
Commit 3df56d3

Merge pull request #3377 from MicrosoftDocs/main
Publish main to live, 04/04/25, 10:30 AM PDT
2 parents bbf53aa + 3d38b0c commit 3df56d3

17 files changed

+397
-194
lines changed

defender-endpoint/attack-surface-reduction-faq.yml

Lines changed: 15 additions & 15 deletions

defender-endpoint/autoir-investigation-results.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ ms.custom:
2020
- autoir
2121
- admindeeplinkDEFENDER
2222
ms.reviewer: evaldm, isco
23-
ms.date: 02/21/2024
23+
ms.date: 04/04/2025
2424
---
2525

2626
# View the details and results of an automated investigation
@@ -32,7 +32,7 @@ With Microsoft Defender for Endpoint, when an [automated investigation](automate
3232

3333
## (NEW!) Unified investigation page
3434

35-
The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about).
35+
The investigation page is updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about).
3636

3737
> [!TIP]
3838
> To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
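Review bot: dropping "recently" from the unified investigation sentence leaves the heading "## (NEW!) Unified investigation page" and the tip's link text "(NEW!) Unified investigation page" still flagging the feature as new; if the intent is to stop dating the feature, the "(NEW!)" markers in the heading and the tip should be removed in the same change, otherwise the section reads as both new and no longer recent.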
@@ -74,7 +74,7 @@ Use the investigation details view to see past, current, and pending activity pe
7474
In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
7575

7676
> [!NOTE]
77-
> - The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
77+
> - The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription doesn't include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
7878
>
7979
> - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
8080
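Review bot: subject-verb agreement in the rewritten note line: "The specific tabs you see in an investigation details page depends on what your subscription includes" should read "depend on", since the subject is "tabs". While touching this line, "an investigation details page" could become "the Investigation details view" to match the term used in the sentence above the table.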
@@ -83,8 +83,8 @@ In the Investigation details view, you can see information on the **Investigatio
8383
|**Investigation graph**|Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval. <p> You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts.|
8484
|**Alerts**|Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Defender for Cloud Apps, and other Microsoft Defender XDR features.|
8585
|**Devices**|Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).)|
86-
|**Mailboxes**|Lists mailboxes that are impacted by detected threats.|
87-
|**Users**|Lists user accounts that are impacted by detected threats.|
86+
|**Mailboxes**|Lists mailboxes that are affected by detected threats.|
87+
|**Users**|Lists user accounts that are affected by detected threats.|
8888
|**Evidence**|Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status.|
8989
|**Entities**|Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).|
9090
|**Log**|Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
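Review bot: the rows in this hunk document **Mailboxes**, **Users**, and **Evidence** tabs, but the intro sentence above the table names **Identities**, **Key findings**, and **Pending actions** and never mentions Mailboxes, Users, or Evidence. The "impacted" to "affected" wording change is fine, but the tab list and the table rows should be reconciled in the same change so readers know which tab names they will actually see.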
@@ -99,7 +99,7 @@ The following table lists investigation states and what they indicate.
9999
|---------|---------|
100100
|Benign | Artifacts were investigated and a determination was made that no threats were found.|
101101
|PendingResource | An automated investigation is paused because either a remediation action is pending approval, or the device on which an artifact was found is temporarily unavailable.|
102-
|UnsupportedAlertType | An automated investigation is not available for this type of alert. Further investigation can be done manually, by using advanced hunting. |
102+
|UnsupportedAlertType | An automated investigation isn't available for this type of alert. Further investigation can be done manually, by using advanced hunting. |
103103
|Failed | At least one investigation analyzer ran into a problem where it couldn't complete the investigation. If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded.|
104104
|Successfully remediated| An automated investigation completed, and all remediation actions were completed or approved.|
105105

defender-endpoint/automation-levels.md

Lines changed: 3 additions & 3 deletions
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
66
ms.subservice: edr
77
ms.author: ewalsh
88
ms.localizationpriority: medium
9-
ms.date: 07/27/2023
9+
ms.date: 04/04/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -43,8 +43,8 @@ Automated investigation and remediation (AIR) capabilities in Microsoft Defender
4343
|Automation level|Description|
4444
|---|---|
4545
|**Full - remediate threats automatically** <br> (also referred to as *full automation*)|With full automation, remediation actions are performed automatically on entities that are considered to be malicious. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone. <p> ***Full automation is recommended** and is selected by default for tenants with Defender for Endpoint that were created on or after August 16, 2020, with no device groups defined yet.*<p>*Full automation is set by default in Defender for Business.*|
46-
|**Semi - require approval for all folders** <br> (also referred to as *semi-automation*)|With this level of semi-automation, approval is required for remediation actions on all files. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. Pending actions time out after 7 days. If an action times out, the behavior is the same as if the action is rejected. <p> *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|
47-
|**Semi - require approval for core folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). <p> Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <p> Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|
46+
|**Semi - require approval for all folders** <br> (also referred to as *semi-automation*)|With this level of semi-automation, approval is required for remediation actions on all files. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. Pending actions time out after seven days. If an action times out, the behavior is the same as if the action is rejected. <p> *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|
47+
|**Semi - require approval for core folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). <p> Remediation actions can be taken automatically on files or executables that are in other (noncore) folders. <p> Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|
4848
|**Semi - require approval for non-temp folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that aren't* in temporary folders. <p> Temporary folders can include the following examples: <ul><li>`\users\*\appdata\local\temp\*`</li><li>`\documents and settings\*\local settings\temp\*`</li><li>`\documents and settings\*\local settings\temporary\*`</li><li>`\windows\temp\*`</li><li>`\users\*\downloads\*`</li><li>`\program files\`</li><li>`\program files (x86)\*`</li><li>`\documents and settings\*\users\*`</li></ul> <p> Remediation actions can be taken automatically on files or executables that are in temporary folders. <p> Pending actions for files or executables that aren't in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|
4949
|**No automated response** <br> (also referred to as *no automation*)|With no automation, automated investigation doesn't run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured. <p> ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](machine-groups.md).|
5050
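Review bot: the spelling changes ("seven days", "noncore") are fine, but two defects in the unchanged rows of this table are worth fixing in the same pass. The non-temp-folders row has a stray asterisk in "that aren't* in temporary folders", and its path list has `\program files\` without the trailing `*` that every other pattern carries, so it is unclear whether that entry is a prefix match; since `\users\*\downloads\*` and `\program files\` sit in the set that is remediated without approval, the row should state plainly that these count as temporary folders for approval purposes. The emphasis markup in the no-automation row ("***Using the *no automation* option is not recommended**, because ...") is also unbalanced, so the italics never close and the row may render incorrectly.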

defender-endpoint/collect-diagnostic-data.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
66
author: emmwalshh
77
ms.author: ewalsh
88
ms.custom: nextgen
9-
ms.date: 03/07/2024
9+
ms.date: 04/04/2025
1010
ms.reviewer: pahuijbr, yongrhee
1111
manager: deniseb
1212
ms.subservice: ngp
@@ -127,7 +127,7 @@ You can also specify where the diagnostic `.cab` file is created using a Group P
127127
5. Select **OK** or **Apply**.
128128

129129
> [!TIP]
130-
> **Performance tip** Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
130+
> **Performance tip** Due to various factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
131131
>
132132
> - Top paths that impact scan time
133133
> - Top files that impact scan time
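Review bot: "Due to various factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause ..." still needs a comma after the closing parenthesis, and "examples listed below" duplicates the "some examples are:" that introduces the same list at the end of the paragraph; keep one of the two references.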

defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md

Lines changed: 4 additions & 4 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
- tier2
1616
- mde-ngp
1717
search.appverid: met150
18-
ms.date: 03/26/2025
18+
ms.date: 04/04/2025
1919
---
2020

2121
# Configure behavioral, heuristic, and real-time protection
@@ -38,15 +38,15 @@ Microsoft Defender Antivirus uses several methods to provide threat protection:
3838

3939
You can configure how Microsoft Defender Antivirus uses these methods with [Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration), [Microsoft Intune](use-intune-config-manager-microsoft-defender-antivirus.md), Microsoft Configuration Manager, [Group Policy](use-group-policy-microsoft-defender-antivirus.md), [PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md), and [Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md).
4040

41-
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
41+
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but might not be detected as malware.
4242

4343
See [Use next-gen Microsoft Defender Antivirus technologies through cloud protection](cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud protection.
4444

4545
## In this section
4646

47-
| Topic|Description |
47+
| Article|Description |
4848
|---|---|
49-
| [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)| Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps |
49+
| [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)| Detect and block apps that mighty be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps |
5050
| [Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md)|Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features |
5151

5252
> [!TIP]
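Review bot: typo introduced in the table row: "Detect and block apps that mighty be unwanted in your network" should be "might be unwanted". The "Topic" to "Article" header change is fine.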

defender-endpoint/evaluate-network-protection.md

Lines changed: 3 additions & 3 deletions
@@ -5,8 +5,8 @@ ms.service: defender-endpoint
55
ms.localizationpriority: medium
66
audience: ITPro
77
ms.topic: conceptual
8-
author: denisebmsft
9-
ms.author: deniseb
8+
author: emmwalshh
9+
ms.author: ewalsh
1010
ms.reviewer: yongrhee
1111
manager: deniseb
1212
ms.subservice: asr
@@ -15,7 +15,7 @@ ms.collection:
1515
- tier2
1616
- mde-asr
1717
search.appverid: met150
18-
ms.date: 03/28/2024
18+
ms.date: 04/04/2025
1919
---
2020

2121
# Evaluate network protection

defender-endpoint/mac-support-license.md

Lines changed: 10 additions & 10 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: macos
1717
search.appverid: met150
18-
ms.date: 03/19/2024
18+
ms.date: 04/04/2025
1919
---
2020

2121
# Troubleshoot license issues for Microsoft Defender for Endpoint on macOS
@@ -56,17 +56,17 @@ You encounter this message in a different way: If you're using the terminal to e
5656

5757
### Cause
5858

59-
- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-15-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-did-not-run-the-configuration-script).
59+
- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-15-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-didnt-run-the-configuration-script).
6060

61-
- You can encounter an error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [If Microsoft Defender for Endpoint on macOS isn't up to date](#if-microsoft-defender-for-endpoint-on-macos-is-not-up-to-date).
61+
- You can encounter an error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [If Microsoft Defender for Endpoint on macOS isn't up to date](#if-microsoft-defender-for-endpoint-on-macos-isnt-up-to-date).
6262

63-
- You can encounter an error message if you offboarded and reonboarded Mac from Microsoft Defender for Endpoint on macOS.
63+
- You can encounter an error message if you offboard and reonboard Mac from Microsoft Defender for Endpoint on macOS.
6464

65-
- You can encounter an error message if a license isn't assigned to a user. For information on troubleshooting in this scenario, see [If a license isn't assigned to a user](#if-a-license-is-not-assigned-to-a-user).
65+
- You can encounter an error message if a license isn't assigned to a user. For information on troubleshooting in this scenario, see [If a license isn't assigned to a user](#if-a-license-isnt-assigned-to-a-user).
6666

6767
### Solutions
6868

69-
#### If you did not run the configuration script
69+
#### If you didn't run the configuration script
7070

7171
This section describes the troubleshooting measures when the error/warning message is caused by nonexecution of the configuration script. The script contains the license settings when the Microsoft Defender for Endpoint on macOS package is installed and deployed.
7272
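Review bot: the reworded bullet "if you offboard and reonboard Mac from Microsoft Defender for Endpoint on macOS" is missing an article ("a Mac") and, unlike the other three bullets, does not link to its solution; it should point at the "#### If Microsoft Defender for Endpoint on macOS has been offboarded" section the same way the other bullets link to theirs, using the new apostrophe-free anchor style adopted in this hunk.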

@@ -80,19 +80,19 @@ Depending on the deployment management tool used, follow the tool-specific instr
8080
|Manual installation | [Download installation and onboarding packages](mac-install-manually.md#download-installation-and-onboarding-packages); and [Onboarding Package](mac-install-manually.md#onboarding-package) |
8181

8282
> [!NOTE]
83-
> If the onboarding package runs correctly, the licensing information will be located in `/Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist`.
83+
> If the onboarding package runs correctly, the licensing information is located in `/Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist`.
8484
85-
#### If Microsoft Defender for Endpoint on macOS is not up to date
85+
#### If Microsoft Defender for Endpoint on macOS isn't up to date
8686

8787
For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you need to [update](mac-updates.md) the agent.
8888

8989
#### If Microsoft Defender for Endpoint on macOS has been offboarded
9090

9191
When the offboarding script is executed on the macOS, it saves a file in `/Library/Application Support/Microsoft/Defender/` and it's named `com.microsoft.wdav.atp.offboarding.plist`.
9292

93-
If the file exists, it will prevent the macOS from being onboarded again. Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again.
93+
If the file exists, it prevents the macOS from being onboarded again. Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again.
9494

95-
#### If a license is not assigned to a user
95+
#### If a license isn't assigned to a user
9696

9797
1. In the Microsoft Defender portal (security.microsoft.com), select **Settings**, and then select **Endpoints**.
9898
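Review bot: the rewritten sentence "Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again." is missing a connective and reads as if running the script performs the deletion; it should say "Delete the **com.microsoft.wdav.atp.offboarding.plist** file before running the onboarding script again." The unchanged preceding line, "When the offboarding script is executed on the macOS", should read "on macOS" or "on the Mac".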
