Merge pull request #4916 from MicrosoftDocs/main

[AutoPublish] main to live - 09/03 04:27 PDT | 09/03 16:57 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/android-whatsnew.md

@@ -2,10 +2,10 @@
 title: What's new in Microsoft Defender for Endpoint on Android
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Android.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
-manager: deniseb
+manager: bagol
 ms.reviewer: denishdonga
 audience: ITPro
 ms.collection:

defender-endpoint/ios-whatsnew.md

@@ -2,12 +2,12 @@
 title: What's new in Microsoft Defender for Endpoint on iOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
 ms.date: 08/12/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection: 
 - m365-security

defender-endpoint/linux-whatsnew.md

@@ -2,12 +2,12 @@
 title: What's new in Microsoft Defender for Endpoint on Linux
 description: List of major changes for Microsoft Defender for Endpoint on Linux.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
 ms.date: 08/19/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security

defender-endpoint/mac-whatsnew.md

@@ -2,9 +2,9 @@
 title: What's new in Microsoft Defender for Endpoint on macOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on macOS.
 ms.service: defender-endpoint
-author: paulinbar
-ms.author: painbar
-manager: orspodek
+author: lwainstein
+ms.author: lwainstein
+manager: bagol
 ms.localizationpriority: medium
 ms.date: 08/20/2025
 audience: ITPro

defender-endpoint/machines-view-overview.md

@@ -288,6 +288,9 @@ You can sort the entries by clicking on an available column header. Select :::im
 > - Narrow the width of appropriate columns.
 > - Zoom out in your web browser.
 
+> [!TIP]
+> The API, UI, export, and AH interfaces all draw from a single authoritative data source. However, because each is powered by separate backend systems with different update frequencies, slight variations may appear across views—especially in short-term queries or recently reactivated devices. Each interface is optimized for its specific use case: export for large data retrieval, UI for fast interactive tasks like tag management, and AH for tracking device update history over time.
+
 ## Related articles
 
 [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md).

defender-endpoint/mde-demonstration-amsi.md

@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 ms.topic: how-to
-ms.date: 08/19/2025
+ms.date: 09/01/2025
 search.appverid: met150
 ms.custom: 
 - partner-contribution
@@ -52,17 +52,34 @@ In this demonstration article, you have two engine choices to test AMSI:
    ```powershell
    $testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
    Invoke-Expression $testString
-   ```
+   ```powershell
    
-2. On your device, open PowerShell as an administrator.
+1. On your device, open PowerShell as an administrator.
 
-3. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
+1. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
 
    The result should be as follows:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-powershell-results.png" alt-text="Screenshot showing the results of the AMSI test sample. It should show a threat was detected." lightbox="media/mde-demonstrations-amsi/test-amsi-powershell-results.png":::
+    ```powershell
+       Invoke-Expression : At line:1 char:1
+
+       + AMSI Test Sample: 7e72c3ce-861b-4339-8740-8ac1484c1386
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       This script contains malicious content and has been blocked by your antivirus software.
+
+       At C:\Users\Admin\Desktop\AMSI_PoSh_script.ps1:3 char:1
+
+       + Invoke-Expression $testString
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
+       
+       + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
+        ```
 
-   
 ### Testing AMSI with VBScript
 
 1. Save the following VBScript as `AMSI_vbscript.vbs`:
@@ -74,20 +91,63 @@ In this demonstration article, you have two engine choices to test AMSI:
    WScript.Echo result
    ```
 
-2. On your Windows Device, open Command Prompt as an administrator.
+1. On your Windows Device, open Command Prompt as an administrator.
 
 1. Type `wscript AMSI_vbscript.vbs`, and then press **Enter**.
 
    The result should be as follows:
 
-      :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
+    ```vbscript
+    Windows Script Host
+
+    Script: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+    Line: 3
+
+    Char: 1
+
+    Error: This script contains malicious content and has been blocked by your antivirus software.: 'eval'
 
+    Code: 800A802D
+
+    Source: Microsoft VBScript runtime error
+   ```
 
 ### Verifying the test results
 
 In your protection history, you should be able to see the following information:
 
-:::image type="content" source="media/mde-demonstrations-amsi/verifying-results.png" alt-text="Screenshot showing the AMSI test results. The information should show that a threat was blocked and cleaned." lightbox="media/mde-demonstrations-amsi/verifying-results.png":::
+```vbscript
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files.
+
+Affected items:
+
+amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
+
+or
+
+amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+and/or you might see:
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files
+```
 
 ### Get the list of Microsoft Defender Antivirus threats
 
@@ -101,17 +161,68 @@ You can view detected threats by using the Event log or PowerShell.
 
 3. Look for `event ID 1116`. You should see the following information:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/eventid1116.png" alt-text="Screenshot showing Event ID 1116, which says malware or unwanted software was detected." lightbox="media/mde-demonstrations-amsi/eventid1116.png":::
+```powershell
+
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
+
+For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&t
+
+Name: Virus:Win32/MpTest!amsi
+
+ID: 2147694217
+
+Severity: Severe
+
+Category: Virus
+
+Path: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Users\Admin\Desktop\AMSI_jscri
+
+Detection Origin: Local machine or Unknown
+
+Detection Type: Concrete
+
+Detection Source: System
+
+User: NT AUTHORITY\SYSTEM
 
-##### Use PowerShell
+Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\Sy
+
+Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
+
+Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
+```
+
+#### Use PowerShell 
 
 1. On your device, open PowerShell.
 
-2. Type the following command: `Get-MpThreat`.
+1. Type the following command: `Get-MpThreat`.
 
    You might see the following results:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/get-mpthreat-results.png" alt-text="Screenshot showing the results of the Get-MpThreat command. It should show that an AMSI threat was detected." lightbox="media/mde-demonstrations-amsi/get-mpthreat-results.png":::
+    ```powershell
+    CategoryID     : 42
+
+    DidThreatExecute : True
+
+    IsActive       : True
+
+    Resources      :
+
+    RollupStatus   : 97
+
+    SchemaVersion  : 1.0.0.0
+
+    SeverityID     : 5
+
+    ThreatID       : 2147694217
+
+    ThreatName     : Virus:Win32/MpTest!amsi
+
+    TypeID         : 0
+
+    PSComputerName :
+    ```
 
 
 ## See also

defender-endpoint/troubleshoot-security-config-mgt.md

@@ -72,7 +72,7 @@ The following table lists errors and directions on what to try/check in order to
 |`40`|Clock sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.|
 |`43`|MDE and ConfigMgr|The device is managed using Configuration Manager and Microsoft Defender for Endpoint. Controlling policies through both channels may cause conflicts and undesired results. To avoid this, endpoint security policies should be isolated to a single control plane. |
 |`2`|Device is not enrolled and has never been enrolled|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is not enrolled to be managed by Defender for Endpoint. For more information, see [Configure Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration?pivots=mdssc-preview). |
-|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn of the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [Defender for Endpoint integration with Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
+|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn off the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [Defender for Endpoint integration with Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
 
 ## Related topic
 

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -8,7 +8,7 @@ author: limwainstein
 ms.reviewer: noamhadash, pahuijbr, yongrhee
 ms.localizationpriority: medium
 ms.date: 08/20/2025
-manager: orspodek
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security
@@ -44,7 +44,8 @@ Learn more:
 
 |Feature  |Preview/GA  |Description  |
 |---------|------------|-------------|
-|[Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview)     |GA         |- Microsoft Defender Core service, now in GA, helps with the stability and performance of Microsoft Defender Antivirus.<br>- Support for Azure Stack HCI OS is rolling out across commercial and government clouds.|
+|Azure Stack HCI OS support (version 23H2 and later) |Preview |Added support for Azure Stack HCI OS, version 23H2 and later. Support for Azure Stack HCI OS is rolling out across commercial and government clouds. |
+|[Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) |GA |Microsoft Defender Core service, now in GA, helps with the stability and performance of Microsoft Defender Antivirus.|
 
 ## April 2025
 

defender-endpoint/whats-new-mde-archive.md

@@ -4,11 +4,11 @@ description: See what features were available for Microsoft Defender for Endpoin
 search.appverid: met150
 ms.service: defender-endpoint
 ms.subservice: reference
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
 ms.date: 04/04/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security

defender-endpoint/windows-whatsnew.md

@@ -3,11 +3,11 @@ title: What's new in Microsoft Defender for Endpoint on Windows
 description: Learn about the latest feature releases of Microsoft Defender for Endpoint on Windows Client and Server.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
 ms.date: 06/11/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection: 
 - m365-security