MicrosoftDocs
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/device-control-deploy-manage-gpo.md‎
Lines changed: 27 additions & 6 deletions b/‎defender-endpoint/device-control-deploy-manage-gpo.md‎
Lines changed: 27 additions & 6 deletions
diff --git a/‎defender-endpoint/live-response.md‎
Lines changed: 4 additions & 4 deletions b/‎defender-endpoint/live-response.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎defender-endpoint/media/protection-definition-update-failed.png‎
42.2 KB b/‎defender-endpoint/media/protection-definition-update-failed.png‎
42.2 KB
diff --git a/‎defender-endpoint/media/signature-update-failed.png‎
114 KB b/‎defender-endpoint/media/signature-update-failed.png‎
114 KB
diff --git a/‎defender-endpoint/microsoft-defender-antivirus-compatibility.md‎
Lines changed: 7 additions & 1 deletion b/‎defender-endpoint/microsoft-defender-antivirus-compatibility.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎defender-endpoint/microsoft-defender-endpoint-linux.md‎
Lines changed: 23 additions & 23 deletions b/‎defender-endpoint/microsoft-defender-endpoint-linux.md‎
Lines changed: 23 additions & 23 deletions
diff --git a/‎defender-endpoint/minimum-requirements.md‎
Lines changed: 7 additions & 7 deletions b/‎defender-endpoint/minimum-requirements.md‎
Lines changed: 7 additions & 7 deletions
@@ -511,8 +511,8 @@
           href: troubleshoot-collect-support-log.md
         - name: Troubleshoot Microsoft Defender Antivirus settings
           href: troubleshoot-settings.md
-        - name: Troubleshoot Microsoft Defender Antivirus service startup problems
-          href: troubleshoot-service-startup-problems.md
+        - name: Troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated
+          href: troubleshoot-security-intelligence-not-updated.md 
         - name: Troubleshooting Security Intelligence Updates from Microsoft Update source
           href: security-intelligence-update-tshoot.md
           displayName: Troubleshooting Security Intelligence Updates from Microsoft Update source
 
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 05/02/2024
+ms.date: 01/10/2025
 ---
 
 # Attack surface reduction rules overview
@@ -79,7 +79,7 @@ For information about configuring per-rule exclusions, see the section titled **
 
 ## Warn mode for users
 
-(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
+Whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
 
 Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
 
 
@@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
 author: denisebmsft
 ms.author: deniseb
 manager: deniseb 
-ms.date: 08/27/2024
+ms.date: 01/09/2025
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -15,7 +15,7 @@ ms.collection:
 - mde-asr
 ms.custom: 
 - partner-contribution
-ms.reviewer: joshbregman
+ms.reviewer: joshbregman, tdoucette
 search.appverid: MET150
 f1.keywords: NOCSH 
 ---
@@ -61,17 +61,27 @@ To configure the device types that a device control policy is applied, follow th
 
 1. On a computer running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Turn on device control for specific device types**.
 
-1. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). This setting must be a single string with no spaces or it will be parsed incorrectly by the device control engine causing unexpected behaviors. Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`.
+2. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). This setting must be a single string with no spaces or it will be parsed incorrectly by the device control engine causing unexpected behaviors. Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`.
 
 ## Define groups
 
 :::image type="content" source="media/deploy-dc-gpo/define-groups.png" alt-text="Screenshot of define groups." lightbox="media/deploy-dc-gpo/define-groups.png":::
 
 1. Create one XML file for each removable storage group. 
 
-2. Use the properties in your removable storage group to create an XML file for each removable storage group. 
+2. Use the properties in your removable storage group to create an XML file for each removable storage group.
 
-3. Save each XML file to your network share.
+   Make sure the root node of the XML is PolicyGroups, for example, the following XML:
+
+   ```xml
+    <PolicyGroups>
+        <Group Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}" Type="Device">
+             
+        </Group>
+    </PolicyGroups>
+    ```
+
+3. Save the XML file to your network share.
 
 4. Define the settings as follows:
 
@@ -93,6 +103,16 @@ You can create different group types. Here's one group example XML file for any
 
 2. Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule. 
 
+   Ensure root node of the XML is PolicyRules, for example, the following XML:
+
+   ```xml
+   <PolicyRules>
+     <PolicyRule Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}">
+         ...
+      </PolicyRule> 
+   </PolicyRules>
+   ```
+
 3. Save the XML file to network share.
 
 4. Define the settings as follows:
@@ -103,11 +123,12 @@ You can create different group types. Here's one group example XML file for any
 
 > [!NOTE]
 > To capture evidence of files being copied or printed, use [Endpoint DLP.](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
-> [!NOTE]
+> 
 > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
 
 ## See also
 
 - [Device control in Defender for Endpoint](device-control-overview.md)
 - [Device control policies in and settings](device-control-policies.md)
 - [Device Control for macOS](mac-device-control-overview.md)
+
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 04/03/2024
+ms.date: 01/10/2025
 ---
 
 # Investigate entities on devices using live response
@@ -229,9 +229,9 @@ Here are some examples:
 
 Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
 
-Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
+Live response allows PowerShell and Bash scripts to run; however, you must first put the files into the library before you can run them.
 
-You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
+You can have a collection of PowerShell and Bash scripts that can run on devices that you initiate live response sessions with.
 
 #### To upload a file in the library
 
@@ -311,7 +311,7 @@ Live response supports table and JSON format output types. For each command, the
 
 ## Supported output pipes
 
-Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
+Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: `[command] > [filename].txt`.
 
 Example:
 
 
@@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 10/17/2024
+ms.date: 01/10/2025
 ms.topic: conceptual
 author: emmwalshh
 ms.author: ewalsh
@@ -132,6 +132,12 @@ In order for Microsoft Defender Antivirus to run in passive mode, endpoints must
 
 - Endpoints must be onboarded to Defender for Endpoint. 
 
+- Windows Security Center Service must be enabled.
+
+> [!WARNING]
+> If the **Windows Security Center Service** is *disabled* on Windows Clients then Microsoft Defender Antivirus can't detect third-party antivirus installations and will stay **Active**.
+> This could lead to conflicts between the Microsoft Defender Antivirus and the third-party Antivirus, as both will attempt to provide active protection. This will impact performance and is not supported.
+
 > [!IMPORTANT]
 > - Microsoft Defender Antivirus is only available on devices running Windows 10 and 11, Windows Server 2022, Windows Server 2016, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, and Windows Server 2012 R2.
 > - Passive mode is only supported on Windows Server 2012 R2 & 2016 when the device is onboarded using the [modern, unified solution](configure-server-endpoints.md). 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 01/07/2025
+ms.date: 01/10/2025
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -45,7 +45,7 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
 
 > [!NOTE]
 > Linux distribution using system manager supports both SystemV and Upstart.
-> Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). 
+> Microsoft Defender for Endpoint on Linux agent is independent from [Operation Management Suite (OMS) agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). 
 > Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
 
 ### System requirements
@@ -106,30 +106,30 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
   
 - List of supported filesystems for RTP, Quick, Full, and Custom Scan.
 
-   |RTP, Quick, Full Scan| Custom Scan|
-   |---|---|
-   |`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
-   |`ecryptfs`|`Efs`|
-   |`ext2`|`S3fs`|
-   |`ext3`|`Blobfuse`|
-   |`ext4`|`Lustr`|
-   |`fuse`|`glustrefs`|
-   |`fuseblk`|`Afs`|
-   |`jfs`|`sshfs`|
-   |`nfs` (v3 only)|`cifs`|
-   |`overlay`|`smb`|
-   |`ramfs`|`gcsfuse`|
-   |`reiserfs`|`sysfs`|
-   |`tmpfs`||
-   |`udf`||
-   |`vfat`||
-   |`xfs`||
-    
+ |RTP, Quick, Full Scan| Custom Scan|
+ |---|---|
+ |`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
+ |`ecryptfs`|`Efs`|
+ |`ext2`|`S3fs`|
+ |`ext3`|`Blobfuse`|
+ |`ext4`|`Lustr`|
+ |`fuse`|`glustrefs`|
+ |`fuseblk`|`Afs`|
+ |`jfs`|`sshfs`|
+ |`nfs` (v3 only)|`cifs`|
+ |`overlay`|`smb`|
+ |`ramfs`|`gcsfuse`|
+ |`reiserfs`|`sysfs`|
+ |`tmpfs`||
+ |`udf`||
+ |`vfat`||
+ |`xfs`||
+  
   > [!NOTE]
-  > Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
+  > Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient extended Berkeley Packet Filter (eBPF) technology.
   > If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, then Audit framework (`auditd`) must be enabled on your system.
   > If you're using Auditd, then system events captured by rules added to `/etc/audit/rules.d/` adds to `audit.log`(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux are tagged with the `mdatp` key.
-
+  
 - /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md).
 
 ### Installation instructions
 
@@ -6,7 +6,7 @@ ms.author: deniseb
 author: denisebmsft
 ms.reviewer: pahuijbr
 ms.localizationpriority: medium
-ms.date: 01/06/2025
+ms.date: 01/10/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -85,7 +85,7 @@ Supported versions of Windows include:
 - Windows 10 Education
 - Windows 10 Pro
 - Windows 10 Pro Education
-- Windows server
+- Windows Server
   - Windows Server 2012 R2
   - Windows Server 2016
   - Windows Server, version 1803 or later
@@ -130,23 +130,23 @@ To add anti-malware protection to these older operating systems, you can use [Sy
 
 The minimum hardware requirements for Defender for Endpoint on Windows devices are the same as the requirements for the operating system itself (that is, they aren't in addition to the requirements for the operating system).
 
-- Cores: Two minimum, four preferred
-- Memory: One GB minimum, four preferred
+- Cores: 2 minimum, 4 preferred
+
+- Memory: 1GB minimum, 4 GB preferred
 
 ### Network and data storage and configuration requirements
 
 When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
 
 > [!NOTE]
->
 > - You can't change your data storage location after the first-time setup.
 > - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
 
 #### IP stack
 
-IPv4 (Internet Protocol Version 4) stack must be enabled on devices for communication to the Defender for Endpoint cloud service to work as expected.
+Internet Protocol Version 4 (IPv4) stack must be enabled on devices for communication to the Defender for Endpoint cloud service to work as expected.
 
-Alternatively, if you must use an IPv6-only configuration, consider adding dynamic IPv6/IPv4 transitional mechanisms, such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any other network reconfiguration.
+Alternatively, if you must use an Internet Protocol Version 6 (IPv6) only configuration, consider adding dynamic IPv6/IPv4 transitional mechanisms, such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any other network reconfiguration.
 
 #### Internet connectivity