Merge branch 'main' into batamig-patch-3

Author: batamig

defender-endpoint/api/device-health-api-methods-properties.md

@@ -48,7 +48,7 @@ Retrieves a list of Microsoft Defender Antivirus device health details. This API
 Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.
 
 > [!IMPORTANT]
-> For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](../configure-server-endpoints.md#windows-server-2016-functionality-in-the-modern-unified-solution).
+> For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](../configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 >
 > For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus report in Microsoft Defender for Endpoint](../device-health-reports.md).
 

defender-endpoint/api/device-health-export-antivirus-health-report-api.md

@@ -54,7 +54,7 @@ Data that is collected using either '_JSON response_ or _via files_' is the curr
 
 > [!IMPORTANT]
 >
-> For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](../configure-server-endpoints.md#windows-server-2016-functionality-in-the-modern-unified-solution).
+> For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](../configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 
 > [!NOTE]
 >

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -113,7 +113,7 @@ The following table lists the supported operating systems for rules that are cur
 >
 > Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the minimum Windows Server build is version 1809 or later.
 >
-> Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#windows-server-2016-functionality-in-the-modern-unified-solution).
+> Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 
 | Rule name| Windows&nbsp;11 <br>and<br> Windows&nbsp;10 | Windows&nbsp;Server <br> 2022 <br>and<br>  Windows&nbsp;Server <br> 2019 | Windows Server | Windows&nbsp;Server <br> 2016 <sup>[[1, 2](#fn1)]</sup> | Windows&nbsp;Server <br> 2012&nbsp;R2 <sup>[[1, 2](#fn1)]</sup> |
 |:---|:---:|:---:|:---:|:---:|:---:|

defender-endpoint/attack-surface-reduction-rules-report.md

@@ -56,7 +56,7 @@ For more information about individual attack surface reduction rules, see [Attac
 
 > [!IMPORTANT]
 > To access the **Attack surface reduction rules report**, read permissions are required for the Microsoft Defender portal. Access to this report granted by Microsoft Entra roles, such as Security Global Admin or Security role, is being deprecated and will be removed in April 2023.
-> For Windows Server 2012 R2 and Windows Server 2016 to appear in the **Attack surface reduction rules report**, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](configure-server-endpoints.md#windows-server-2016-functionality-in-the-modern-unified-solution).
+> For Windows Server 2012 R2 and Windows Server 2016 to appear in the **Attack surface reduction rules report**, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 
 ## Report access permissions
 

defender-endpoint/attack-surface-reduction.md

@@ -141,7 +141,7 @@ You can set attack surface reduction rules for devices that are running any of t
 - [Windows Server 2012 R2](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh801901(v=ws.11))
 
   > [!NOTE]
-  > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016) for this feature to work.
+  > Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work.
 
 Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. The advanced capabilities - available only in Windows E5 - include:
 

defender-endpoint/automated-investigations.md

@@ -92,7 +92,7 @@ Currently, AIR only supports the following OS versions:
 - Windows 11
 
 > [!NOTE]
-> Automated investigation and response on Windows Server 2012 R2 and Windows Server 2016 requires the [Unified Agent](configure-server-endpoints.md#windows-server-2016-functionality-in-the-modern-unified-solution) to be installed. 
+> Automated investigation and response on Windows Server 2012 R2 and Windows Server 2016 requires the [Unified Agent](configure-server-endpoints.md#functionality-in-the-modern-unified-solution) to be installed. 
 
 ## Next steps
 

defender-endpoint/behavior-monitor-macos.md

@@ -71,71 +71,71 @@ The following sections describe each of these methods in detail.
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-<dict>
-        <key>PayloadUUID</key>
-        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-        <key>PayloadType</key>
-        <string>Configuration</string>
-        <key>PayloadOrganization</key>
-        <string>Microsoft</string>
-        <key>PayloadIdentifier</key>
-        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-        <key>PayloadDisplayName</key>
-        <string>Microsoft Defender for Endpoint settings</string>
-        <key>PayloadDescription</key>
-        <string>Microsoft Defender for Endpoint configuration settings</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-        <key>PayloadRemovalDisallowed</key>
-        <true/>
-        <key>PayloadScope</key>
-        <string>System</string>
-        <key>PayloadContent</key>
-        <array>
-            <dict>
-                <key>PayloadUUID</key>
-                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                <key>PayloadType</key>
-                <string>com.microsoft.wdav</string>
-                <key>PayloadOrganization</key>
-                <string>Microsoft</string>
-                <key>PayloadIdentifier</key>
-                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                <key>PayloadDisplayName</key>
-                <string>Microsoft Defender for Endpoint configuration settings</string>
-                <key>PayloadDescription</key>
-                <string/>
-                <key>PayloadVersion</key>
-                <integer>1</integer>
-                <key>PayloadEnabled</key>
-                <true/>
-              <key>antivirusEngine</key>
-              <dict>
-                            <key>behaviorMonitoring</key>
-                           <string>enabled</string>
-              </dict>
-              <key>features</key>
-              <dict>
-                            <key>behaviorMonitoring</key>
-                           <string>enabled</string>
-              <key>behaviorMonitoringConfigurations</key>
-                           <dict>
-                                 <key>blockExecution</key>
-                                 <string>enabled</string>
-                                 <key>notifyForks</key>
-                                 <string>enabled</string>
-                                 <key>forwardRtpToBm</key>
-                                 <string>enabled</string>
-                                 <key>avoidOpenCache</key>
-                                 <string>enabled</string>
-                           </dict>
-              </dict>
-</dict>
+    <dict>
+        <key>PayloadUUID</key>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadOrganization</key>
+        <string>Microsoft</string>
+        <key>PayloadIdentifier</key>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+        <key>PayloadDisplayName</key>
+        <string>Microsoft Defender for Endpoint settings</string>
+        <key>PayloadDescription</key>
+        <string>Microsoft Defender for Endpoint configuration settings</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+        <key>PayloadRemovalDisallowed</key>
+        <true/>
+        <key>PayloadScope</key>
+        <string>System</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                <key>PayloadType</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft</string>
+                <key>PayloadIdentifier</key>
+                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                <key>PayloadDisplayName</key>
+                <string>Microsoft Defender for Endpoint configuration settings</string>
+                <key>PayloadDescription</key>
+                <string/>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>antivirusEngine</key>
+                <dict>
+                <key>behaviorMonitoring</key>
+                <string>enabled</string>
+                </dict>
+                <key>features</key>
+                <dict>
+                <key>behaviorMonitoring</key>
+                <string>enabled</string>
+                <key>behaviorMonitoringConfigurations</key>
+                <dict>
+                <key>blockExecution</key>
+                <string>enabled</string>
+                <key>notifyForks</key>
+                <string>enabled</string>
+                <key>forwardRtpToBm</key>
+                <string>enabled</string>
+                <key>avoidOpenCache</key>
+                <string>enabled</string>
+                                 </dict>
+                    </dict>
+            </dict>
+        </array>
+    </dict>
 </plist>
-</array>
-</dict>
 ```
 
 2. Open **Devices** > **Configuration profiles**. 
@@ -154,29 +154,29 @@ The following sections describe each of these methods in detail.
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
 <plist version="1.0">
-<dict>
-              <key>antivirusEngine</key>
-              <dict>
-                            <key>behaviorMonitoring</key>  
-                           <string>enabled</string> 
-              </dict>
-              <key>features</key>
-              <dict>
-                            <key>behaviorMonitoring</key>
-                           <string>enabled</string>
-              <key>behaviorMonitoringConfigurations</key>
-                           <dict>
-                                 <key>blockExecution</key>
-                                         <string>enabled</string>
-                                 <key>notifyForks</key>
-                                         <string>enabled</string>
-                                 <key>forwardRtpToBm</key>
-                                         <string>enabled</string>
-                                 <key>avoidOpenCache</key>
-                                         <string>enabled</string>
-                           </dict>
-              </dict>
-</dict>
+    <dict>
+        <key>antivirusEngine</key>
+            <dict>
+                <key>behaviorMonitoring</key>  
+                <string>enabled</string> 
+            </dict>
+                <key>features</key>
+                     <dict>
+                         <key>behaviorMonitoring</key>
+                         string>enabled</string>
+                         <key>behaviorMonitoringConfigurations</key>
+                             <dict>
+                                 <key>blockExecution</key>
+                                 <string>enabled</string>
+                                 <key>notifyForks</key>
+                                 <string>enabled</string>
+                                 <key>forwardRtpToBm</key>
+                                 <string>enabled</string>
+                                 <key>avoidOpenCache</key>
+                                 <string>enabled</string>
+                             </dict>
+                     </dict>
+    </dict>
 </plist>
 ```
 
@@ -215,9 +215,6 @@ For more information on how to test for a behavior monitoring (prevention/block)
 
 ### Frequently Asked Questions (FAQ):
 
-#### Do Behavior Monitoring protection alerts show up in the Device timeline and/or Advanced Hunting?
-Not at this time, it's in telemetry mode.
-
 #### What if I see an increase in cpu utilization or memory utilization?
 Disable Behavior Monitoring and see if the issue goes away.
 - If the issue doesn't go away, it is not related to Behavior Monitoring.

defender-endpoint/configure-endpoints-vdi.md

@@ -70,7 +70,7 @@ The following steps guide you through onboarding VDI devices and highlight steps
 ### Onboarding steps
 
 > [!NOTE]
-> Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying the installation package first using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016) for this feature to work.
+> Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying the installation package first using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work.
 
 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>: