Merge branch 'main' into v-mathavale-9112613

Author: denisebmsft

defender-vulnerability-management/defender-vulnerability-management-faq.md

@@ -54,7 +54,7 @@ For existing Defender for Endpoint Plan 2 customers who want to evaluate the exp
 For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers, see [Defender Vulnerability Management Standalone](get-defender-vulnerability-management.md#try-defender-vulnerability-management-standalone) to sign up for the free 90-day trial.
 
 > [!NOTE]
-> Customers need to have the global admin role defined in Microsoft Entra ID to onboard the trial.
+> Customers need to have the Global Administrator role assigned in Microsoft Entra ID to onboard the trial.
 
 ### How is the service provisioned/deployed?
 

defender-vulnerability-management/get-defender-vulnerability-management.md

@@ -4,13 +4,13 @@ description: Get Microsoft Defender Vulnerability Management
 search.appverid: MET150
 author: siosulli
 ms.author: siosulli
-manager: deniseb 
+manager: deniseb
 audience: Admin
 ms.topic: overview
 ms.service: defender-vuln-mgmt
 ms.localizationpriority: medium
-f1.keywords: NOCSH 
-ms.collection: 
+f1.keywords: NOCSH
+ms.collection:
 - m365-security
 - tier1
 - essentials-get-started
@@ -27,7 +27,6 @@ Microsoft Defender Vulnerability Management is available as a standalone and as
 > - US Government customers using GCC High, and DoD
 > - Microsoft Defender for Business customers
 
-
 - If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone)
 - If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on Trial](#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers)
 
@@ -36,11 +35,11 @@ Microsoft Defender Vulnerability Management is available as a standalone and as
 
 ## Required roles for starting the trial
 
-2. As a Global Administrator, you can start the trial or you can allow to users start the trial on behalf of your organization by enabling this option:
+As a Global Administrator, you can start the trial or you can allow to users start the trial on behalf of your organization by enabling this option:
 
-    1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > **User owned apps and services**
-    2. Check **Let users start trials on behalf of your organization**
-    3. Select **Save**
+1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > **User owned apps and services**
+2. Check **Let users start trials on behalf of your organization**
+3. Select **Save**
 
 :::image type="content" source="/defender/media/defender-vulnerability-management/mdvm-user-starttrial.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management user trial setting.":::
 

defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md

@@ -27,7 +27,6 @@ This user guide is a simple tool to help you setup and make the most of your fre
 > - US Government customers using GCC High, and DoD
 > - Microsoft Defender for Business customers
 
-
 ## What is Microsoft Defender Vulnerability Management?
 
 Reducing cyber risk requires a comprehensive risk-based vulnerability management program to identify, assess, remediate, and track important vulnerabilities across your most critical assets.
@@ -45,7 +44,7 @@ Watch the following video to learn more about Defender Vulnerability Management:
 ### Step 1: Set-up
 
 > [!NOTE]
-> Users need to have the global admin role defined in Microsoft Entra ID to onboard the trial. For more information, see [Required roles for starting the trial](get-defender-vulnerability-management.md#required-roles-for-starting-the-trial).
+> Users need to have the Global Administrator role assigned in Microsoft Entra ID to onboard the trial. For more information, see [Required roles for starting the trial](get-defender-vulnerability-management.md#required-roles-for-starting-the-trial).
 
 1. Check [permissions and pre-requisites.](tvm-prerequisites.md)
 2. The Microsoft Defender Vulnerability Management trial can be accessed in several ways:
@@ -59,8 +58,8 @@ Watch the following video to learn more about Defender Vulnerability Management:
 
     - Sign up through the [Microsoft Admin Center](https://admin.microsoft.com/#/catalog) (global admins only).
 
-> [!NOTE]
-> For more options on how to sign up to the trial, see [Sign up for Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md).
+   > [!NOTE]
+   > For more options on how to sign up to the trial, see [Sign up for Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md).
 
 3. Review the information about what's included in the trial, then select **Begin trial**. Once you activate the trial it can take up to 6 hours for the new features to become available in the portal.
 
@@ -98,7 +97,7 @@ Built-in and agentless scanners continuously monitor and detect risk even when d
 
     You can also use the [set device value API](/defender-endpoint/api/set-device-value).
 
-###  Step 2: Track and mitigate remediation activities
+### Step 2: Track and mitigate remediation activities
 
 1. [**Request remediation**](tvm-remediation.md#request-remediation) - vulnerability management capabilities bridge the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Recommendation** pages to [Intune](/mem/intune/).
 2. [**View your remediation activities**](tvm-remediation.md#view-your-remediation-activities) - when you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked on a **Remediation** page, and a remediation ticket is created in Microsoft Intune.
@@ -109,15 +108,15 @@ Built-in and agentless scanners continuously monitor and detect risk even when d
     - [View blocked applications](tvm-block-vuln-apps.md#view-blocked-applications)
     - [Unblock applications](tvm-block-vuln-apps.md#unblock-applications)
 
-> [!NOTE]
-> When the trial ends blocked applications will be immediately unblocked whereas baseline profiles may be stored for a short additional time before being deleted.
+   > [!NOTE]
+   > When the trial ends blocked applications will be immediately unblocked whereas baseline profiles may be stored for a short additional time before being deleted.
 
 4. Use enhanced assessment capabilities such as [Network shares analysis](tvm-network-share-assessment.md) to protect vulnerable network shares. As network shares can be easily accessed by network users, small common weaknesses can make them vulnerable. These types of misconfigurations are commonly used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more. That's why we built a new category of configuration assessments in Defender Vulnerability Management that identify the common weaknesses that expose your endpoints to attack vectors in Windows network shares. This helps you:
     - Disallow offline access to shares
     - Remove shares from the root folder
     - Remove share write permission set to 'Everyone'
     - Set folder enumeration for shares
- 
+
 5. View and monitor your organization's devices using a [**Vulnerable devices report**](tvm-vulnerable-devices-report.md) that shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
 
 ### Step 3: Set up security baseline assessments

defender-vulnerability-management/tvm-block-vuln-apps.md

@@ -56,11 +56,15 @@ For both actions, you can customize the message the users see. For example, you
 - The Antimalware client version must be 4.18.1901.x or later.
 - The Engine version must be 1.1.16200.x or later.
 - Supported on Windows 10 devices, version 1809 or later, with the latest windows updates installed.
+- Supports Windows Server versions 2022, 2019, 2016, 2012 R2, and 2008 R2 SP1.
 
 ## Permissions
 
 - If you use [Role-based access control (RBAC)](/defender-endpoint/rbac), then you need to have the **Threat and vulnerability management - Application handling** permission assigned.
-- If you haven't turned on RBAC, you must have one of the following Microsoft Entra roles assigned: **security admin** or **global admin**. To learn more about permissions, go to [Basic permissions](/defender-endpoint/basic-permissions).
+- If you haven't turned on RBAC, you must have one of the following Microsoft Entra roles assigned: **Security Administrator** or **Global administrator**. To learn more about permissions, go to [Basic permissions](/defender-endpoint/basic-permissions).
+
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ## How to block vulnerable applications
 

defender-vulnerability-management/tvm-exception.md

@@ -73,7 +73,7 @@ A flyout appears where you can search and choose device groups you want included
 
 ### Global exceptions
 
-If you have global administrator permissions, you'll be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state changes from "active" to "full exception."
+If you have Global Administrator permissions, you'll be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state changes from "active" to "full exception."
 
 ![Showing global exception option.](/defender/media/defender-vulnerability-management/tvm-exception-global.png)
 
@@ -82,6 +82,9 @@ Some things to keep in mind:
 - If a recommendation is under global exception, then newly created exceptions for device groups is suspended until the global exception has expired or been canceled. After that point, the new device group exceptions will go into effect until they expire.
 - If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception is suspended until it expires or the global exception is canceled before it expires.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ### Justification
 
 Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.

defender-vulnerability-management/tvm-prerequisites.md

@@ -56,11 +56,14 @@ The same data security and privacy practices for Microsoft Defender for Endpoint
 
 To view the permissions options for vulnerability management:
 
-1. Log in to Microsoft Defender portal using account with a Security administrator or Global administrator role assigned.
+1. Log in to Microsoft Defender portal using account with a Security Administrator or Global Administrator role assigned.
 2. In the navigation pane, select **Settings > Endpoints > Roles**.
 
 For more information, see [Create and manage roles for role-based access control](/defender-endpoint/user-roles).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ### View data
 
 - **Security operations** - View all security operations data in the portal

defender-xdr/activate-defender-rbac.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom: 
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 06/27/2024
 ms.reviewer: 
 search.appverid: met150
 ---
@@ -30,7 +30,7 @@ search.appverid: met150
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 
-For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md) you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
+For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
 
 <a name='activate-microsoft-365-defender-unified-rbac'></a>
 
@@ -43,6 +43,7 @@ The following steps guide you on how to activate the Microsoft Defender XDR Unif
 
 > [!IMPORTANT]
 > You must be a Global Administrator or Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ### Activate from the Permissions and roles page
 
@@ -53,26 +54,23 @@ You can activate your workloads in two ways from the Permissions and roles page:
 :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
 
 1. **Activate workloads**
-    - Select **Activate workloads** on the banner above the list of roles.
-    - This will bring you directly to the **Activate workloads** screen.
-    - You must activate each workload one by one. Once you select the individual toggle, you'll activate (or deactivate) that workload.
+   - Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
+   - You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
 
-    :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png" alt-text="Screenshot of the choose workloads to activate screen" lightbox="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png":::
+   :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png" alt-text="Screenshot of the choose workloads to activate screen" lightbox="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png":::
 
-    > [!NOTE]
-    > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
-
-    > [!NOTE]
-    > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
-
-    > [!NOTE]
-    > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 
+   > [!NOTE]
+   > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
+   >
+   > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
+   > 
+   > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 
 
 2. **Workload settings**
     - Select **Workload settings**.
     - This brings you to the Microsoft Defender XDR **Permission and roles** page.
     - Select the toggle for the workload you want to activate.
-    - Select Activate on the confirmation message.
+    - Select **Activate** on the confirmation message.
 
 You have now successfully activated (or deactivated) that workload.
 
@@ -83,11 +81,16 @@ You have now successfully activated (or deactivated) that workload.
 Follow these steps to activate your workloads directly in Microsoft Defender XDR settings:
 
 1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
+
 2. In the navigation pane, select **Settings**.
+
 3. Select **Microsoft Defender XDR**.
+
 4. Select **Permissions and roles**. This brings you to the **Activate workloads** page.
+
 5. Select the toggle for the workload you want to activate.
-6. Select Activate on the confirmation message.
+
+6. Select **Activate** on the confirmation message.
 
 You have now successfully activated (or deactivated) that workload.
 
@@ -100,11 +103,12 @@ You have now successfully activated (or deactivated) that workload.
 
 You can deactivate Microsoft Defender XDR Unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).
 
-To Deactivate the workloads, repeat the steps above and select the workloads you want to deactivate. The status will be set to **Not Active**.
+To Deactivate the workloads, repeat the steps above and select the workloads you want to deactivate. The status is set to **Not Active**.
 
-If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC won't be effective and you'll return to using the previous permissions model. This will remove any access that users assigned these roles have.
+If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC are no longer in effect, and the previous permissions model is used instead.
 
 ## Next steps
 
 - [Edit or delete roles](edit-delete-rbac-roles.md)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]