Merge branch 'mdi-alerts-update' of https://github.com/AbbyMSFT/defender-docs-pr into mdi-alerts-update

Author: AbbyMSFT

defender-endpoint/TOC.yml

@@ -803,6 +803,8 @@
         href: microsoft-defender-endpoint-antivirus-performance-mode.md
       - name: Compatibility with other security products
         href: microsoft-defender-antivirus-compatibility.md
+      - name: Defender for Endpoint passive mode
+        href: microsoft-defender-passive-mode.md
       - name: Microsoft Defender Antivirus and third-party antivirus solutions without
           Defender for Endpoint
         href: defender-antivirus-compatibility-without-mde.md

defender-endpoint/configure-endpoints-vdi.md

@@ -103,6 +103,10 @@ The following steps guide you through onboarding VDI devices and highlight steps
    | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). <br/>2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it's triggered automatically. |
    | Multiple entries for each device | 1. Select the **Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). <br/>2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. |
 
+   > [!NOTE]
+   > When using the 'Single entry for each device' onboarding method for non-persistent VDI environments, ensure that the Onboard-NonPersistentMachine.ps1 script is executed only after the virtual machine has received its final hostname and completed its final reboot.<br>
+   > For example, if your VDI provisioning process includes multiple reboots or configuration stages after the VM is cloned from a master image, delay the script execution until the last reboot is complete and final machine name is assigned.<br> Running the script too early may result in duplicate device entries or inconsistent onboarding to Microsoft Defender for Endpoint.
+
 5. Test your solution by following these steps:
 
    1. Create a pool with one device.

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 06/06/2025
+ms.date: 07/30/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -79,7 +79,7 @@ Understand the following prerequisites before you create indicators for files:
 
 ## Create an indicator for files from the settings page
 
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
+1. In the navigation pane, select **System** \> **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
 
 2. Select the **File hashes** tab.
 

defender-endpoint/microsoft-defender-core-service-overview.md

@@ -33,37 +33,50 @@ To enhance your endpoint security experience, Microsoft is releasing the Microso
    - Mid April 2024 to Enterprise customers running Windows clients.
    - Beginning of July 2024 to U.S. Government customers running Windows clients.
 
-   - Mid January 2025 to Enterprise customers running Windows Server.
+      The Microsoft Defender Core service for Windows Server is releasing with [Microsoft Defender Antivirus platform version 4.18.25050.5.](/defender-endpoint/microsoft-defender-antivirus-updates)
 
-3. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
+   - Mid July 2025 to Enterprise customers running Windows Server 2019 or later.
+      
+   - Mid September 2025 to Enterprise customers running the [unified Microsoft Defender for Endpoint client](/defender-endpoint/update-agent-mma-windows) for Windows Server 2012 R2 or Windows Server 2016.
+      
+1. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
 
-4. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience:
+1. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience:
 
    Enterprise customers should allow the following URLs:
 
    - `*.endpoint.security.microsoft.com`
+      
    - `ecs.office.com/config/v1/MicrosoftWindowsDefenderClient`
+      
    - `*.events.data.microsoft.com`
 
    If you don't want to use the wildcards for `*.events.data.microsoft.com`, you can use:
 
    - `us-mobile.events.data.microsoft.com/OneCollector/1.0`   
    - `eu-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `uk-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `au-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `mobile.events.data.microsoft.com/OneCollector/1.0`
-   
+      
    Enterprise U.S. Government customers should allow the following URLs:
 
    - `*.events.data.microsoft.com`
+      
    - `*.endpoint.security.microsoft.us (GCC-H & DoD)`
+      
    - `*.gccmod.ecs.office.com (GCC-M)`
+      
    - `*.config.ecs.gov.teams.microsoft.us (GCC-H)`
+      
    - `*.config.ecs.dod.teams.microsoft.us (DoD)`
 
-5. If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist. 
+1. If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist. 
 
-6. Consumers don't need to take any actions to prepare.
+1. Consumers don't need to take any actions to prepare.
 
 ## Microsoft Defender Antivirus processes and services
 
@@ -191,7 +204,8 @@ On the script page of the Run Script wizard, choose your script from the list (M
 #### Use the Registry to update the policies for Microsoft Defender Core service.
 
 1. Select **Start**, and then open Regedit.exe as an administrator.
-2. Go to `HKLM\Software\Policies\Microsoft\Windows Defender\Features`
+1. Go to `HKLM\Software\Policies\Microsoft\Windows Defender\Features`
+
 3. Set the values:
 
    `DisableCoreService1DSTelemetry` (dword) 0 (hex)  

defender-endpoint/microsoft-defender-passive-mode.md

@@ -0,0 +1,114 @@
+---
+title: Defender for Endpoint with Defender Antivirus in passive mode
+ms.topic: conceptual
+description: Understand how Defender Antivirus in passive mode works and when to use it.
+ms.service: defender-endpoint
+author: KesemSharabi
+ms.author: kesharab
+ms.localizationpriority: high
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier1
+- mde-ngp
+ms.subservice: ngp
+search.appverid: met150
+ms.date: 03/26/2025
+---
+
+# Defender Antivirus in passive mode
+
+[!INCLUDE [side-by-side-scenarios](includes/side-by-side-scenarios.md)]
+
+Microsoft Defender for Endpoint is a comprehensive security solution designed to protect your devices from evolving threats. One of its key features enables Microsoft Defender Antivirus to coexist with non-Microsoft antimalware solutions while still providing valuable endpoint detection and response capabilities.
+
+Some of the key benefits of Defender Antivirus in passive mode are:
+
+* **EDR Block mode** - Post-breach protection by detecting and remediating threats missed by the active antimalware solution
+
+* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
+
+* **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats.
+
+* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
+
+For more information, see [How Microsoft Defender Antivirus affects Defender for Endpoint functionality](microsoft-defender-antivirus-compatibility.md#how-microsoft-defender-antivirus-affects-defender-for-endpoint-functionality).
+
+>[!NOTE]
+>Passive mode disables Microsoft Defender Antivirus scheduled scans unless specific configurations are applied.
+
+## Prerequisites
+
+* Operating system
+    * Windows 10 or newer
+    * Windows Server 2012 R2 or newer
+
+* The device must be onboarded to Microsoft Defender for Endpoint
+
+* Microsoft Defender Antivirus has to be installed and enabled
+
+## Configure passive mode
+
+On Windows 10 or newer, Defender Antivirus automatically enters passive mode when a non-Microsoft antimalware solution is installed and registered.
+
+For Windows Server operating systems, follow the instructions in this section to configure passive mode for Microsoft Defender for Endpoint.
+
+### Set the registry key
+
+To avoid conflicts between Microsoft Defender Antivirus and a third-party antivirus solution, if you're using Windows Server, set the following registry key before onboarding the device to Microsoft Defender for Endpoint:
+
+* **Path** - HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+
+* **Name** - ForceDefenderPassiveMode
+
+* **Type** - REG_DWORD
+
+* **Value** - 1
+
+### Enable EDR in block mode
+
+When Microsoft Defender Antivirus is in passive mode, EDR in block mode can provide post-breach protection by detecting and remediating threats. Ensure this feature is enabled in Defender for Endpoint.
+
+### Avoid service modifications
+
+Don't disable, stop, or modify associated services such as `wscsvc`, `WinDefend`, or `MsMpEng`. Stopping these services can cause instability and make your device vulnerable to threats.
+
+### Exclude Defender binaries in third-party antivirus
+
+To prevent performance issues or conflicts, add Microsoft Defender Antivirus and Defender for Endpoint binaries to the exclusion list of your third-party antivirus solution.
+
+## Verify that passive mode is enabled
+
+This section describes how to confirm whether Microsoft Defender Antivirus is in passive mode.
+
+### Windows PowerShell
+
+Run the following PowerShell cmdlet:
+
+```powershell
+Get-MpComputerStatus | select AMRunningMode
+```
+
+The `AMRunningMode` value indicates the current Defender Antivirus state:
+
+* **Normal** - Active mode
+
+* **Passive** - Passive mode
+
+* **EDR Block Mode** - EDR is operating in block mode
+
+### Windows security app
+
+Follow these steps to verify that Microsoft Defender Antivirus is in passive mode (Windows 10 and later only).
+
+1. Open the Windows Security app.
+
+2. Select **Virus & threat protection**.
+
+3. Under **Who’s protecting me?**, select **Manage providers**.
+
+4. On the *Security providers* page, verify the antivirus provider and state.
+
+## Additional resources
+
+[Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md)

defender-endpoint/overview-attack-surface-reduction.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 06/04/2024
+ms.date: 07/30/2025
 search.appverid: met150
 ---
 
@@ -38,8 +38,6 @@ search.appverid: met150
 
 Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces. Watch the following video to learn more about attack surface reduction.
 
-> [!VIDEO https://learn-video.azurefd.net/vod/player?id=06675c1f-cd4d-4c79-96f5-f695aee327e5]
-
 ## Configure attack surface reduction capabilities
 
 To configure attack surface reduction in your environment, follow these steps:

defender-office-365/TOC.yml

@@ -253,6 +253,8 @@
              href: tenant-allow-block-list-urls-configure.md
            - name: Allow or block IPv6 addresses using the Tenant Allow/Block List
              href: tenant-allow-block-list-ip-addresses-configure.md
+           - name: Block domains in Microsoft Teams using the Tenant Allow/Block List
+             href: tenant-allow-block-list-teams-domains-configure.md
          - name: Admin submissions
            href: submissions-admin.md
          - name: Create block sender lists

defender-office-365/attack-simulation-training-insights.md

@@ -226,9 +226,9 @@ The details table below the chart shows the following information. You can sort
 - **Email address**: Email address of the user.
 - **Latest repeat count**: Latest count of compromises for users categorized as repeat offenders. For example, if the repeat offender threshold is set to 3, and a user was compromised in 3 consecutive simulations, then the latest repeat count is 3. If the user was compromised in 4 consecutive simulations, then the latest repeat count is 4. If the user was compromised in 2 consecutive simulations, then the value N/A. The latest repeat count sets to 0 (N/A), every time a repeat offender flag is reset (meaning the user passes a simulation).
 - **Repeat offences**: Includes the number of times a user was classified as a repeat offender. For example:
-  -   The user was classified as a repeat offender in first few simulations (they were compromised 3 consecutive times, where repeat offender threshold is 2).
-  -   The user was classified as 'clean' after passing a simulation.
-  -   The user was classified as a repeat offender in the next few simulations (they were compromised 4 consecutive times, where repeat offender threshold is 2).
+  - The user was classified as a repeat offender in first few simulations (they were compromised 3 consecutive times, where repeat offender threshold is 2).
+  - The user was classified as 'clean' after passing a simulation.
+  - The user was classified as a repeat offender in the next few simulations (they were compromised 4 consecutive times, where repeat offender threshold is 2).
 
   In these cases, the number of repeat offences is set to 2. The count updates every time a user is considered a repeat offender.
 

defender-office-365/mdo-support-teams-about.md

@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365 Plan 2.
 ms.service: defender-office-365
-ms.date: 07/24/2025
+ms.date: 07/28/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -30,7 +30,7 @@ appliesto:
 With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using chat messages has also increased. Microsoft Defender for Office 365 already provides the following Teams protection features:
 
 - Time of click protection for URLs and files in Teams messages through [Safe Links for Microsoft Teams](safe-links-about.md#safe-links-settings-for-microsoft-teams) and [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
-- Allow/block [URLs](tenant-allow-block-list-urls-configure.md) and [files](tenant-allow-block-list-files-configure.md) inside Teams using Tenant Allow Block Lists.
+- Allow/block [domains](tenant-allow-block-list-teams-domains-configure.md), [URLs](tenant-allow-block-list-urls-configure.md) and [files](tenant-allow-block-list-files-configure.md) inside Teams using the Tenant Allow Block List.
 
 In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams protection with a set of capabilities that are designed to disrupt the attack chain:
 

defender-office-365/mdo-support-teams-sec-ops-guide.md

@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: A prescriptive playbook for SecOps personnel to manage Microsoft Teams protection in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 04/22/2025
+ms.date: 07/28/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -59,7 +59,7 @@ SecOps team members can also use block entries in the Tenant Allow/Block List to
 SecOps team members can use threat hunting or information from external threat intelligence feeds to proactively respond to false negative Teams messages (bad messages allowed). They can use the information to proactively block threats. For example:
 
 - [Create URL block entries](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) in the Tenant Allow/Block List in Defender for Office 365. Block entries apply at time of click for URLs in Teams.  
-- [Block domains in Teams using the Teams admin center](/microsoftteams/trusted-organizations-external-meetings-chat#specify-trusted-microsoft-365-organizations).
+- [Block domains in Teams using the Tenant Allow/Block List](tenant-allow-block-list-teams-domains-configure.md).
 - Submit undetected URLs to Microsoft using [admin submission](submissions-admin.md#report-questionable-urls-to-microsoft).
 
 > [!TIP]