Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into WI449590-amsi-demonstrations-mde-switch-image-code-snippet

Author: DeCohen

defender-endpoint/machines-view-overview.md

@@ -288,6 +288,9 @@ You can sort the entries by clicking on an available column header. Select :::im
 > - Narrow the width of appropriate columns.
 > - Zoom out in your web browser.
 
+> [!TIP]
+> The API, UI, export, and AH interfaces all draw from a single authoritative data source. However, because each is powered by separate backend systems with different update frequencies, slight variations may appear across views—especially in short-term queries or recently reactivated devices. Each interface is optimized for its specific use case: export for large data retrieval, UI for fast interactive tasks like tag management, and AH for tracking device update history over time.
+
 ## Related articles
 
 [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md).

defender-endpoint/troubleshoot-security-config-mgt.md

@@ -72,7 +72,7 @@ The following table lists errors and directions on what to try/check in order to
 |`40`|Clock sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.|
 |`43`|MDE and ConfigMgr|The device is managed using Configuration Manager and Microsoft Defender for Endpoint. Controlling policies through both channels may cause conflicts and undesired results. To avoid this, endpoint security policies should be isolated to a single control plane. |
 |`2`|Device is not enrolled and has never been enrolled|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is not enrolled to be managed by Defender for Endpoint. For more information, see [Configure Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration?pivots=mdssc-preview). |
-|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn of the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [Defender for Endpoint integration with Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
+|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn off the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [Defender for Endpoint integration with Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
 
 ## Related topic
 

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -46,6 +46,10 @@ Learn more:
 |---------|------------|-------------|
 |[Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview)     |GA         |- Microsoft Defender Core service, now in GA, helps with the stability and performance of Microsoft Defender Antivirus.<br>- Support for Azure Stack HCI OS is rolling out across commercial and government clouds.|
 
+## July 2025
+
+- (Preview) Added support for Azure Stack HCI OS, version 23H2 and later. This support will roll out gradually across all clouds and regions in July.
+
 ## April 2025
 
 |Feature  |Preview/GA  |Description  |

defender-vulnerability-management/tvm-weaknesses.md

@@ -44,8 +44,8 @@ The Weaknesses page opens with a list of the CVEs your devices are exposed to. Y
 If there's no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by Defender Vulnerability Management using the format **TVM-2020-002**.
 
 > [!NOTE]
-> The maximum number of records you can export from the weaknesses page to a CSV file is 8,000 and the export must not exceed 64 KB. If you receive a message stating the results are too large to export, refine your query to include fewer records.
->
+> The maximum number of records you can export from the weaknesses page to a CSV file is 6,000 and the export must not exceed 64 KB. If you receive a message stating the results are too large to export, refine your query to include fewer records.
+> 
 > Currently, Defender Vulnerability Management doesn't distinguish between 32-bit and 64-bit system architectures when correlating vulnerabilities (CVEs) to devices. This limitation can lead to false positives, especially in cases where a CVE applies only to one architecture type. For example, on a Windows Server 2016 machine, PHP was incorrectly flagged with `CVE-2024-11236`, which affects only 32-bit systems. Since architecture isn't currently factored into the correlation process, the CVE was incorrectly associated with a 64-bit server. This is a known issue, and a solution is on the roadmap.
 
 ## Breach and threat insights