode to asynchronously inspect long-lived connections, which might provide a performance improvement. This optimization can also help with app compatibility problems. This capability is on by default. 
+Network protection includes a performance optimization that allows `block` mode to inspect long-lived connections asynchronously, which might provide a performance improvement. This optimization can also help with app compatibility problems. This capability is on by default. 
 
 #### Use CSP to enable AllowSwitchToAsyncInspection