Merge branch 'main' into docs-editor/switch-to-mde-phase-2-1750089266

Author: denisebmsft

ATPDocs/investigate-security-alerts.md

@@ -12,7 +12,7 @@ Investigate alerts that are affecting your environment, understand what they mea
 Begin your investigation by selecting an alert from the **Alerts** page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.
 
 > [!NOTE]
-> The **alert story** and **export to Excel** options are only available for alerts that use the original Defender for Identity structure.  
+> The **alert story** and **export to Excel** options are only available for alerts that use the classic Defender for Identity structure.  
 > For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
 
 ## Investigate using the alert story

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/image.png

@@ -30,7 +30,11 @@ Smart attackers are likely to target Microsoft Entra Connect in on-premises envi
 
 1. Take appropriate action on those accounts and remove their 'Replication Directory Changes' and 'Replication Directory Changes All' permissions by unchecking the following permissions:  
 
-![Screenshot of the replication permissions.](media/remove-replication-permissions-microsoft-entra-connect/permissions.png)
+[![Screenshot that shows Replicationconfiguration](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png)](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png#lightbox)
+
+
+
+
 
 > [!IMPORTANT]
 > For environments with multiple Microsoft Entra Connect servers, it’s crucial to install sensors on each server to ensure Microsoft Defender for Identity can fully monitor your setup. It has been detected that your Microsoft Entra Connect configuration does not utilize Password Hash Sync, which means that replication permissions are not necessary for the accounts in the Exposed Entities list. Additionally, it’s important to ensure that each exposed MSOL account is not required for Replication Permissions by any other applications.

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfig.png

@@ -85,7 +85,7 @@ items:
       - name: Listen for SIEM events
         href: deploy/configure-event-collection.md
         displayName: standalone
-    - name: Activate Defender for Identity capabilities on your domain controller
+    - name: Activate Defender for Identity capabilities on your domain controller (Preview)
       href: deploy/activate-capabilities.md
 - name: Integrate with identity services
   items:

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png

@@ -560,11 +560,14 @@
     items:
     - name: Migration guides overview
       href: migration-guides.md
+    - name: Considerations for side-by-side deployment
+      href: mde-side-by-side.md
     - name: Migrate servers to Defender for Cloud
       href: migrating-mde-server-to-cloud.md
     - name: Migrate to Defender for Endpoint
-      href: switch-to-mde-overview.md
       items:
+      - name: Overview
+        href: switch-to-mde-overview.md
       - name: Phase 1 - Prepare
         href: switch-to-mde-phase-1.md
       - name: Phase 2 - Setup

ATPDocs/remove-replication-permissions-microsoft-entra-connect.md

@@ -0,0 +1,11 @@
+---
+author: denisebmsft
+ms.author: deniseb
+ms.date: 06/13/2025
+ms.topic: include
+ms.service: defender-endpoint
+---
+
+If you want to run multiple security solutions side by side, see [Considerations for performance, configuration, and support](/defender-endpoint/mde-side-by-side).
+
+You might have already configured mutual security exclusions for devices onboarded to Microsoft Defender for Endpoint. If you still need to set mutual exclusions to avoid conflicts, see [Add Microsoft Defender for Endpoint to the exclusion list for your existing solution](/defender-endpoint/switch-to-mde-phase-2#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).

ATPDocs/toc.yml

@@ -70,4 +70,6 @@ Here's a list of prerequisites required to deploy Defender for Endpoint:
 
 Start your deployment with [Step 1 - Set up Microsoft Defender for Endpoint deployment](production-deployment.md)
 
+[!INCLUDE [side-by-side-scenarios](includes/side-by-side-scenarios.md)]
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/TOC.yml

@@ -0,0 +1,52 @@
+---
+title: Microsoft Defender for Endpoint alongside other security solutions
+description: See recommendations for running Defender for Endpoint alongside other security solutions.
+ms.service: defender-endpoint
+ms.localizationpriority: medium
+ms.date: 06/13/2025
+ms.topic: conceptual
+author: emmwalshh
+ms.author: ewalsh
+ms.custom: 
+- nextgen
+- partner-contribution
+ms.reviewer: pahuijbr
+manager: deniseb
+ms.collection: 
+- m365-security
+- tier2
+search.appverid: met150
+---
+
+# Microsoft Defender for Endpoint alongside other security solutions
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+
+## Considerations with concurrent security solutions
+
+Large organizations use a wide variety of security solutions, and running multiple security solutions concurrently can lead to performance issues and conflicts. To help minimize interoperability issues, trusted security solutions can often be configured to mitigate conflicts with each other. Organizations should understand the potential benefits, risks, and mitigation recommendations to make informed choices.  
+
+1. **Avoid duplication**. Running multiple security solutions that perform the same function can lead to performance issues and conflicts. It's generally recommended to avoid redundant capabilities, as this increases the likelihood of problematic product interactions. 
+
+   Microsoft Defender for Endpoint can be configured to disable endpoint detection and response (EDR) in block mode, automated investigation & remediation, protection from potentially unwanted applications (PUA protection), network discovery & response, and other capabilities. This can reduce overlap with detection and response functions provided by non-Microsoft endpoint security solutions. Responsibility for these functions falls to the solution actively providing those functions. 
+
+   Similarly, setting Microsoft Defender Antivirus in passive mode ensures that when another anti-malware solution is present, Microsoft Defender Antivirus doesn't perform active protection, remediation, or malware blocking. Responsibility for malware protection shifts to the active anti-malware solution. 
+
+2. **Configure mutual exclusions**. Security exclusions are used to prevent certain entities from being scanned or blocked by security software. Creating mutual exclusions between security solutions can help avoid performance issues and compatibility problems. Exclusions can potentially decrease protection, so it's important to only exclude processes and paths that are confidently benign. 
+
+   When creating mutual exclusions between two security solutions, organizations are deferring protection for those solutions to their respective vendors. If a non-Microsoft EDR solution is unable to monitor Defender for Endpoint binaries, for example, then Microsoft is being trusted to protect its own solution. Likewise, if Defender for Endpoint is unable to monitor a non-Microsoft solution, then that vendor is being trusted to protect its own solution. These gaps in protection need to be actively managed as solutions change, to help minimize risk.
+
+   > [!NOTE]
+   > For Microsoft Windows performance, for example, see [Performance overview - Windows Client | Microsoft Learn](/troubleshoot/windows-client/performance/performance-overview) and [Performance overview - Windows Server | Microsoft Learn](/troubleshoot/windows-server/performance/performance-overview).
+
+3. **Consider system configuration**. In side-by-side scenarios, even well configured security tools can be impacted by underlying system limitations. Ensure that endpoints meet hardware requirements and stagger resource-heavy tasks. Built-in telemetry can monitor performance to help isolate interoperability issues from system constraints. Solutions and scenario guides are available to help troubleshoot and self-solve performance-related issues, or organizations can leverage available support resources. 
+
+Delegating security functionality, creating exclusions, and configuring settings can help reduce the likelihood of interoperability issues, but these might not be eliminated completely. Acceptable risk is different for every organization; optimizing for usability might increase risk, and optimizing for security will likely impact usability. Organizations should weigh the benefits of interoperability over potential risks.
+
+## Customer support
+
+Commercially reasonable support is provided through Microsoft Customer Service & Support and Microsoft-managed support offerings. In troubleshooting performance, reliability, and other issues, customers might be asked to temporarily remove potentially conflicting solutions to identify the source of the issue. Depending on the issue, customers might be asked to engage with the vendor of the non-Microsoft solution.
+