
Commit 2b4491d

committed
acrolinx fixes
1 parent 2042e80 commit 2b4491d

1 file changed

+19
-19
lines changed

defender-vulnerability-management/windows-authenticated-scan.md

Lines changed: 19 additions & 19 deletions
@@ -27,10 +27,10 @@ ms.collection:
2727
> [!IMPORTANT]
2828
> This feature will be deprecated by the end of November 2025 and will not be supported beyond that date. More information about this change are in the [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs).
2929
30-
Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities. By default, the scan will run every four hours with options to change this interval or have it only run once.
30+
Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured, the targeted unmanaged devices are scanned regularly for software vulnerabilities. By default, the scan runs every four hours with options to change this interval or have it only run once.
3131

3232
> [!NOTE]
33-
> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
33+
> To use this feature, Microsoft Defender Vulnerability Management Standalone is required. If you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on is required.
3434
3535
Security administrators can then see the latest security recommendations and review recently discovered vulnerabilities for the targeted device in the [Microsoft Defender portal](https://security.microsoft.com).
3636

@@ -39,18 +39,18 @@ Security administrators can then see the latest security recommendations and rev
3939
4040
## Scanner Installation
4141

42-
Similar to [network device](/defender-endpoint/network-devices) authenticated scan, you'll need a scanning device with the scanner installed. If you don't already have the scanner installed, see [Install the scanner](/defender-endpoint/network-devices#install-the-scanner) for steps on how to download and install it.
42+
Similar to [network device](/defender-endpoint/network-devices) authenticated scan, you need a scanning device with the scanner installed. If you don't already have the scanner installed, see [Install the scanner](/defender-endpoint/network-devices#install-the-scanner) for steps on how to download and install it.
4343

4444
> [!NOTE]
4545
> No changes are required for pre-existing installed scanners.
4646
4747
## Prerequisites
4848

49-
The following section lists the pre-requisites you need to configure to use Authenticated scan for Windows.
49+
The following section lists the prerequisites you need to configure to use Authenticated scan for Windows.
5050

5151
### Scanning account
5252

53-
A scanning account is required to remotely access the devices. This must be a [Group Managed Service Account (gMsa)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/).
53+
A scanning account is required to remotely access the devices. The account must be a [Group Managed Service Account (gMsa)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/).
5454

5555
> [!NOTE]
5656
> We recommend the gMSA account is a least privileged account with only the required scanning permissions and is set to cycle the password regularly.
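Review bot: line 53 spells the account type "gMsa" while the NOTE on line 56 uses "gMSA"; the acronym is gMSA (group Managed Service Account) and the two lines should agree. The same NOTE says the account should be "set to cycle the password regularly", but a gMSA's password is rotated by Active Directory itself rather than by the administrator, so pointing at the rotation interval (the ManagedPasswordIntervalInDays parameter of New-ADServiceAccount) would be clearer than implying manual rotation.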
@@ -63,10 +63,10 @@ To create a gMsa account:
6363
New-ADServiceAccount -Name gmsa1 -PrincipalsAllowedToRetrieveManagedPassword scanner-win11-i$ -KerberosEncryptionType RC4, AES128, AES256 -Verbose
6464
```
6565

66-
- gmsa1 stands for the name of the account you are creating, and scanner-win11-I$ stands for the machine name where the scanner agent will run. Only this machine will be able to retrieve the account password. You can provide a comma separated list of machines.
66+
- gmsa1 stands for the name of the account you are creating, and scanner-win11-I$ stands for the machine name where the scanner agent runs. Only this machine is able to retrieve the account password. You can provide a comma separated list of machines.
6767
- Modifying an existing account can be done with *Get-ADServiceAccount* and *Set-ADServiceAccount*
6868

69-
2. To Install the AD Service Account, on the machine where the scanner agent will run using an elevated PowerShell window, run:
69+
2. To Install the AD Service Account, on the machine where the scanner agent runs using an elevated PowerShell window, run:
7070

7171
```powershell
7272
Install-ADServiceAccount -Identity gmsa1
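Review bot: line 66 names the scanner host scanner-win11-I$ while the command on line 63 passes scanner-win11-i$; use one spelling so the bullet can be matched to the parameter. Separately, the sample command enables RC4 via -KerberosEncryptionType RC4, AES128, AES256; since the page later warns readers off NTLM as an insecure protocol, it would be consistent to show AES128, AES256 only and add RC4 only where a legacy dependency requires it. "To Install" on line 69 should also be lower-case "install".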
@@ -76,7 +76,7 @@ If your PowerShell doesn't recognize those commands, it probably means you're mi
7676

7777
### Devices to be scanned
7878

79-
Use the table below for guidance on the configurations required, along with the permissions needed for the scanning account, on each device to be scanned:
79+
Use the following table for guidance on the configurations required, along with the permissions needed for the scanning account, on each device to be scanned:
8080

8181
> [!NOTE]
8282
> The below steps are only one recommended way to configure the permissions on each device to be scanned and uses the Performance Monitor Users group. You can also configure the permissions in the following ways:
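Review bot: line 79 replaces "the table below" with "the following table", but the NOTE on line 82 still opens with "The below steps" and has a number disagreement ("steps ... uses"); rewrite it as "The following steps are only one recommended way to configure the permissions on each device to be scanned and use the Performance Monitor Users group".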
@@ -90,18 +90,18 @@ Use the table below for guidance on the configurations required, along with the
9090
|:---|:---|
9191
|Windows Management Instrumentation (WMI) is enabled|To enable remote Windows Management Instrumentation (WMI): <ul><li>Verify the Windows Management Instrumentation service is running.</li><li>Go to **Control Panel** \> **All Control Panel Items** \> **Windows Defender Firewall** \> **Allowed applications** and ensure Windows Management Instrumentation (WMI) is allowed through Windows Firewall.</li></ul>|
9292
|Scanning account is a member of Performance Monitor Users group|The scanning account must be a member of the **Performance Monitor Users** group on the device to be scanned.|
93-
|Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace|To verify or enable these permissions: <ul><li>Run wmimgmt.msc.</li><li>Right click **WMI Control (Local)** and select **Properties**.</li><li>Go to the Security tab.</li><li>Select the relevant WMI namespace and select **Security**.</li><li>Add the specified group and select to allow the specific permissions.</li><li>Select **Advanced**, choose the specified entry and select **Edit**.</li><li>Set **Applies To** to "This namespace and subnamespaces".</li></ul>|
93+
|Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace|To verify or enable these permissions: <ul><li>Run wmimgmt.msc.</li><li>Right click **WMI Control (Local)** and select **Properties**.</li><li>Go to the Security tab.</li><li>Select the relevant WMI namespace and select **Security**.</li><li>Add the specified group and select to allow the specific permissions.</li><li>Select **Advanced**, choose the specified entry, and select **Edit**.</li><li>Set **Applies To** to "This namespace and subnamespaces".</li></ul>|
9494
|**Performance Monitor Users** group should have permissions on DCOM operations|To verify or enable these permissions: <ul><li>Run dcomcnfg.</li><li>Navigate to **Component Services** \> **Computers** \> **My Computer**.</li><li>Right click My Computer and choose **Properties**.</li><li>Go to the COM Security tab.</li><li>Go to **Launch and Activation Permissions** and select **Edit Limits**.</li><li>Add the specified group and select to allow **Remote Activation**.</li></ul>|
9595

9696
### Configure a group of devices with a group policy
9797

98-
A group policy will let you bulk apply the configurations required, as well as the permissions required for the scanning account, to a group of devices to be scanned.
98+
A group policy lets you bulk apply the configurations required, and the permissions required for the scanning account, to a group of devices to be scanned.
9999

100100
Follow these steps on a domain controller to configure a group of devices at the same time:
101101

102102
|Step|Description|
103103
|---|---|
104-
|Create a new Group Policy Object|<ul><li>On the domain controller open the Group Policy Management Console.</li><li>Follow these steps to [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object).</li><li>Once your Group Policy Object (GPO) is created, right-click on your GPO and select **Edit** to open the Group Policy Management Editor console and complete the steps below.</li></ul>|
104+
|Create a new Group Policy Object|<ul><li>On the domain controller, open the Group Policy Management Console.</li><li>Follow these steps to [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object).</li><li>Once your Group Policy Object (GPO) is created, right-click on your GPO and select **Edit** to open the Group Policy Management Editor console and complete the steps below.</li></ul>|
105105
|Enable Windows Management Instrumentation (WMI)|To enable remote Windows Management Instrumentation (WMI): <ul><li>Go to **Computer Configuration** \> **Policies** \> **Windows Settings** \> **Security Settings** \> **System Services**.</li><li>Right-click **Windows Management Instrumentation**.</li><li>Select the **Define this policy setting** box and choose **Automatic**.</li></ul>|
106106
|Allow WMI through the firewall|To allow Windows Management Instrumentation (WMI) through the firewall: <ul><li>Go to **Computer Configuration** \> **Policies** \> **Windows Settings** \> **Security Settings** \> **Windows Defender Firewall and Advanced Security** \> **Inbound Rules**.</li><li>Right-click and select **New Rule**.</li><li>Choose **Predefined** and select **Windows Management Instrumentation (WMI)** from the list. Then select **Next**.</li><li>Select the **Windows Management Instrumentation (WMI-In)** checkbox. Then select **Next**.</li><li>Select **Allow the connection**. Then select **Finish**.</li><li>Right-click the newly added rule and select **Properties**.</li><li>Go to the **Advanced** tab and uncheck the **Private** and **Public** options as only **Domain** is required.</li></ul>|
107107
|Grant permissions to perform DCOM operations|To grant permissions to perform DCOM operations: <ul><li>Go to **Computer Configuration** \> **Policies** \> **Windows Settings** \> **Security Settings** \> **Local Policies** \> **Security Operations**.</li><li>Right-click **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** and select **Properties**.</li><li>Select **Define this policy setting** box and select **Edit Security**.</li><li>Add the user or group you are granting permissions to and select **Remote Activation**.</li></ul>|
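Review bot: two Group Policy node names in the unchanged rows of this table are wrong and will send readers looking for nodes that don't exist: line 106 says "Windows Defender Firewall and Advanced Security" (the node is "Windows Defender Firewall with Advanced Security"), and line 107 says "Local Policies > Security Operations" (the node is "Security Options", which is where "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" lives). Both should be corrected in this pass.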
@@ -155,7 +155,7 @@ Process {
155155
}
156156
```
157157

158-
Once the GPO policy is applied to a device, all the required settings will be applied and your gMSA account will be able to access and scan the device.
158+
Once the GPO policy is applied to a device, all the required settings are applied and your gMSA account is able to access and scan the device.
159159

160160
## Configure a new authenticated scan
161161

@@ -167,27 +167,27 @@ To configure a new authenticated scan:
167167
:::image type="content" source="/defender/media/defender-vulnerability-management/authenticated-scan.png" alt-text="Screenshot of the add new authenticated scan screen" lightbox="/defender/media/defender-vulnerability-management/authenticated-scan.png":::
168168

169169
3. Enter a **Scan name**.
170-
4. Select the **Scanning device:** The onboarded device you'll use to scan the unmanaged devices.
171-
5. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file will override any manually added addresses.
172-
6. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting 'Do not repeat'.
170+
4. Select the **Scanning device:** The onboarded device you use to scan the unmanaged devices.
171+
5. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file overrides any manually added addresses.
172+
6. Select the **Scan interval:** By default, the scan runs every four hours. You can change the scan interval or have it only run once, by selecting 'Do not repeat'.
173173
7. Choose your **Authentication method** - there are two options to choose from:
174174
- Kerberos (preferred)
175175
- Negotiate
176176

177177
> [!NOTE]
178178
> Negotiate option will fallback to NTLM in cases where Kerberos fails. Using NTLM is not recommended as it is not a secure protocol.
179179
180-
8. Enter the credentials Microsoft Defender Vulnerability Management will use to remotely access the devices:
180+
8. Enter the credentials Microsoft Defender Vulnerability Management uses to remotely access the devices:
181181

182-
- **Use azure KeyVault:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials
182+
- **Use azure KeyVault:** If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials
183183
- For the Azure KeyVault secret value use [gMSA account details](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/) in the format **Domain;Username**
184184
9. Select **Next** to run or skip the test scan. For more information on test scans, see [Scan and add network devices](/defender-endpoint/network-devices#scan-and-add-network-devices).
185185
10. Select **Next** to review the settings and then select **Submit** to create your new authenticated scan.
186186

187187
> [!NOTE]
188188
> As the authenticated scanner currently uses an encryption algorithm that is not compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.
189189
>
190-
> To allow algorithms that are not compliant with FIPS, set the following value in the registry for the devices where the scanner will run: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy with a DWORD value named **Enabled** and value of **0x0**
190+
> To allow algorithms that are not compliant with FIPS, set the following value in the registry for the devices where the scanner runs: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy with a DWORD value named **Enabled** and value of **0x0**
191191
>
192192
> FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.
193193
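Review bot: line 182 keeps "Use azure KeyVault" and "Azure KeyVault" after the rewrite; the product name is "Azure Key Vault" (two words, capital A), and the bold text should match the label as the UI shows it. More substantively, the FIPS note on line 190 tells readers to set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled to 0 without saying that this turns off FIPS mode for the whole scanning device, not just for the scanner, and that the policy setting linked on line 188 ("System cryptography: Use FIPS compliant algorithms") writes that same value, so a local registry edit is overridden wherever that policy is enforced. A sentence stating that scope would help readers decide whether a dedicated scanning host is needed. Line 192's claim that FIPS compliant algorithms "are only used in relation to" US federal departments and agencies overstates; FIPS 140 is mandated there but used elsewhere, so "are primarily required by" is more accurate. Also, "fallback" on line 178 is the noun; the verb is "fall back".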
@@ -196,7 +196,7 @@ To configure a new authenticated scan:
196196
You can use APIs to create a new scan and view all existing configured scans in your organization. For more information, see:
197197

198198
- [Get all scan definitions](/defender-endpoint/api/get-all-scan-definitions)
199-
- [Add, delete or update a scan definition](/defender-endpoint/api/add-a-new-scan-definition)
199+
- [Add, delete, or update a scan definition](/defender-endpoint/api/add-a-new-scan-definition)
200200
- [Get all scan agents](/defender-endpoint/api/get-all-scan-agents)
201201
- [Get scan agent by Id](/defender-endpoint/api/Get-agent-details)
202202
- [Get scan history by definition](/defender-endpoint/api/get-scan-history-by-definition)
