mange incident settings - Yotam

mberdugo · mberdugo · commit 73f0e40e1c4c · 2025-11-03T18:35:14.000+02:00
diff --git a/defender-endpoint/ios-whatsnew.md b/defender-endpoint/ios-whatsnew.md
@@ -33,7 +33,7 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 | Build| 1.1.70230101|
 | -------- | -------- |
-| Release Date   |October 30, 2025|
+| Release Date   |October 28, 2025|
 
 **What's New**
 
diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: linux
 search.appverid: met150
-ms.date: 08/11/2025
+ms.date: 11/03/2025
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -492,27 +492,7 @@ Download the onboarding package from the [Microsoft Defender portal](https://sec
       
 ## Defender for Endpoint package external package dependencies
 
-The following external package dependencies exist for the `mdatp` package:
-
-- The mdatp RPM package requires `glibc >= 2.17`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`
-- For Mariner the mdatp package requires `attr`,  `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`
-
-> [!NOTE]
-> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
-> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following other dependencies on the auditd package exist for mdatp:
-> - The mdatp RPM package requires `audit`, `semanage`.
-> - For DEBIAN, the mdatp package requires `auditd`.
-> - For Mariner, the mdatp package requires `audit`.
-> For version older than `101.25032.0000`:
-> - RPM package needs: `mde-netfilter`, `pcre`
-> - DEBIAN package needs: `mde-netfilter`, `libpcre3`
-> - The `mde-netfilter` package also has the following package dependencies:
-    - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`
-    - For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
-> Beginning with version `101.25042.0003`, uuid-runtime is no longer required as an external-dependency.
-
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies.
+For information, see [Prerequisites for Microsoft Defender for Endpoint on Linux: External package dependency](./mde-linux-prerequisites.md#external-package-dependency).
 
 ## Troubleshoot installation issues
 
diff --git a/defender-endpoint/onboard-downlevel.md b/defender-endpoint/onboard-downlevel.md
@@ -91,9 +91,9 @@ Review the following details to verify minimum system requirements:
    > Due to the [deprecation of SHA-1 support by the MMA agent](/azure/azure-monitor/agents/agent-windows#sha-2-code-signing-support-requirement), the MMA agent needs to be version 10.20.18029 or newer.
 
 2. Obtain the workspace ID:
-   - In the Defender for Endpoint navigation pane, select **Settings > Device management > Onboarding**
-   - Select the operating system
-   - Copy the workspace ID and workspace key
+   - In the Defender for Endpoint navigation pane, select **Settings > Device management > Onboarding**.
+   - Select the operating system.
+   - Copy the workspace ID and workspace key.
 
 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
     - [Manually install the agent using setup](/previous-versions/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard#install-the-agent).
@@ -145,10 +145,10 @@ After completing the onboarding steps, you'll need to [Configure and update Syst
 Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.
 
 > [!NOTE]
-> Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.
+> Running Microsoft Defender Antivirus isn't required but it's recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.
 
 > [!NOTE]
-> As Microsoft Defender Antivirus is only supported for Windows 10 and Windows 11, step 1 does not apply when running Windows Server 2008 R2 SP1.
+> As Microsoft Defender Antivirus is only supported for Windows 10 and Windows 11, step 1 doesn't apply when running Windows Server 2008 R2 SP1.
 
 1. Run the following command to verify that Microsoft Defender Antivirus is installed:
 
@@ -181,16 +181,16 @@ Follow the steps in [Run a detection test on a newly onboarded device](run-detec
 
     For Windows Server 2008 R2 SP1, following updates are also required:
 
-    February 2018 Monthly Roll up - KB4074598 (Windows Server 2008 R2)
+    - February 2018 Monthly Roll up - KB4074598 (Windows Server 2008 R2)
 
-    [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4074598)<br>
-    Download updates for Windows Server 2008 R2 x64
+    - [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4074598)<br>
+    - Download updates for Windows Server 2008 R2 x64
 
-    .NET Framework 3.5.1 (KB315418)<br>
-    [For Windows Server 2008 R2 x64](/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2)
+    - .NET Framework 3.5.1 (KB315418)<br>
+    - [For Windows Server 2008 R2 x64](/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2)
 
     > [!NOTE]
-    > This article assumes you are using x64-based servers (MMA Agent .exe x64 New SHA-2 compliant version).
+    > This article assumes you're using x64-based servers (MMA Agent .exe x64 New SHA-2 compliant version).
 
 **Step 2: Create a file name DeployMMA.cmd (using notepad)**
 Add the following lines to the cmd file. Note that you'll need your WORKSPACE ID and KEY.
@@ -223,22 +223,22 @@ Create a new group policy specifically for onboarding devices such as "Microsoft
 
 - Create a Group Policy Folder named "c:\windows\MMA"
 
-     :::image type="content" source="media/grppolicyconfig1.png" alt-text="The folders location" lightbox="media/grppolicyconfig1.png":::
+     :::image type="content" source="media/grppolicyconfig1.png" alt-text="Screenshot of the folders location." lightbox="media/grppolicyconfig1.png":::
 
     **This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script.**
 
 - Create a Group Policy Files preference for each of the files stored in Net logon.
 
-     :::image type="content" source="media/grppolicyconfig2.png" alt-text="The group policy - 1" lightbox="media/grppolicyconfig2.png":::
+     :::image type="content" source="media/grppolicyconfig2.png" alt-text="Screenshot of the group policy - 1." lightbox="media/grppolicyconfig2.png":::
 
 It copies the files from DOMAIN\NETLOGON\MMA\filename to
 C:\windows\MMA\filename - **so the installation files are local to the server**:
 
-:::image type="content" source="media/deploymma.png" alt-text="The deploy mma cmd properties" lightbox="media/deploymma.png":::
+:::image type="content" source="media/deploymma.png" alt-text="Screenshot of the deploy mma cmd properties." lightbox="media/deploymma.png":::
 
 Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope:
 
-:::image type="content" source="media/targeteditor.png" alt-text="The target editor" lightbox="media/targeteditor.png":::
+:::image type="content" source="media/targeteditor.png" alt-text="Screenshot of the target editor." lightbox="media/targeteditor.png":::
 
 For Windows Server 2008 R2 you'll need (and it will only copy down) the following:
 
@@ -248,9 +248,9 @@ For Windows Server 2008 R2 you'll need (and it will only copy down) the followin
 
 Once this is done, you'll need to create a start-up script policy:
 
-:::image type="content" source="media/startupprops.png" alt-text="The start up properties" lightbox="media/startupprops.png":::
+:::image type="content" source="media/startupprops.png" alt-text="Screenshot of the start up properties." lightbox="media/startupprops.png":::
 
-The name of the file to run here is c:\windows\MMA\DeployMMA.cmd.
+The name of the file to run here's c:\windows\MMA\DeployMMA.cmd.
 Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded.
 
 You could also use an **immediate task** to run the deployMMA.cmd if you don't want to reboot all the servers.
@@ -259,21 +259,21 @@ This could be done in two phases. First create **the files and the folder in** G
 
 As the Script has an exit method and won't re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present.
 
-:::image type="content" source="media/schtask.png" alt-text="schedule task" lightbox="media/schtask.png":::
+:::image type="content" source="media/schtask.png" alt-text="Screenshot of the schedule task." lightbox="media/schtask.png":::
 
-:::image type="content" source="media/newtaskprops.png" alt-text="The new task properties" lightbox="media/newtaskprops.png":::
+:::image type="content" source="media/newtaskprops.png" alt-text="Screenshot of the new task properties." lightbox="media/newtaskprops.png":::
 
-:::image type="content" source="media/deploymmadowmload.png" alt-text="The deploy mma download properties" lightbox="media/deploymmadowmload.png":::
+:::image type="content" source="media/deploymmadowmload.png" alt-text="Screenshot of the deploy mma download properties." lightbox="media/deploymmadowmload.png":::
 
-:::image type="content" source="media/tasksch.png" alt-text="The task scheduler" lightbox="media/tasksch.png":::
+:::image type="content" source="media/tasksch.png" alt-text="Screenshot of the task scheduler." lightbox="media/tasksch.png":::
 
 As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below:
 For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
 
 - Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
 - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
 
-Please check the KBs are present before onboarding Windows Server 2008 R2. This process allows you to onboard all the servers if you don't have Configuration Manager managing Servers.
+Check the KBs are present before onboarding Windows Server 2008 R2. This process allows you to onboard all the servers if you don't have Configuration Manager managing Servers.
 
 ## Offboard endpoints
 
@@ -303,7 +303,7 @@ You can use either of the following methods:
 
 2. Select the Defender for Endpoint workspace, and click **Remove**.
 
-    :::image type="content" source="media/atp-mma.png" alt-text="The Workspaces pane" lightbox="media/atp-mma.png":::
+    :::image type="content" source="media/atp-mma.png" alt-text="Screenshot of the Workspaces pane." lightbox="media/atp-mma.png":::
 
 #### Run a PowerShell command to remove the configuration
 
diff --git a/defender-for-cloud-apps/network-requirements.md b/defender-for-cloud-apps/network-requirements.md
@@ -3,6 +3,8 @@ title: Network requirements
 description: This article describes the IP addresses and ports you need to open to work with Defender for Cloud Apps.
 ms.date: 04/06/2025
 ms.topic: reference
+author: AbbyMSFT
+ms.author: abbyweisberg
 ---
 
 # Network requirements
diff --git a/defender-for-identity/troubleshooting-known-issues.md b/defender-for-identity/troubleshooting-known-issues.md
@@ -291,7 +291,7 @@ The gMSA configured for this domain controller or AD FS / AD CS server doesn't h
 
 **Resolution:**
 
-Add the gMSA to the **Performance Monitor Users** group on the server.
+Add the gMSA to the **Performance Log Users** group on the server.
 
 ## Report downloads can't contain more than 300,000 entries
 
diff --git a/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md b/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md
@@ -40,6 +40,8 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom
 > [!TIP]
 > Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md).
 
+Unmanaged devices (devices not enrolled in management solutions like Intune or Azure AD) do count towards your Secure Score but are typically marked as non-compliant for several security checks. These devices may lower your score, especially if they fail critical security assessments such as anti-malware status, patch management, and encryption requirements. It's recommended to bring these devices under management to improve both security posture and Secure Score.
+
 ## How it works
 
 > [!NOTE]
diff --git a/defender-xdr/security-copilot-m365d-incident-summary.md b/defender-xdr/security-copilot-m365d-incident-summary.md
@@ -85,10 +85,10 @@ To summarize an incident:
 
 ### Manage Copilot incident summaries settings (preview)
 
-By default, Copilot generates a summary for each incident, but you can change this setting to display incident summaries only in specific instances. You can choose to have summaries generated:
+By default, Copilot generates a summary for each incident the user opens, but you can change this setting to display incident summaries only in specific instances. You can choose to have summaries generated:
 
-- Always
-- Based  on the severity level of the incident
+- Always (for every incident opened)
+- Based on the severity level of the incident
 - On demand only
 
 To change the settings for Copilot incident summaries in Microsoft Sentinel, follow these steps:
@@ -105,11 +105,11 @@ To change the settings for Copilot incident summaries in Microsoft Sentinel, fol
 
 1. Select **Save**.
 
-- When you select **Incident severity**, an estimate of the number of incidents of each severity level reviewed per day is displayed, along with the estimated SCU cost.
+- When you select **Incident severity**, an estimate of the number of incidents of each severity level reviewed per day is displayed, along with the estimated SCU consumption.
 
     :::image type="content" source="./media/security-copilot-m365d-incident-summary/incident-severity.png" alt-text="Screenshot that shows the approximate number of incidents of each severity level.":::
 
-- Copilot saves generated incident summaries for a week. If you select an incident whose summary is in the cache, the summary is automatically redisplayed at no cost regardless of the setting.
+- Copilot saves generated incident summaries for a week. If you select an incident whose summary is in the cache, and the incident hasn't changed significantly, the summary is automatically redisplayed at no cost regardless of the setting.
 - To generate a summary on demand for an incident that's not automatically generated, select the **Generate** button.
 
     :::image type="content" source="media/security-copilot-m365d-incident-summary/generate-summary.png" alt-text="Screenshot that shows the Generate summary button on the incident page.":::
