MicrosoftDocs
diff --git a/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/auto-investigation-action-center.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/auto-investigation-action-center.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/configure-device-discovery.md‎
Lines changed: 22 additions & 16 deletions b/‎defender-endpoint/configure-device-discovery.md‎
Lines changed: 22 additions & 16 deletions
diff --git a/‎defender-endpoint/configure-endpoints-gp.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/configure-endpoints-gp.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/configure-endpoints-sccm.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/configure-endpoints-sccm.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/configure-endpoints-script.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/configure-endpoints-script.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/configure-machines-asr.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/configure-machines-asr.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/configure-machines-onboarding.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/configure-machines-onboarding.md‎
Lines changed: 1 addition & 1 deletion
@@ -116,7 +116,7 @@ Whenever an attack surface reduction rule is triggered, a notification is displa
 
 Also, when certain attack surface reduction rules are triggered, alerts are generated.
 
-Notifications and any alerts that are generated can be viewed in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
+Notifications and any alerts that are generated can be viewed in the [Microsoft Defender portal](https://security.microsoft.com).
 
 For specific details about notification and alert functionality, see: [Per rule alert and notification details](attack-surface-reduction-rules-reference.md#per-asr-rule-alert-and-notification-details), in the article **Attack surface reduction rules reference**.
 
 
@@ -42,7 +42,7 @@ The following table compares the new, unified Action center to the previous Acti
 |---------|---------|
 |Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](/defender-office-365/mdo-about)|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only)   |
 |Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)         |Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)     |
-| In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, choose **Action center**. <p>:::image type="content" source="media/action-center-nav-new.png" alt-text="The navigation pane to the Action Center in the Microsoft Defender portal" lightbox="media/action-center-nav-new.png"::: | In the Microsoft Defender portal, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="media/action-center-nav-old.png" alt-text="An older version of the navigation pane to the Action Center in the Microsoft Defender portal" lightbox="media/action-center-nav-old.png":::  |
+| In the [Microsoft Defender portal](https://security.microsoft.com), choose **Action center**. <p>:::image type="content" source="media/action-center-nav-new.png" alt-text="The navigation pane to the Action Center in the Microsoft Defender portal" lightbox="media/action-center-nav-new.png"::: | In the Microsoft Defender portal, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="media/action-center-nav-old.png" alt-text="An older version of the navigation pane to the Action Center in the Microsoft Defender portal" lightbox="media/action-center-nav-old.png":::  |
 
 The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.
 
@@ -57,7 +57,7 @@ You can use the unified Action center if you have appropriate permissions and on
 
 To get to the unified Action center in the improved Microsoft Defender portal:
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> and sign in.
+1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.
 
 2. In the navigation pane, select **Action center**.
 
 
@@ -1,5 +1,5 @@
 ---
-title: Configure device discovery
+title: Configure device discovery in Defender for Endpoint
 description: Learn how to configure device discovery in Microsoft Defender XDR using basic or standard discovery
 ms.service: defender-endpoint
 ms.subservice: onboard
@@ -16,10 +16,10 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 06/19/2024
+ms.date: 02/24/2025
 ---
 
-# Configure device discovery
+# Configure device discovery in Defender for Endpoint
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
@@ -28,38 +28,39 @@ ms.date: 06/19/2024
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-Discovery can be configured to be on standard or basic mode. Use the standard option to actively find devices in your network, which will better guarantee the discovery of endpoints and provide richer device classification.
+Device discovery can be configured to be on standard or basic mode. Use the standard option to actively find devices in your network, which helps improve the discovery of endpoints and provide richer device classification.
 
-You can customize the list of devices that are used to perform standard discovery. You can either enable standard discovery on all the onboarded devices that also support this capability (currently - Windows 10 or later and Windows Server 2019 or later devices only) or select a subset or subsets of your devices by specifying their device tags.
+You can customize the list of devices that are used to perform standard discovery. You can either enable standard discovery on all the onboarded devices that also support this capability (currently for devices running Windows 10 and later, or Windows Server 2019 and later). Or, you can select a subset of devices by specifying their device tags.
 
 ## Set up device discovery
 
-To set up device discovery, take the following configuration steps in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+To set up device discovery, take the following configuration steps in the [Microsoft Defender portal](https://security.microsoft.com):
 
 Navigate to **Settings** > **Device discovery**
 
-1. If you want to configure Basic as the discovery mode to use on your onboarded devices, select **Basic** and then select **Save**
+1. If you want to configure Basic as the discovery mode to use on your onboarded devices, select **Basic** and then select **Save**.
+
 2. If you've selected to use Standard discovery, select which devices to use for active probing: all devices or on a subset by specifying their device tags, and then select **Save**
 
 > [!NOTE]
 > Standard discovery uses various PowerShell scripts to actively probe devices in the network. Those PowerShell scripts are Microsoft signed and are executed from the following location: `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps`. For example, `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\UnicastScannerV1.1.0.ps1`.
 
 ## Exclude devices from being actively probed in standard discovery
 
-If there are devices on your network that shouldn't be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode and can also be discovered through multicast discovery attempts. Those devices will be passively discovered but won't be actively probed.
+If there are devices on your network that shouldn't be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Devices can still be discovered using Basic discovery mode and can also be discovered through multicast discovery attempts. Those devices are passively discovered but won't be actively probed.
 
 You can configure the devices to exclude in the **Exclusions** page.
 
 ## Select networks to monitor
 
-Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a non-corporate network that can be ignored. To identify a network as corporate, we correlate network identifiers across all tenant's clients and if most devices in the organization report that they're connected to the same network name, with the same default gateway and DHCP server address, we assume that this is a corporate network. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
+Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a noncorporate network that can be ignored. To identify a network as corporate, we correlate network identifiers across all tenant's clients and if most devices in the organization report that they're connected to the same network name, with the same default gateway and DHCP server address, we assume that this is a corporate network. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor noncorporate networks where onboarded devices are found.
 
 You can configure where device discovery can be performed by specifying which networks to monitor. When a network is monitored, device discovery can be performed on it.
 
 A list of networks where device discovery can be performed is shown in the **Monitored networks** page.
 
 > [!NOTE]
-> The list shows networks that were identified as corporate networks. If less than 50 networks are identified as corporate networks, then list will show up to 50 networks with the most onboarded devices.
+> The list shows networks that were identified as corporate networks. If fewer than 50 networks are identified as corporate networks, then list shows up to 50 networks with the most onboarded devices.
 
 The list of monitored networks is sorted based upon the total number of devices seen on the network in the last seven days.
 
@@ -73,19 +74,23 @@ You can apply a filter to view any of the following network discovery states:
 
 You control where device discovery takes place. Monitored networks are where device discovery is performed and are typically corporate networks. You can also choose to ignore networks or select the initial discovery classification after modifying a state.
 
-Choosing the initial discovery classification means applying the default system-made network monitor state. Selecting the default system-made network monitor state means that networks that were identified to be corporate, are monitored, and ones identified as non-corporate, are ignored automatically.
+Choosing the initial discovery classification means to apply the default system-made network monitor state. Selecting the default system-made network monitor state means that networks that were identified to be corporate, are monitored, and ones identified as noncorporate, are ignored automatically.
 
 1. Select **Settings > Device discovery**.
+
 2. Select **Monitored networks**.
+
 3. View the list of networks.
+
 4. Select the three dots next to the network name.
+
 5. Choose whether you want to monitor, ignore, or use the initial discovery classification.
 
-    > [!WARNING]
-    >
-    > - Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
-    > - Choosing to ignore a network will stop monitoring and discovering devices in that network. Devices that were already discovered won't be removed from the inventory, but will no longer be updated, and details will be retained until the data retention period of the Defender for Endpoint expires.
-    > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so. <br>
+   > [!WARNING]
+   >
+   > - Choosing to monitor a network that wasn't identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and can, therefore, detect home or other noncorporate devices.
+   > - Choosing to ignore a network stops monitoring and discovering devices in that network. Devices that were already discovered won't be removed from the inventory, but are no longer updated, and details are retained until the data retention period of the Defender for Endpoint expires.
+   > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so. <br>
 
 6. Confirm that you want to make the change.
 
@@ -118,4 +123,5 @@ DeviceInfo
 
 - [Device discovery overview](device-discovery.md)
 - [Device discovery FAQs](device-discovery-faq.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
@@ -40,7 +40,7 @@ search.appverid: met150
 
 Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.
 
-1. Open the GP configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Open the GP configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
 
    1. In the navigation pane, select **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
 
@@ -183,7 +183,7 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 
-1. Get the offboarding package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
 
    1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
 
@@ -220,7 +220,7 @@ With Group Policy there isn't an option to monitor deployment of policies on the
 
 ## Monitor devices using the portal
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
+1. Go to the [Microsoft Defender portal](https://security.microsoft.com).
 
 2. Select **Devices inventory**.
 
 
@@ -234,7 +234,7 @@ If you use Microsoft Configuration Manager current branch, see [Create an offboa
 
 ### Offboard devices using System Center 2012 R2 Configuration Manager
 
-1. Get the offboarding package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
     1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \>  **Offboarding**.
     1. Select Windows 10 or Windows 11 as the operating system.
     1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
 
@@ -38,7 +38,7 @@ Check out [Identify Defender for Endpoint architecture and deployment method](de
 
 ## Onboard devices
 
-1. Open the configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Open the configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
 
    1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
 
@@ -103,7 +103,7 @@ For security reasons, the package used to offboard devices expires seven days af
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time. Otherwise, unpredictable collisions might occur.
 
-1. Get the offboarding package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
 
    1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
 
@@ -138,7 +138,7 @@ Monitoring can also be done directly on the portal, or by using the different de
 
 ### Monitor devices using the portal
 
-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
+1. Go to the [Microsoft Defender portal](https://security.microsoft.com).
 
 2. Select **Devices inventory**.
 
 
@@ -35,7 +35,7 @@ ms.date: 12/18/2023
 
 > *Attack surface management card*
 
-The *Attack surface management card* is an entry point to tools in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> that you can use to:
+The *Attack surface management card* is an entry point to tools in the [Microsoft Defender portal](https://security.microsoft.com) that you can use to:
 
 - Understand how ASR rules are currently deployed in your organization.
 - Review ASR detections and identify possible incorrect detections.
@@ -50,7 +50,7 @@ Select **Go to attack surface management** \> **Reports** \> **Attack surface re
 > [!NOTE]
 > To access Microsoft Defender portal, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Microsoft Entra ID. [Read about required licenses and permissions](/defender-xdr/prerequisites).
 
-For more information about ASR rule deployment in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, see [Optimize ASR rule deployment and detections](configure-machines-asr.md).
+For more information about ASR rule deployment in the [Microsoft Defender portal](https://security.microsoft.com), see [Optimize ASR rule deployment and detections](configure-machines-asr.md).
 
 ## Related topics
 
 
@@ -25,7 +25,7 @@ ms.date: 12/18/2023
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
 
 Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.