Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into yelevin/multi-tenant-case-mgmt

Author: yelevin

defender-endpoint/TOC.yml

@@ -5,31 +5,33 @@
   - name: Zero Trust with Defender for Endpoint
     href: zero-trust-with-microsoft-defender-endpoint.md
   - name: Overview
-    items: 
-    - name: Defender for Endpoint on Windows
-      href: microsoft-defender-endpoint.md
-    - name: Defender for Endpoint on macOS
-      href: microsoft-defender-endpoint-mac.md
-    - name: Defender for Endpoint on Linux
-      href: microsoft-defender-endpoint-linux.md
-    - name: Defender for Endpoint on Android
-      href: microsoft-defender-endpoint-android.md
-    - name: Defender for Endpoint on iOS
-      href: microsoft-defender-endpoint-ios.md
-    - name: Defender for Endpoint for US Government customers
-      href: gov.md
-    - name: Supported Defender for Endpoint capabilities by platform
-      href: supported-capabilities-by-platform.md
-    - name: Antivirus solution compatibility with Defender for Endpoint
-      href: defender-compatibility.md
-    - name: Defender for Endpoint Plan 1
-      items:
-      - name: Overview of Defender for Endpoint Plan 1
-        href: defender-endpoint-plan-1.md
-      - name: Setup and configuration
-        href: mde-p1-setup-configuration.md
-      - name: Get started
-        href: mde-plan1-getting-started.md
+    items:
+    - name: What is Microsoft Defender for Endpoint?
+      items: 
+      - name: Defender for Endpoint on Windows
+        href: microsoft-defender-endpoint.md
+      - name: Defender for Endpoint on macOS
+        href: microsoft-defender-endpoint-mac.md
+      - name: Defender for Endpoint on Linux
+        href: microsoft-defender-endpoint-linux.md
+      - name: Defender for Endpoint on Android
+        href: microsoft-defender-endpoint-android.md
+      - name: Defender for Endpoint on iOS
+        href: microsoft-defender-endpoint-ios.md
+      - name: Defender for Endpoint for US Government customers
+        href: gov.md
+      - name: Supported Defender for Endpoint capabilities by platform
+        href: supported-capabilities-by-platform.md
+      - name: Antivirus solution compatibility with Defender for Endpoint
+        href: defender-compatibility.md
+      - name: Defender for Endpoint Plan 1
+        items:
+        - name: Overview of Defender for Endpoint Plan 1
+          href: defender-endpoint-plan-1.md
+        - name: Setup and configuration
+          href: mde-p1-setup-configuration.md
+        - name: Get started
+          href: mde-plan1-getting-started.md
     - name: What's new in Defender for Endpoint
       href: whats-new-in-microsoft-defender-endpoint.md
       items: 
@@ -45,8 +47,6 @@
         href: ios-whatsnew.md
       - name: Previous Defender for Endpoint releases (archive)
         href: whats-new-mde-archive.md
-    - name: Minimum requirements
-      href: minimum-requirements.md
     - name: Trial user guide - Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
     - name: Pilot and deploy Defender for Endpoint
@@ -176,6 +176,8 @@
           items:
           - name: Deploy Defender for Endpoint on macOS
             items:
+            - name: Microsoft Defender for Endpoint Prerequisites on macOS
+              href: microsoft-defender-endpoint-mac-prerequisites.md
             - name: Deployment with Microsoft Intune
               href: mac-install-with-intune.md
             - name: JAMF Pro-based deployment

defender-endpoint/attack-surface-reduction.md

@@ -5,8 +5,8 @@ ms.service: defender-endpoint
 ms.subservice: asr
 ms.localizationpriority: medium
 audience: ITPro
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 ms.reviewer: sugamar
 manager: deniseb
 ms.custom: admindeeplinkDEFENDER
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 03/28/2025
+ms.date: 05/09/2025
 ---
 
 # Attack surface reduction rules overview
@@ -98,7 +98,7 @@ Also, make sure [Microsoft Defender Antivirus and anti-malware updates](/windows
 - Minimum platform release requirement: `4.18.2008.9`
 - Minimum engine release requirement: `1.1.17400.5`
 
-For more information and to get your updates, see [Update for Microsoft Defender anti-malware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
+For more information and to get your updates, see [Update for Microsoft Defender anti-malware platform](/defender-endpoint/microsoft-defender-antivirus-updates).
 
 ### Cases where warn mode isn't supported
 
@@ -134,6 +134,8 @@ You can set attack surface reduction rules for devices that are running any of t
 
 - Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 11 Pro, version 21H2 or later
+- Windows 11 Enterprise, version 21H2 or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
 - Windows Server 2025
 - [Windows Server 2022](/windows-server/get-started/whats-new-in-windows-server-2022) 

defender-endpoint/behavioral-blocking-containment.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 03/29/2025
+ms.date: 04/25/2025
 ---
 
 # Behavioral blocking and containment

defender-endpoint/client-behavioral-blocking.md

@@ -17,7 +17,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 07/22/2024
+ms.date: 04/25/2025
 ---
 
 # Client behavioral blocking

defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
-title: Configure the Microsoft Defender Antivirus cloud block timeout period
-description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
+title: Configure the Microsoft Defender Antivirus cloud block time-out period
+description: You can configure how long Microsoft Defender Antivirus blocks a file from running while waiting for a cloud determination.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
 author: emmwalshh
@@ -18,7 +18,7 @@ ms.collection:
 search.appverid: met150
 ---
 
-# Configure the cloud block timeout period
+# Configure the cloud block time out period
 
 **Applies to:**
 - [Microsoft Defender XDR](/defender-xdr)
@@ -33,15 +33,15 @@ search.appverid: met150
 
 When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](cloud-protection-microsoft-defender-antivirus.md).
 
-The default period that the file is [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
+The default period that the file is [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block time out period can help ensure there's enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
 
-## Prerequisites to use the extended cloud block timeout
+## Prerequisites to use the extended cloud block time out
 
-[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
+[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended time out period.
 
-## Specify the extended timeout period using Microsoft Defender for Endpoint Security settings management
+## Specify the extended time out period using Microsoft Defender for Endpoint Security settings management
 
-To specify the cloud block timeout period with Microsoft Defender for Endpoint Security settings management:
+To specify the cloud block time out period with Microsoft Defender for Endpoint Security settings management:
 
 1. Go to the Microsoft Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
 2. Select **Endpoints** > **Configuration management** > **Endpoint security policies**.
@@ -50,29 +50,29 @@ To specify the cloud block timeout period with Microsoft Defender for Endpoint S
 5. Under **Select Template** choose: "Microsoft Defender Antivirus".
 6. Select **Create policy**.
 7. Enter a name and description and select **Next**.
-8. From the **Defender** dropdown go to **Cloud Extended Timeout** and toggle it on.
+8. From the Defender dropdown, go to **Cloud Extended Timeout** and toggle it on.
 9. Specify the extended time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
 10. Select **Next** and **Save** to finish configuring your policy.
 
-## Specify the extended timeout period using Microsoft Intune
+## Specify the extended time out period using Microsoft Intune
 
-You can specify the cloud block timeout period with an [endpoint security policy in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).
+You can specify the cloud block time out period with an [endpoint security policy in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).
 
 1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) and sign in.
 
 2. Select **Endpoint security**, and then under **Manage**, choose **Antivirus**.
 
 3. Select (or create) an antivirus policy.
 
-4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the timeout, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
+4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the time out, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
 
 5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)
 
 6. Choose **Next**, and finish configuring your policy.
 
-## Specify the extended timeout period using Group Policy
+## Specify the extended time out period using Group Policy
 
-You can use Group Policy to specify an extended timeout for cloud checks.
+You can use Group Policy to specify an extended time out for cloud checks.
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11))
 

defender-endpoint/configure-device-connectivity.md

@@ -1,8 +1,8 @@
 ---
 title: Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
 description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint.         
-author: denisebmsft
-ms.author: deniseb 
+author: emmwalshh
+ms.author: ewalsh 
 manager: deniseb 
 ms.topic: how-to
 ms.service: defender-endpoint

defender-endpoint/configure-proxy-internet.md

@@ -3,8 +3,8 @@ title: Configure your devices to connect to the Defender for Endpoint service us
 description: Learn how to configure your devices to enable communication with the cloud service using a proxy.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -39,7 +39,7 @@ Depending on the operating system, the proxy to be used for Microsoft Defender f
 
 - For Windows devices, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) (in this article).
 - For Linux devices, see [Configure Microsoft Defender for Endpoint on Linux for static proxy discovery](linux-static-proxy-configuration.md).
-- For macOS devices, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md#network-connections).
+- For macOS devices, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac-prerequisites.md#network-connectivity).
 
 The Defender for Endpoint sensor requires Microsoft Windows HTTP (`WinHTTP`) to report sensor data and communicate with the Defender for Endpoint service. The embedded Defender for Endpoint sensor runs in system context using the `LocalSystem` account.
 

defender-endpoint/configure-updates.md

@@ -5,8 +5,8 @@ ms.service: defender-endpoint
 ms.subservice: onboard
 f1.keywords:
 - NOCSH
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro

defender-endpoint/enable-attack-surface-reduction.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-asr
 ms.custom: admindeeplinkDEFENDER
 search.appverid: met150
-ms.date: 04/30/2025
+ms.date: 05/08/2025
 ---
 
 # Enable attack surface reduction rules
@@ -102,7 +102,7 @@ When adding exclusions, keep these points in mind:
 
 If a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence.
 
-Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conficts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
+Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
 
 Attack surface reduction rule merge behavior works as follows:
 
@@ -139,6 +139,7 @@ The following procedures for enabling attack surface reduction rules include ins
 > If you're using Intune on Windows Server 2012 R2 and Windows Server 2016 with the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), you need to set the following attack surface reduction rules to `Not Configured` because they're not supported on these OS versions. Otherwise, these policies fail to apply:
 > - [Block persistence through Windows Management Instrumentation (WMI) event subscription](/defender-endpoint/attack-surface-reduction-rules-reference#block-persistence-through-wmi-event-subscription)
 > - [Block JavaScript or VBScript from launching downloaded executable content](/defender-endpoint/attack-surface-reduction-rules-reference#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+> - [Block Win32 API calls from Office macro](/defender-endpoint/attack-surface-reduction-rules-reference#block-win32-api-calls-from-office-macros)
 
 #### Endpoint security policy (Preferred)
 

defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -4,8 +4,8 @@ description: Turn on cloud protection to benefit from fast and advanced protecti
 ms.service: defender-endpoint
 ms.localizationpriority: medium
 ms.topic: how-to
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 ms.date: 11/10/2024
 ms.reviewer: pahuijbr
 manager: deniseb
@@ -59,10 +59,15 @@ The following table summarizes the features and capabilities that depend on clou
 
 You can turn Microsoft Defender Antivirus cloud protection on or off by using one of several methods, such as:
 
-- [Microsoft Intune](#use-microsoft-intune-to-turn-on-cloud-protection)  
-- [Group Policy](#use-group-policy-to-turn-on-cloud-protection)
-- [PowerShell cmdlets](#use-powershell-cmdlets-to-turn-on-cloud-protection)
-- [Windows Management Instruction](#use-windows-management-instruction-wmi-to-turn-on-cloud-protection) (WMI)
+- [Turn on cloud protection in Microsoft Defender Antivirus](#turn-on-cloud-protection-in-microsoft-defender-antivirus)
+  - [Why cloud protection should be turned on](#why-cloud-protection-should-be-turned-on)
+  - [Methods to configure cloud protection](#methods-to-configure-cloud-protection)
+  - [Use Microsoft Intune to turn on cloud protection](#use-microsoft-intune-to-turn-on-cloud-protection)
+  - [Use Group Policy to turn on cloud protection](#use-group-policy-to-turn-on-cloud-protection)
+  - [Use PowerShell cmdlets to turn on cloud protection](#use-powershell-cmdlets-to-turn-on-cloud-protection)
+  - [Use Windows Management Instruction (WMI) to turn on cloud protection](#use-windows-management-instruction-wmi-to-turn-on-cloud-protection)
+  - [Turn on cloud protection on individual clients with the Windows Security app](#turn-on-cloud-protection-on-individual-clients-with-the-windows-security-app)
+  - [See also](#see-also)
 
 You can also use [Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). And, you can turn cloud protection on or off on individual endpoints by using the [Windows Security app](#turn-on-cloud-protection-on-individual-clients-with-the-windows-security-app).