MicrosoftDocs
diff --git a/‎defender-endpoint/configure-endpoints-vdi.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/configure-endpoints-vdi.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/linux-preferences.md‎
Lines changed: 17 additions & 2 deletions b/‎defender-endpoint/linux-preferences.md‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎defender-endpoint/network-devices.md‎
Lines changed: 30 additions & 28 deletions b/‎defender-endpoint/network-devices.md‎
Lines changed: 30 additions & 28 deletions
@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
-ms.date: 03/04/2025
+ms.date: 03/11/2025
 ms.subservice: onboard
 ---
 
@@ -55,8 +55,8 @@ Defender for Endpoint supports non-persistent VDI session onboarding. There migh
 - In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft Defender portal as either single entries for each VDI instance or multiple entries for each device. 
 
    - Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal. In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
-
    - Multiple entries for each device - one for each VDI instance.
+   - For all VDI machines, when they onboard for the first time, there's a client delay of approximately 3-4 hours.
 
 > [!IMPORTANT]
 > If you're deploying non-persistent VDIs through cloning technology, make sure that your internal template VMs are not onboarded to Defender for Endpoint. This recommendation is to avoid cloned VMs from being onboarded with the same senseGuid as your template VMs, which could prevent VMs from showing up as new entries in the Devices list. 
 
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 03/05/2025
+ms.date: 03/11/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -662,6 +662,20 @@ Determines whether module load events (file open events on shared libraries) are
 |**Possible values**|disabled (default) <p> enabled|*n/a*|
 |**Comments**|Available in Defender for Endpoint version `101.68.80` or later.||
 
+#### Remediate Infected File feature
+
+Determines whether infected processes that open or load any infected file will get remediated or not.
+
+> [!NOTE]
+> When enabled the processes that open or load any infected file will be remediated in RTP mode. These processes will not appear in the threat list as these are not malicious but are only being terminated because they were loading the threat file in memory. 
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|remediateInfectedFile|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default) <p> enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24122.0001` or later.||
+
 #### Supplementary sensor configurations
 
 The following settings can be used to configure certain advanced supplementary sensor features.
@@ -963,7 +977,8 @@ The following configuration profile contains entries for all settings described
         "sendLowfiEvents":"disabled"
       },
       "ebpfSupplementaryEventProvider":"enabled",
-      "offlineDefinitionUpdateVerifySig": "disabled"
+      "offlineDefinitionUpdateVerifySig": "disabled",
+      "remediateInfectedFile": "enabled"
    },
    "networkProtection":{
       "enforcementLevel":"disabled",
 
@@ -14,7 +14,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 01/02/2025
+ms.date: 03/11/2025
 ---
 
 # Network device discovery and vulnerability management
@@ -23,15 +23,14 @@ ms.date: 01/02/2025
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md)
 - [Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender XDR](/defender-xdr)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 > [!NOTE]
-> The [Network device discovery and vulnerability assessments](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548) Blog \(published 04-13-2021\) provides insights into the new **Network device discovery** capabilities in Defender for Endpoint. This article provides an overview of the challenge that **Network device discovery** is designed to address, and detailed information about how get started using these new capabilities.
+> The [Tech Community Blog: Network device discovery and vulnerability assessments](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548) (published 04-13-2021) provides insights into the new **Network device discovery** capabilities in Defender for Endpoint. This article provides an overview of the challenge that **Network device discovery** is designed to address, and detailed information about how to get started using these new capabilities.
 
 Network discovery capabilities are available in the **Device inventory** section of the [Microsoft Defender portal](https://security.microsoft.com) and Microsoft Defender XDR consoles.
 
@@ -43,6 +42,9 @@ Once the network devices are discovered and classified, security administrators
 
 Network devices aren't managed as standard endpoints since Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan obtains the necessary information from the devices. Depending on the network topology and characteristics, a single device or a few devices onboarded to Microsoft Defender for Endpoint performs authenticated scans of network devices using SNMP (read-only).
 
+> [!NOTE]
+> Authenticated scans support `SNMPv2` and `SNMPv3`.
+
 There are two types of devices to keep in mind:
 
 - **Scanning device**: A device that's already onboarded that you use to scan the network devices.
@@ -85,9 +87,9 @@ Your first step is to select a device that performs the authenticated network sc
 
 8. To allow the scanner to be authenticated and work properly, it's essential that you add the following domains/URLs:
 
-    - \*.security.microsoft.com
-    - login.microsoftonline.com
-    - \*.blob.core.windows.net/networkscannerstable/\*
+    - `*.security.microsoft.com`
+    - `login.microsoftonline.com`
+    - `*.blob.core.windows.net/networkscannerstable/*`
 
     > [!NOTE]
     > Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection.
@@ -96,7 +98,7 @@ Your first step is to select a device that performs the authenticated network sc
 
 To configure scan jobs, the following user permission option is required: **Manage security settings in Defender**. You can find the permission by going to **Settings** \> **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
 
-## Windows version pre-requisite for the scanner
+## Windows version prerequisite for the scanner
 
 The scanner is supported on Windows 10, version 1903 and Windows Server, version 1903 and later. For more information, see [Windows 10, version 1903 and Windows Server, version 1903](https://support.microsoft.com/topic/windows-10-update-history-e6058e7c-4116-38f1-b984-4fcacfba5e5d).
 
@@ -109,7 +111,7 @@ The scanner is supported on Windows 10, version 1903 and Windows Server, version
 
 2. Download the scanner and install it on the designated Defender for Endpoint scanning device.
 
-     :::image type="content" source="/defender/media/defender-endpoint/network-authenticated-scan-new.png" alt-text="Screenshot of the add new authenticated scan screen" lightbox="/defender/media/defender-endpoint/network-authenticated-scan-new.png":::
+   :::image type="content" source="/defender/media/defender-endpoint/network-authenticated-scan-new.png" alt-text="Screenshot of the add new authenticated scan screen." lightbox="/defender/media/defender-endpoint/network-authenticated-scan-new.png":::
 
 ## Scanner installation & registration
 
@@ -122,8 +124,8 @@ To complete the scanner registration process:
 
 1. Copy and follow the URL that appears on the command line and use the provided installation code to complete the registration process.
 
-    > [!NOTE]
-    > You may need to change Command Prompt settings to be able to copy the URL.
+   > [!NOTE]
+   > You may need to change Command Prompt settings to be able to copy the URL.
 
 2. Enter the code and sign in using a Microsoft account that has the Defender for Endpoint permission called "Manage security settings in Defender."
 
@@ -141,7 +143,7 @@ If there's a difference between the two versions, the update process determines
 
 2. Select **Add new scan** and choose **Network device authenticated scan** and select **Next**.
 
-     :::image type="content" source="/defender/media/defender-endpoint/network-authenticated-scan.png" alt-text="Screenshot of the add new network device authenticated scan screen" lightbox="/defender/media/defender-endpoint/network-authenticated-scan.png":::
+   :::image type="content" source="/defender/media/defender-endpoint/network-authenticated-scan.png" alt-text="Screenshot of the add new network device authenticated scan screen." lightbox="/defender/media/defender-endpoint/network-authenticated-scan.png":::
 
 3. Choose whether to **Activate scan**.
 
@@ -151,17 +153,17 @@ If there's a difference between the two versions, the update process determines
 
 6. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file overrides any manually added addresses.
 
-7. Select the **Scan interval:** By default, the scan runs every four hours, you can change the scan interval or have it only run once, by selecting **Don't repeat**.
+7. Select the **Scan interval:** By default, the scan runs every four hours. You can change the scan interval or have it only run once, by selecting **Don't repeat**.
 
 8. Choose your **Authentication method**.
 
    You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. The secret value is dependent on the Authenticated Method you choose, as described in the following table:
 
    |Authentication Method|Azure KeyVault secret value|
    |:----|:----:|
-   |AuthPriv|Username;AuthPassword;PrivPassword|
-   |AuthNoPriv|Username;AuthPassword|
-   |CommunityString |CommunityString|
+   |`AuthPriv`|Username;AuthPassword;PrivPassword|
+   |`AuthNoPriv`|Username;AuthPassword|
+   |`CommunityString` |CommunityString|
 
 9. Select **Next** to run or skip the test scan.
 
@@ -172,38 +174,38 @@ If there's a difference between the two versions, the update process determines
 
 ### Scan and add network devices
 
-During the set-up process, you can perform a one time test scan to verify that:
+During the setup process, you can perform a one time test scan to verify that:
 
 - There's connectivity between the Defender for Endpoint scanning device and the configured target network devices.
 - The configured SNMP credentials are correct.
 
-Each scanning device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you'll be able to scan 1,400 IP additional addresses from other subnets on the same scanning device.
+Each scanning device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you can scan 1,400 IP more addresses from other subnets on the same scanning device.
 
 If there are multiple IP address ranges/subnets to scan, the test scan results take several minutes to show up. A test scan is available for up to 1,024 addresses.
 
-Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses are added to the network device authenticated scan (regardless of the device's response). The scan results can also be exported.
+Once the results show up, you can choose which devices to include in the periodic scan. If you skip viewing the scan results, all configured IP addresses are added to the network device authenticated scan (regardless of the device's response). The scan results can also be exported.
 
 ## Device inventory
 
-Newly discovered devices are shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding a scanning job until the devices are updated.
+Newly discovered devices are shown under the new **Network devices** tab in the **Device inventory** page. It might take up to two hours after adding a scanning job until the devices are updated.
 
-:::image type="content" source="/defender/media/defender-endpoint/network-devices-inventory.png" alt-text="Screenshot of the network device tab in the device inventory" lightbox="/defender/media/defender-endpoint/network-devices-inventory.png":::
+:::image type="content" source="/defender/media/defender-endpoint/network-devices-inventory.png" alt-text="Screenshot of the network device tab in the device inventory." lightbox="/defender/media/defender-endpoint/network-devices-inventory.png":::
 
 ## Troubleshooting
 
-### Scanner installation has failed
+### Scanner installation failed
 
 Verify that the required URLs are added to the allowed domains in your firewall settings. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
 
-### The Microsoft.com/devicelogin web page did not show up
+### The Microsoft.com/devicelogin web page didn't show up
 
 Verify that the required URLs are added to the allowed domains in your firewall. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
 
-### Network devices are not shown in the device inventory after several hours
+### Network devices aren't shown in the device inventory after several hours
 
 The scan results should be updated a few hours after the initial scan that took place after completing the network device authenticated scan configuration.
 
-If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your devices being scanned, on which you installed the scanner, and perform a "Run scan" in the relevant network device authenticated scan configuration.
+If devices are still not shown, verify that the service `MdatpNetworkScanService` is running on your devices being scanned, on which you installed the scanner, and perform a "Run scan" in the relevant network device authenticated scan configuration.
 
 If you still don't get results after 5 minutes, restart the service.
 
@@ -215,9 +217,9 @@ Validate that the scanner is running properly. Then go to the scan definition an
 
 As the authenticated scanner currently uses an encryption algorithm that isn't compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.
 
-To allow algorithms that aren't compliant with FIPS, set the following value in the registry for the devices where the scanner will run:
+To allow algorithms that aren't compliant with FIPS, set the following value in the registry for the devices where the scanner runs:
 
-Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy with a DWORD value named **Enabled** and value of **0x0**
+Computer`\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy` with a DWORD value named `Enabled` and value of `0x0`.
 
 FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.
 
@@ -242,4 +244,4 @@ Change command-line settings on your device to allow copying and change text siz
 - [Device inventory](machines-view-overview.md)
 - [Windows authenticated scan](/defender-vulnerability-management/windows-authenticated-scan)
 
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]