Merge pull request #3011 from MicrosoftDocs/main

Publish main to live 03/04/2025, 10:30 AM (late)

Author: garycentric

CloudAppSecurityDocs/tutorial-dlp.md

@@ -79,7 +79,6 @@ Our approach to information protection can be split into the following phases th
     1. Under **Inspection method**, choose and configure one of the following classification services:
 
         - **[Data Classification Services](dcs-inspection.md)**: Uses classification decisions you've made across Microsoft 365, Microsoft Purview Information Protection, and Defender for Cloud Apps to provide a unified labeling experience. This is the preferred content inspection method as it provides a consistent and unified experience across Microsoft products.
-        - **[Built-in DLP](content-inspection-built-in.md)**: Inspects files for sensitive information using our built-in DLP content inspection engine.
 
     1. For highly sensitive files, select **Create an alert** and choose the alerts you require, so that you're informed when there are files with unprotected sensitive information in your organization.
     1. Select **Create**.

defender-endpoint/aggregated-reporting.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 01/21/2025
+ms.date: 03/04/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 2
 ---
@@ -38,8 +38,8 @@ The following requirements must be met before turning on aggregated reporting:
 
 Aggregated reporting supports the following:
 
-- Client version: Windows version 2411 and above
-- Operating systems: Windows 11 22H2, Windows Server 2022, Windows 11 Enterprise, Windows 10 20H2, 21H1, 21H2, Windows Server version 20H2, and Windows Server 2019
+- Client version: Windows version 2411 and later
+- Operating systems: Windows 11 22H2, Windows 11 Enterprise, Windows 10 20H2, 21H1, 21H2, Windows Server 2025, Windows Server 2022, Windows Server 2019, or Windows Server version 20H2
 
 ## Turn on aggregated reporting
 

defender-endpoint/analyzer-report.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 02/15/2024
+ms.date: 03/04/2025
 ---
 
 # Understand the client analyzer HTML report
@@ -28,28 +28,38 @@ The client analyzer produces a report in HTML format. Learn how to review the re
 
 Use the following example to understand the report.
 
- Example output from the analyzer on a machine onboarded to expired Org ID and failing to reach one of the required Microsoft Defender for Endpoint URLs:
+## Example output
+
+In this example, the [Defender for Endpoint Client Analyzer](/defender-endpoint/overview-client-analyzer) produced information about a device that was onboarded to an expired Org ID and failed to reach a required Defender for Endpoint URL:
 
 :::image type="content" source="media/147cbcf0f7b6f0ff65d200bf3e4674cb.png" alt-text="The MDE Client Analyzer Results page" lightbox="media/147cbcf0f7b6f0ff65d200bf3e4674cb.png":::
 
 - On top, the script version and script runtime are listed for reference
+
 - The **Device Information** section provides basic OS and device identifiers to uniquely identify the device on which the analyzer has run.
-- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected,  the color will change to red.
+
+- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color changes to red.
 
     :::image type="content" source="media/85f56004dc6bd1679c3d2c063e36cb80.png" alt-text="The Check Results Summary page" lightbox="media/85f56004dc6bd1679c3d2c063e36cb80.png":::
 
 - On **Check Results Summary**, you'll have an aggregated count for error,
     warning, or informational events detected by the analyzer.
+
 - On **Detailed Results**, you'll see a list (sorted by severity) with
     the results and the guidance based on the observations made by the analyzer.
 
 ## Open a support ticket to Microsoft and include the Analyzer results
 
-To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the
-`MDEClientAnalyzerResult.zip` file:
+To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the `MDEClientAnalyzerResult.zip` file:
 
 :::image type="content" source="media/508c189656c3deb3b239daf811e33741.png" alt-text="An attachment prompt" lightbox="media/508c189656c3deb3b239daf811e33741.png":::
 
 > [!NOTE]
 > If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
+
+## See also
+
+- [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](overview-client-analyzer.md)
+
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/attack-surface-reduction.md

@@ -144,7 +144,7 @@ You can set attack surface reduction rules for devices that are running any of t
   > [!NOTE]
   > Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](/defender-endpoint/configure-server-endpoints#functionality-in-the-modern-unified-solution) for this feature to work.
 
-Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. The advanced capabilities - available only in Windows E5 - include:
+Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. The advanced capabilities - available only in Windows E5 - include:S
 
 - The monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md)
 - The reporting and configuration capabilities in [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender).

defender-endpoint/automated-investigations.md

@@ -6,7 +6,7 @@ ms.subservice: edr
 author: denisebmsft
 ms.author: deniseb
 ms.localizationpriority: medium
-ms.date: 08/31/2022
+ms.date: 03/04/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -86,6 +86,7 @@ Currently, AIR only supports the following OS versions:
 - Windows Server 2016 (Preview)
 - Windows Server 2019
 - Windows Server 2022
+- Windows Server 2025
 - Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
 - Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 - Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later

defender-endpoint/configure-endpoints-vdi.md

@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
-ms.date: 02/04/2025
+ms.date: 03/04/2025
 ms.subservice: onboard
 ---
 
@@ -25,10 +25,13 @@ ms.subservice: onboard
 - [Microsoft Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 - Virtual desktop infrastructure (VDI) devices
-- Windows 10 and Windows 11
-- Windows Server 2019 and Windows Server 2022
+- Windows 11
+- Windows 10
 - Windows Server 2025 (beginning in February 2025 and rolling out over the next several weeks)
-- [Windows Server 2012 R2 and Windows Server 2016](/defender-endpoint/configure-server-endpoints#windows-server-2016-and-windows-server-2012-r2)
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+- Windows Server 2012 R2
 - Windows Server 2008
 
 

defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md

@@ -6,7 +6,7 @@ description: Windows Server includes automatic exclusions, based on server role.
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 02/04/2025
+ms.date: 03/04/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.topic: conceptual
@@ -327,7 +327,7 @@ The list of built-in exclusions in Windows is kept up to date as the threat land
 In Windows Server 2016 and later, the predefined exclusions delivered by [Security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and later. See [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions) before defining your exclusion lists.
 
 > [!WARNING]
-> Opting out of automatic exclusions might adversely impact performance, or result in data corruption. Automatic server role exclusions are optimized for Windows Server 2016, Windows Server 2019, and Windows Server 2022 and later. 
+> Opting out of automatic exclusions might adversely impact performance, or result in data corruption. Automatic server role exclusions are optimized for Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. 
 
 
 Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL folders to another drive or path that is *different from the original path*, you must add exclusions manually. See [Configure the list of exclusions based on folder name or file extension](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension).

defender-endpoint/controlled-folders.md

@@ -1,9 +1,9 @@
 ---
 title: Protect important folders from ransomware from encrypting your files with controlled folder access
-description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
+description: Files in default folders can be protected from changes through malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 11/19/2024
+ms.date: 03/04/2025
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -37,10 +37,17 @@ search.appverid: met150
 
 ## What is controlled folder access?
 
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, 
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on:
+- Windows 11
+- Windows 10
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+- Windows Server 2012 R2
 
 > [!NOTE]
-> Scripting engines like PowerShell are not trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
+> Scripting engines like PowerShell aren't trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
 
 Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
 
@@ -51,11 +58,11 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](micro
 
 Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
 
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders.
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the list are prevented from making any changes to files inside protected folders.
 
-Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
+Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that haven't ever displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
 
-Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions can be performed from the Microsoft Defender portal.
+Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Other actions can be performed in the Microsoft Defender portal.
 
 ## Why controlled folder access is important
 
@@ -69,7 +76,7 @@ You can use [audit mode](overview-attack-surface-reduction.md) to evaluate how c
 
 Windows system folders are protected by default, along with several other folders:
 
-The protected folders include common system folders (including boot sectors), and you can add additional folders. You can also allow apps to give them access to the protected folders.  The Windows systems folders that are protected by default are:
+The protected folders include common system folders (including boot sectors), and you can add other folders. You can also allow apps to give them access to the protected folders. The Windows systems folders that are protected by default are:
 
 - `c:\Users\<username>\Documents`
 - `c:\Users\Public\Documents`
@@ -86,7 +93,7 @@ Default folders appear in the user's profile, under **This PC**, as shown in the
 ![Protected Windows default systems folders](media/defaultfolders.png)
 
 > [!NOTE]
-> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
+> You can configure more folders as protected, but you can't remove the Windows system folders that are protected by default.
 
 ## Requirements for controlled folder access
 
@@ -96,7 +103,7 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti
 
 ## Review controlled folder access events in the Microsoft Defender portal
 
-Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md) in the Microsoft Defender portal; see [Microsoft Defender for Endpoint in Microsoft Defender XDR](/defender-xdr/microsoft-365-security-center-mde).
+Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md) in the Microsoft Defender portal. For more information, see [Microsoft Defender for Endpoint in Microsoft Defender XDR](/defender-xdr/microsoft-365-security-center-mde).
 
 You can query Microsoft Defender for Endpoint data by using [Advanced hunting](/defender-xdr/advanced-hunting-overview). If you're using [audit mode](overview-attack-surface-reduction.md), you can use [advanced hunting](/defender-xdr/advanced-hunting-overview) to see how controlled folder access settings would affect your environment if they were enabled.
 
@@ -141,16 +148,16 @@ You can use the Windows Security app to view the list of folders that are protec
 
 3. Under **Ransomware protection**, select **Manage ransomware protection**.
 
-4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
+4. If controlled folder access is turned off, you need to turn it on. Select **protected folders**.
 
 5. Do one of the following steps:
 
    - To add a folder, select **+ Add a protected folder**.
    - To remove a folder, select it, and then select **Remove**.
 
    > [!IMPORTANT]
-   > Do not add local share paths (loopbacks) as protected folders. Use the local path instead. For example, if you have shared `C:\demo` as `\\mycomputer\demo`, do not add `\\mycomputer\demo` to the list of protected folders. Instead add `C:\demo`.
+   > Don't add local share paths (loopbacks) as protected folders. Use the local path instead. For example, if you have shared `C:\demo` as `\\mycomputer\demo`, don't add `\\mycomputer\demo` to the list of protected folders. Instead add `C:\demo`.
 
-[Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
+[Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you can't remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/customize-controlled-folders.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 10/17/2024
+ms.date: 03/04/2025
 ---
 
 # Customize controlled folder access
@@ -33,7 +33,13 @@ ms.date: 10/17/2024
 > [!TIP]
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients.
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on:
+
+- Windows 11
+- Windows 10
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
 
 > [!IMPORTANT]
 > Controlled folder access is not supported on Linux servers.

defender-endpoint/defender-endpoint-demonstration-app-reputation.md

@@ -30,10 +30,16 @@ Test how Microsoft Defender for Endpoint SmartScreen helps you identify phishing
 
 ## Scenario requirements and setup
 
-- Windows 11 or Windows 10
-- Windows Server 2022 or Windows Server 2019 or Windows Server 2016 or Windows Server 2012 R2 or Windows Server 2008 R2 
-- Microsoft Edge or Internet Explorer browser required
-- To turn ON/OFF, go to **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **App & browser control** > **Check apps and files**
+- The following versions of Windows are supported:
+   - Windows 11
+   - Windows 10
+   - Windows Server 2025
+   - Windows Server 2022
+   - Windows Server 2019
+   - Windows Server 2016
+   - Windows Server 2012 R2
+   - Windows Server 2008 R2 
+- Microsoft Edge or Internet Explorer browser required. 
 
 ## Scenario Demos