MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 14 additions & 9 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎ATPDocs/deploy/media/activate-capabilities/1.jpg‎
186 KB b/‎ATPDocs/deploy/media/activate-capabilities/1.jpg‎
186 KB
diff --git a/‎ATPDocs/deploy/media/activate-capabilities/2.jpg‎
144 KB b/‎ATPDocs/deploy/media/activate-capabilities/2.jpg‎
144 KB
diff --git a/‎ATPDocs/deploy/media/activate-capabilities/3.jpg‎
169 KB b/‎ATPDocs/deploy/media/activate-capabilities/3.jpg‎
169 KB
diff --git a/‎defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/microsoft-defender-endpoint-mac.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/microsoft-defender-endpoint-mac.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/migrate-devices-streamlined.md‎
Lines changed: 24 additions & 8 deletions b/‎defender-endpoint/migrate-devices-streamlined.md‎
Lines changed: 24 additions & 8 deletions
diff --git a/‎defender-vulnerability-management/get-defender-vulnerability-management.md‎
Lines changed: 5 additions & 5 deletions b/‎defender-vulnerability-management/get-defender-vulnerability-management.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎defender-vulnerability-management/tvm-block-vuln-apps.md‎
Lines changed: 17 additions & 13 deletions b/‎defender-vulnerability-management/tvm-block-vuln-apps.md‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎defender-vulnerability-management/tvm-browser-extensions.md‎
Lines changed: 3 additions & 0 deletions b/‎defender-vulnerability-management/tvm-browser-extensions.md‎
Lines changed: 3 additions & 0 deletions
@@ -88,12 +88,16 @@ Activate the Defender for Identity from the [Microsoft Defender portal](https://
 
    The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
 
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+
+    :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+
+    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
 ## Onboarding Confirmation 
 
@@ -104,7 +108,7 @@ To confirm the sensor has been onboarded:
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
->  The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
 ## Test activated capabilities
 
@@ -126,7 +130,6 @@ In the Defender portal, select **Identities** > **Dashboard**, and review the de
 
 For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
 
-
 ### Confirm entity page details
 
 Confirm that entities, such as domain controllers, users, and groups, are populated as expected. 
@@ -139,7 +142,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-    If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -205,18 +208,20 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the **Options** menu, select any of the available remediation actions.
+2. From the **Options** menu, select any of the available remediation actions.
 
-1. Check Active Directory for the expected activity.
+3. Check Active Directory for the expected activity.
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
 ## Deactivate Defender for Identity capabilities on your domain controller
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings > Identities > Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+
+    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
 
@@ -3,7 +3,7 @@ title: Configure custom exclusions for Microsoft Defender Antivirus
 description: You can exclude files (including files modified by specified processes) and folders from Microsoft Defender Antivirus scans.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 02/18/2025
+ms.date: 03/06/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.custom: nextgen
@@ -46,7 +46,7 @@ Custom exclusions apply to [scheduled scans](schedule-antivirus-scans.md), [on-d
 ## Configure and validate exclusions
 
 > [!CAUTION]
-> Use Microsoft Defender Antivirus extensions sparingly. Make sure to review the information in [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
+> Use Microsoft Defender Antivirus exclusions sparingly. Make sure to review the information in [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
 > Variables, such as `%USERPROFILE%` aren't interpreted in exclusion settings. We recommend using an explicit path format
 
 If you're using Microsoft Intune to manage Microsoft Defender Antivirus or Microsoft Defender for Endpoint, use the following procedures to define exclusions:
 
@@ -155,7 +155,7 @@ Guidance for how to configure the product in enterprise environments is availabl
 
 ## macOS kernel and system extensions
 
-Starting with macOS 11 (Significant Sur), Microsoft Defender for Endpoint has been fully migrated from kernel extension to system extensions. 
+Starting with macOS 11 (Big Sur), Microsoft Defender for Endpoint has been fully migrated from kernel extension to system extensions.
 
 ## Resources
 
 
@@ -13,7 +13,7 @@ ms.collection:
 - tier1
 ms.topic: how-to
 ms.subservice: onboard
-ms.date: 05/09/2024
+ms.date: 03/06/2025
 ---
 
 # Migrate devices to use the streamlined connectivity method
@@ -31,12 +31,10 @@ This article describes how to migrate (reonboard) devices that had been previous
 In most cases, full device offboarding isn't required when reonboarding. You can run the updated onboarding package and reboot your device to switch connectivity over. See the following information for details on individual operating systems.
 
 > [!IMPORTANT]
-> Limitations and known issues:
->
-> - We found a back-end issue with populating the `ConnectivityType` column in the `DeviceInfo table` in advanced hunting so that you can track migration progress. We aim to resolve this issue as soon as possible.
-> - For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
-> - Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
-> - Devices running the MMA agent are not supported and must continue using the MMA onboarding method.
+> Limitations and known issues:- For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
+- Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
+- Devices running the MMA agent are not supported and must continue using the MMA onboarding method.
+
 
 ## Migrating devices using the streamlined method
 
@@ -333,7 +331,25 @@ For example: `https:mdav.us.endpoint.security.microsoft/com/storage`
 
 ### Tracking with advanced hunting in Microsoft Defender XDR
 
-Follow the same instructions as for Windows.
+To view all devices (limit 30k) and their most recently reported connectivity type:
+
+
+```kusto
+DeviceInfo
+| where OnboardingStatus == "Onboarded"
+| summarize arg_max(ConnectivityType, Timestamp) by DeviceName
+```
+
+To view a count of Devices by OSPlatform and their connectivity type in a bar chart:
+
+
+```kusto
+DeviceInfo
+| where OnboardingStatus == "Onboarded"
+| summarize arg_max(ConnectivityType, Timestamp, OSPlatform) by DeviceName
+| summarize count() by OSPlatform, ConnectivityType
+| render columnchart 
+```
 
 ### Use Defender for Endpoint Client Analyzer (cross-platform) to validate connectivity for newly migrated endpoints
 
 
@@ -14,7 +14,7 @@ ms.collection:
 - m365-security
 - tier1
 - essentials-get-started
-ms.date: 02/28/2025
+ms.date: 03/06/2025
 ---
 
 # Sign up for Microsoft Defender Vulnerability Management
@@ -38,13 +38,13 @@ You can [request one extension](https://productledgrowth.powerappsportals.com/Ad
 
 You must be a Global Administrator to start a trial. Or, you can allow users to start a trial on behalf of your organization by enabling this option:
 
-1. In the [Microsoft 365 admin center](https://admin.microsoft.com), go to **Settings** > **Org settings** > **Services** > **User owned apps and services**
+1. In the [Microsoft 365 admin center](https://admin.microsoft.com), go to **Settings** > **Org settings**. In the **Services** page, navigate to **User owned apps and services**.
 
-2. Check **Let users start trials on behalf of your organization**
+2. Check **Let users start trials on behalf of your organization**.
 
-3. Select **Save**
+3. Select **Save**.
 
-:::image type="content" source="/defender/media/defender-vulnerability-management/mdvm-user-starttrial.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management user trial setting.":::
+:::image type="content" source="/defender/media/defender-vulnerability-management/mdvm-trial-admin-center.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management user trial setting.":::
 
 > [!NOTE]
 > If you don't want users in your organization to be able to start trials, as a Global Administrator, you must disable this option once you've activated the trial.
 
@@ -11,9 +11,10 @@ audience: ITPro
 ms.collection:
   - m365-security
   - Tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: met150
-ms.date: 12/05/2024
+ms.date: 3/05/2024
+#customer intent: To learn how to block vulnerable applications with Microsoft Defender Vulnerability Management.
 ---
 
 # Block vulnerable applications with Microsoft Defender Vulnerability Management
@@ -24,6 +25,9 @@ ms.date: 12/05/2024
 - [Microsoft Defender XDR](/defender-xdr)
 - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
 
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
 Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security administrators can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application until the remediation request is completed. The block option gives your IT teams time to patch an application without worrying your security administrators about the vulnerabilities.
 
 While taking the remediation steps suggested by a security recommendation, security administrators can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s are created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.
@@ -54,23 +58,23 @@ For both actions, you can customize the message the users see. For example, you
 
 ## How to block vulnerable applications
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Recommendations** .
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com), then navigate to **Endpoints** > **Vulnerability management** > **Recommendations** .
 
 2. Select a security recommendation to see a flyout with more information.
 
 3. Select **Request remediation**.
 
-4. Select whether you want to apply the remediation and mitigation to all device groups or only a few.
+4. Fill out the form. In the **Remediation options** dropdown, select which of the options you want to request. The options are software update, software uninstall, and attention required.
 
-5. Select the remediation options on the **Remediation request** page. The remediation options are software update, software uninstall, and attention required.
+5. Under Task management tools, tick the box for **Open a ticket in Intune (for AAD joined devices)** if you want to create a ticket in Microsoft Intune for the remediation request.
 
-6. Pick a **Remediation due date** and select **Next**.
+6. Pick a **Remediation due date**.
 
-7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it's immediately applied.
+7. Under **Priority**, select High, Medium, or Low.
 
-   :::image type="content" alt-text="Mitigation action" source="/defender/media/defender-vulnerability-management/mitigation-action.png" lightbox="/defender/media/defender-vulnerability-management/mitigation-action.png":::
+8. Under **Add notes**, you can add any additional information. Select **Next**.
 
-8. Review the selections you made and **Submit request**. On the final page, you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
+9. Review the selections you made and then select **Submit**. On the final page, you can choose to edit the selections and export all remediation request to a .CSV file.
 
 > [!NOTE]
 > Beginning December 3, 2024, expect to see a reduction in the number of file indicators that are created by new application block policies. To reduce your current indicator usage, unblock any blocked applications, and create new block policies. 
@@ -95,19 +99,19 @@ If you try to block an application and it doesn't work, you might have reached t
 
 After you've submitted a request to block vulnerable applications, you can view remediation activities by following these steps:
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Remediation** > **Activities**.
+1. Navigate to **Endpoints** > **Vulnerability management** > **Remediation**.
 
-2. Filter the results by this mitigation type: `Block and/or Warn to view all activities pertaining to block or warn actions`.
+2. In the **Activities** tab, you can choose to filter the results by mitigation type. The options are **Block**, **Warn**, **None**, and **Workaround**. 
 
-3. An activity log displays. Keep in mind that it's an activity log, not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description, and the device remediation status:
+3. Select the relevant activity to see a flyout pane with details including the remediation description, mitigation description, and the device remediation status:
 
    :::image type="content" alt-text="Remediation and mitigation details" source="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png" lightbox="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png":::
 
 ## View blocked applications
 
 To view a list of blocked applications, follow these steps:
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Remediation** > **Blocked applications** tab:
+1. Navigate to **Endpoints** > **Vulnerability management** > **Remediation**, then select the **Blocked applications** tab:
 
    :::image type="content" alt-text="Blocked application" source="/defender/media/defender-vulnerability-management/blocked-applications.png" lightbox="/defender/media/defender-vulnerability-management/blocked-applications.png":::
 
 
@@ -25,6 +25,9 @@ ms.date: 03/04/2025
 - [Microsoft Defender XDR](/defender-xdr)
 - [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
 
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
 This browser extension is a small software application that adds functionality to a web browser for use with Microsoft Defender Vulnerability Management. This extension provides your security team with visibility into installed browser extensions to help ensure the safe usage of extensions in your organization.
 
 The **Browser extensions** page displays a list of the browser extensions installed across different browsers in your organization. Browser extension details are collected across all the users that exist on a specific browser. For each installed extension, per browser, you can see the devices it's installed on, the users who installed it, and whether it's turned on or off on a device.