Merge pull request #1875 from MicrosoftDocs/main

Publish main to live, Tuesday 6:30PM PST, 11/12

Author: Stacyrch140

defender-endpoint/defender-endpoint-trial-user-guide.md

@@ -7,7 +7,7 @@ ms.author: deniseb
 manager: deniseb 
 audience: ITPro
 ms.topic: how-to
-ms.date: 09/10/2024
+ms.date: 11/11/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -117,6 +117,8 @@ After you have onboarded devices, [run a detection test](run-detection-test.md).
 
 The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is a central location where you can view onboarded devices, security recommendations, detected threats, alerts, and more. To get started, see [Microsoft Defender portal](/defender-xdr/microsoft-365-defender-portal).   
 
+> [!IMPORTANT]
+> If you decide not to renew your trial or purchase a subscription, make sure to offboard devices before your trial expires.
 
 ## See also
 

defender-endpoint/device-discovery-faq.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/23/2021
+ms.date: 11/12/2024
 ---
 
 # Device discovery frequently asked questions
@@ -65,11 +65,54 @@ The discovery engine distinguishes between network events that are received in t
 ## What protocols are you capturing and analyzing?
 
 By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols:
-ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD
+
+- ARP
+- CDP
+- DHCP
+- DHCPv6
+- IP (headers)
+- LLDP
+- LLMNR
+- mDNS
+- MNDP
+- MSSQL
+- NBNS
+- SSDP
+- TCP (SYN headers)
+- UDP (headers)
+- WSD
 
 ## Which protocols do you use for active probing in Standard discovery?
 When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP
+
+- AFP
+- ARP
+- DHCP
+- FTP
+- HTTP
+- HTTPS
+- ICMP
+- IphoneSync
+- IPP
+- LDAP
+- LLMNR
+- mDNS
+- NBNS
+- NBSS
+- PJL
+- RDP
+- RPC
+- SIP
+- SLP
+- SMB
+- SMTP
+- SNMP
+- SSH
+- Telnet
+- UPNP
+- VNC
+- WinRM
+- WSD
 
 In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage.
 
@@ -88,9 +131,10 @@ As device discovery uses passive methods to discover devices in the network, any
 
 Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up to date (typically, devices probed no more than once in a three-week period)
 
-## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do?
+## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it. What should I do?
 
 The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+
 `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
 
 ## What is the amount of traffic being generated by the Standard discovery active probe?
@@ -101,13 +145,13 @@ Active probing can generate up to 50Kb of traffic between the onboarded device a
 
 You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
 
- The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
+The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
 
 ## Can I onboard unmanaged devices that were found?
 
 Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
 
-## I've noticed that unmanaged device health state is always "Active", why is that?
+## I've noticed that unmanaged device health state is always "Active". Why is that?
 
 Temporarily, unmanaged device health state is "Active" during the standard retention period of the device inventory, regardless of their actual state.
 
@@ -138,4 +182,5 @@ The device discovery capabilities have been built to only discover and identify
 ### You can exclude network lures from active probing
 
 Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensure that those devices won't be actively probed and won't be alerted. Those devices are discovered using passive methods only (similar to Basic discovery mode).
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]