Merge pull request #3640 from MicrosoftDocs/main

aditisrivastava07 · web-flow · commit 20d4014c2c2d · 2025-05-02T11:10:10.000+05:30
[AutoPublish] main to live - 05/01 22:32 PDT | 05/02 11:02 IST
diff --git a/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md b/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -6,7 +6,7 @@ description: Windows Server includes automatic exclusions, based on server role.
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 03/28/2025
+ms.date: 05/01/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.topic: conceptual
@@ -30,21 +30,17 @@ search.appverid: met150
 
 - Windows Server
 
+## Important notes about automatic exclusions on Windows Server
 
-> [!IMPORTANT]
-> ## Important notes about automatic exclusions on Windows Server
->
-> - [Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) take precedence over automatic exclusions. When a custom exclusion is set for a path that also has a duplicate automatic or built-in exclusion, the custom exclusion will always apply.
-> - Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning. Other scan activity, for example [Network Inspection](network-protection.md) and [Behavior Monitoring](behavior-monitor.md), will not be excluded. To exclude other scan types, please use custom exclusions.
-> - Automatic exclusions aren't honored during a [quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan). To exclude other scan types, please use custom exclusions.
-> - Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-> - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
-> - Appropriate exclusions must be set for software that isn't included with the operating system.
-> - The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in and automatic exclusions. 
+- [Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) take precedence over automatic exclusions. When a custom exclusion is set for a path that also has a duplicate automatic or built-in exclusion, the custom exclusion will always apply.
+- Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning. Other scan activity, for example [Network Inspection](network-protection.md) and [Behavior Monitoring](behavior-monitor.md), will not be excluded. To exclude other scan types, please use custom exclusions.
+- Automatic exclusions aren't honored during a [quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan). To exclude other scan types, please use custom exclusions.
+- Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Appropriate exclusions must be set for software that isn't included with the operating system.
+- The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. 
 
-## Overview
-
-This article describes types of exclusions that you don't have to define for Microsoft Defender Antivirus: 
+This article describes the two main types of exclusions that you don't have to define for Microsoft Defender Antivirus: 
 
 - [Automatic exclusions](#automatic-server-role-exclusions) for roles on Windows Server 2016 and later. 
 - [Built-in exclusions](#built-in-exclusions) for operating system files on all versions of Windows. 
@@ -240,10 +236,9 @@ This section lists the folder exclusions that are delivered automatically when y
 
 ## Built-in exclusions
 
-> [!NOTE]
-> - Please see [Important Notes](#important-notes-about-automatic-exclusions-on-windows-server)
-> - Default locations could be different than the locations that are described in this article.
-> - The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in exclusions. 
+Make sure to review [Important notes about automatic exclusions](#important-notes-about-automatic-exclusions-on-windows-server) (in this article). Keep in mind that default locations could be different than the locations that are described in this article.
+
+The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in exclusions. 
 
 Because Microsoft Defender Antivirus is built into Windows, it doesn't require exclusions for operating system files on any version of Windows. 
 
@@ -396,9 +391,7 @@ If necessary, you can add or remove custom exclusions. To do that, see the follo
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
 - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-- [Configure Defender for Endpoint on Android features](android-configure.md)
-- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+- [Onboard client devices running Windows or macOS to Microsoft Defender for Endpoint](onboard-client.md)
+- [Onboard servers through Microsoft Defender for Endpoint's onboarding experience](onboard-server.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-ngp
 search.appverid: met150
-ms.date: 04/01/2025
+ms.date: 05/01/2025
 ---
 
 # Detect and block potentially unwanted applications
@@ -193,7 +193,7 @@ get-mpPreference | ft PUAProtection
 | -------- | -------- |
 | `0` | PUA Protection off (Default).  Microsoft Defender Antivirus won't protect against potentially unwanted applications.  |
 | `1` | PUA Protection on. Detected items are blocked. They'll show in history along with other threats.|
-| `2` | Audit mode. Microsoft Defender Antivirus detects potentially unwanted applications but take no action. You can review information about the applications Windows Defender would've taken action against by searching for events created by Windows Defender in the Event Viewer.|
+| `2` | Audit mode. Microsoft Defender Antivirus detects potentially unwanted applications but takes no action. You can review information about the applications Microsoft Defender Antivirus would've taken action against by searching for events created by Microsoft Defender Antivirus in the Event Viewer, but not in the [Microsoft Defender portal](https://security.microsoft.com).|
 
 For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/index).
 
diff --git a/defender-endpoint/edr-detection.md b/defender-endpoint/edr-detection.md
@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 04/30/2025
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -32,13 +32,11 @@ ms.date: 03/04/2025
 - Linux servers must be running a supported version (see [Prerequisites for Microsoft Defender for Endpoint on Linux](mde-linux-prerequisites.md))
 - Devices must be onboarded to Defender for Endpoint
 
-Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
-
-Run an EDR detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. You can run an EDR detection test to verify that the device is properly onboarded and reporting to the service. This article describes how to run an EDR detection test on a newly onboarded device.
 
 ### Windows
 
-1. Open a Command Prompt window
+1. Open a Command Prompt window.
 
 2. At the prompt, copy and run the following command. The Command Prompt window closes automatically.
 
@@ -50,35 +48,35 @@ Run an EDR detection test to verify that the device is properly onboarded and re
 
 ### Linux
 
-1. Download [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server 
-
+1. Download [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server. 
 
-```bash
-curl -o ~/Downloads/MDE-Linux-EDR-DIY.zip -L https://aka.ms/MDE-Linux-EDR-DIY
-```
+   ```bash
+   curl -o ~/Downloads/MDE-Linux-EDR-DIY.zip -L https://aka.ms/MDE-Linux-EDR-DIY
+   ```
 
-2. Extract the zip 
+2. Extract the zipped folder. 
 
-```bash
-unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
-```
+   ```bash
+   unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
+   ```
 
-3. And run the following command to give the script executable permission: 
+3. Run the following command to give the script executable permission: 
 
-```bash
-chmod +x ./mde_linux_edr_diy.sh
-```
+   ```bash
+   chmod +x ./mde_linux_edr_diy.sh
+   ```
 
 4. Run the following command to execute the script:
-```bash
- ./mde_linux_edr_diy.sh
-```
 
-5. After a few minutes, a detection should be raised in Microsoft Defender XDR. Look at the alert details, machine timeline, and perform your typical investigation steps.
+   ```bash
+   ./mde_linux_edr_diy.sh
+   ```
+
+   After a few minutes, a detection should be raised in the [Microsoft Defender portal](https://security.microsoft.com). Look at the alert details, machine timeline, and perform your typical investigation steps.
  
 ### macOS
 
-1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
+1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract the zipped folder.
 
       The following prompt appears:
 
@@ -94,11 +92,11 @@ chmod +x ./mde_linux_edr_diy.sh
    > [!TIP]
    > If you double-click **MDATP MacOS DIY**, you will get the following message:
    >
-   > > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verifier.**<br/>
+   > > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verified.**<br/>
    > > macOS cannot verify that this app is free from malware.<br/>
-   > > **[Move to Trash]** **[Cancel]**
+   > > **[Move to Trash]** **[Done]**
 
-7. Click **Cancel**.
+7. Click **Done**.
 
 8. Right-click **MDATP MacOS DIY**, and then click **Open**.
 
@@ -124,9 +122,7 @@ chmod +x ./mde_linux_edr_diy.sh
 
     :::image type="content" source="media/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Screenshot that shows a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions":::
 
-    The macOS EDR test alert shows severity, category, detection source, and a collapsed menu of actions.
-
-    Look at the alert details and the device timeline, and perform the regular investigation steps.
+    The macOS EDR test alert shows severity, category, detection source, and a collapsed menu of actions. Look at the alert details and the device timeline, and perform the regular investigation steps.
 
 
 ## Next steps
diff --git a/defender-endpoint/enable-update-mdav-to-latest-ws.md b/defender-endpoint/enable-update-mdav-to-latest-ws.md
@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: yongrhee
 ms.localizationpriority: high
-ms.date: 03/14/2025
+ms.date: 05/01/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -27,14 +27,22 @@ search.appverid: met150
 - Microsoft Defender for Servers Plan 1 or Plan 2
 - Microsoft Defender Antivirus
 
-If you wish to use Microsoft Defender Antivirus on your Windows Server, and it had been previously disabled or uninstalled, you may need to take further steps to re-enable it and ensure it's fully updated.
+This article describes how to enable and update Microsoft Defender Antivirus on Windows Server. You'd use the procedures in this article if Microsoft Defender Antivirus was previously disabled or uninstalled.
 
-To enable and update Microsoft Defender Antivirus on Windows Server, perform the following steps:
+## Enable and update Microsoft Defender Antivirus on Windows Server
+
+
+1. Install the latest [servicing stack updates](/windows/deployment/update/servicing-stack-updates).
+
+2. Install the latest [cumulative update](/windows/deployment/update/catalog-checkpoint-cumulative-updates).
+
+3. Reinstall Microsoft Defender Antivirus or re-enable it. See the following sections (in this article):
+
+   - [Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled)
+   - [Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled)
 
-1. Install the latest Servicing Stack Update (SSU).
-2. Install the latest cumulative update (LCU).
-3. Reinstall Microsoft Defender Antivirus or re-enable it. For more information on how to reinstall or re-enable Microsoft Defender Antivirus on Windows Server, see [Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled) and [Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled).
 4. Reboot the system.
+
 5. Install the latest version of the platform update.
 
    > [!NOTE]
@@ -53,8 +61,11 @@ On Windows Server 2016, in some cases, you may need to use the [Malware Protecti
 As a local administrator on the server, perform the following steps:
 
 1. Open Command Prompt.
-2. Run the following command:
-   `%ProgramFiles%\Windows Defender\MpCmdRun.exe -wdenable`.
+
+2. Run the following command: 
+
+   `%ProgramFiles%\Windows Defender\MpCmdRun.exe -wdenable`
+
 3. Restart the device.
 
 ## Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled
@@ -92,4 +103,5 @@ As a local administrator on the server, perform the following steps:
 ## Related articles
 
 [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md b/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md
@@ -1,5 +1,5 @@
 ---
-title: UEFI scanning in Defender for Endpoint
+title: Firmware (UEFI) scanning in Defender for Endpoint
 description: Learn how Microsoft Defender for Endpoint is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.
 author: emmwalshh
 ms.author: ewalsh
@@ -12,12 +12,12 @@ ms.subservice: ngp
 ms.localizationpriority: medium
 ms.custom:
 - admindeeplinkDEFENDER
- - partner-contribution
+- partner-contribution
 ms.collection: 
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 03/26/2025
+ms.date: 05/01/2025
 ---
 
 # UEFI scanning in Defender for Endpoint
