MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 41 additions & 24 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 41 additions & 24 deletions
diff --git a/‎defender-business/mdb-manage-devices.md‎
Lines changed: 33 additions & 27 deletions b/‎defender-business/mdb-manage-devices.md‎
Lines changed: 33 additions & 27 deletions
diff --git a/‎defender-business/media/m365-cc-sc-more-actions-icon.png‎
449 Bytes b/‎defender-business/media/m365-cc-sc-more-actions-icon.png‎
449 Bytes
diff --git a/‎defender-endpoint/api/exposed-apis-odata-samples.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/api/exposed-apis-odata-samples.md‎
Lines changed: 3 additions & 3 deletions
@@ -37,12 +37,6 @@ Direct Defender for Identity capabilities are supported on domain controllers on
 >
 > This issue is addressed in the out-of-band update [KB5037422](https://support.microsoft.com/en-gb/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3).
 
-### Defender for Endpoint onboarding
-
-Your domain controller must be onboarded to Microsoft Defender for Endpoint.
-
-For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
-
 ### Permissions requirements 
 
 To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
@@ -55,12 +49,6 @@ For more information, see:
 - [Unified role-based access control RBAC](../role-groups.md#unified-role-based-access-control-rbac)
 - [Create a role to access and manage roles and permissions](/microsoft-365/security/defender/create-custom-rbac-roles#create-a-role-to-access-and-manage-roles-and-permissions)
 
-### Connectivity requirements
-
-Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
-
-For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-
 ## Configure Windows auditing
 
 Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
@@ -78,42 +66,58 @@ For example, the following command defines all settings for the domain, creates
 Set-MDIConfiguration -Mode Domain -Configuration All
 ```
 
-## Activate Defender for Identity capabilities
+## Onboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
 
-After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
+### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-   The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
+    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
 
-1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
     :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Connectivity requirements
+
+Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
+
+For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+### Onboard Defender for Identity capabilities 
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**
+2. Select Download onboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
+   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
-1. Navigate to **System** > **Settings** > **Identities** > **Sensors**. 
+1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
-> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
 
 ## Test activated capabilities
 
-The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations show within five minutes.
-
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
@@ -163,7 +167,6 @@ IdentityQueryEvents
 
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
-
 ## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
@@ -214,17 +217,31 @@ Test remediation actions on a test user. For example:
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
-## Deactivate Defender for Identity capabilities on your domain controller
+## Offboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
+
+### Deactivate Defender for Identity capabilities on your domain controller 
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+1. Navigate to **Settings** > **Identities** > **Sensors**
 2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
     :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Offboard Defender for Identity capabilities on your domain controller 
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+
+1. Navigate to **Settings** > **Identities** > **Activation**
+2. Select Download offboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
 ## Next steps
 
 For more information, see [Manage and update Microsoft Defender for Identity sensors](../sensor-settings.md).
@@ -9,7 +9,7 @@ audience: Admin
 ms.topic: how-to
 ms.service: defender-business
 ms.localizationpriority: medium
-ms.date: 02/28/2025
+ms.date: 05/21/2025
 ms.reviewer: nehabha
 f1.keywords: NOCSH
 ms.collection:
@@ -33,54 +33,60 @@ In Defender for Business, you can manage devices as follows:
 
 :::image type="content" source="/defender/media/defender-business/mdb-device-inventory.png" alt-text="Screenshot of device inventory":::
 
-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Assets** \> **Devices**. Or, to go directly to the **Device inventory** page, use <https://security.microsoft.com/machines>.
+2. On the **Device inventory** page, you can see the list of devices and view some information about them.
+3. Select a device from the list to open the details flyout for the device, where you can learn more about the status of the device and take actions.
 
-2. In the navigation pane, go to **Assets** > **Devices**.
-
-3. Select a device to open its flyout panel, where you can learn more about its status and take action.
-
-   If you don't have any devices listed yet, [Onboard devices to Defender for Business](mdb-onboard-devices.md)
+If no devices are listed, see [Onboard devices to Defender for Business](mdb-onboard-devices.md)
 
 ## Take action on a device that has threat detections
 
 :::image type="content" source="/defender/media/defender-business/mdb-selected-device.png" alt-text="Screenshot of a selected device with details and actions available.":::
 
-1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Assets** \> **Devices**. Or, to go directly to the **Device inventory** page, use <https://security.microsoft.com/machines>.
+2. On the **Device inventory** page, select a device from the list.
+3. In the details flyout that opens, select :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**, and then select an available action (for example, **Run antivirus scan** or **Initiate Automated Investigation**).
+
+## View the state of Microsoft Defender Antivirus
 
-2. Select a device to open its flyout panel, and review the information that is displayed.
+Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. To view the state of Microsoft Defender Antivirus, you have several options:
 
-3. Select the ellipsis (**...**) to open the actions menu.
+- Use the [Device health report](mdb-reports.md#device-health-report).
+- Use one of the methods described in [How to confirm the state of Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-compatibility#how-to-confirm-the-state-of-microsoft-defender-antivirus).
 
-4. Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**.
+Microsoft Defender Antivirus has one of the following states on devices:
 
-## View the state of Microsoft Defender Antivirus
+- **Active mode** (*recommended*): Microsoft Defender Antivirus is the exclusive antivirus app on a device onboarded to Defender for Business. Files are scanned and threats are remediated. Detection information is reported in the Microsoft Defender portal and in the Windows Security app on Windows devices.
+
+  We recommend active mode so devices onboarded to Defender for Business get all of the following types of protection:
 
-Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. When devices are onboarded to Defender for Business, Microsoft Defender Antivirus can have one of the following states:
+  - **Real-time protection**: Locates and stops malware from running on devices.
+  - **Cloud protection**: Works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.
+  - **Network protection**: Helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.
+  - **Web content filtering**: Regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.
+  - **Protection from potentially unwanted applications**: For example:
+    - Advertising software.
+    - Bundled software that offers to install other, unsigned software.
+    - Evasion software that attempts to evade security features.
 
-- Active mode
-- Passive mode
-- Disabled (or uninstalled) mode
+- **Passive mode**: A non-Microsoft antivirus/antimalware product is installed on a device onboarded to Defender for Business. Microsoft Defender Antivirus can detect threats and can receive security intelligence and platform updates. But Microsoft Defender Antivirus doesn't remediate threats.
 
-To view the state of Microsoft Defender Antivirus, you can choose from several options, such as:
+   You can automatically switch to active mode by uninstalling the non-Microsoft antivirus/antimalware product.
 
-- Reports, like the [Device health report](mdb-reports.md#device-health-report); or
-- One of the methods described in [How to confirm the state of Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-compatibility#how-to-confirm-the-state-of-microsoft-defender-antivirus).
+- **Disabled mode**: Also known as *uninstalled mode*. A non-Microsoft antivirus/antimalware product is installed on a device that isn't onboarded to Defender for Business. Microsoft Defender Antivirus isn't currently running on the device; it might be automatically disabled or manually disabled. Microsoft Defender Antivirus can't detect or remediate threats on the device.
 
-The following table describes each state and what it means.
+  You can switch to active mode by doing the following steps:
 
-|Microsoft Defender Antivirus state|What it means|
-|---|---|
-|**Active mode** <br/>(*recommended*)|Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft Defender portal and in the Windows Security app on a device running Windows.<br/><br/>We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection:  <br/>- **Real-time protection**, which locates and stops malware from running on devices. <br/> - **Cloud protection**, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.<br/> - **Network protection**, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.<br/> - **Web content filtering**, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.<br/> - **Protection from potentially unwanted applications**, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features.|
-|**Passive mode**|A non-Microsoft antivirus/antimalware product is installed on the device, and even though the device has been onboarded to Defender for Business, Microsoft Defender Antivirus can detect threats but doesn't remediate them. Devices with Microsoft Defender Antivirus can still receive security intelligence and platform updates. <br/><br/>You can switch Microsoft Defender Antivirus to active mode automatically by uninstalling the non-Microsoft antivirus/antimalware product.|
-|**Disabled mode**|A non-Microsoft antivirus/antimalware product is installed on the device, and the device hasn't been onboarded to Defender for Business. Whether Microsoft Defender Antivirus went into disabled mode automatically or was set manually, it's not currently running on the device. In this case, Microsoft Defender Antivirus neither detects nor remediates threats on the device.<br/><br/>You can switch Microsoft Defender Antivirus to active mode by uninstalling the non-Microsoft antivirus/antimalware solution and onboarding the device to Defender for Business.|
+  1. Uninstall the non-Microsoft antivirus/antimalware solution.
+  2. Onboard the device to Defender for Business.
 
 ## Onboard a device
 
-See [Onboard devices to Defender for Business](mdb-onboard-devices.md).
+For more information, see [Onboard devices to Defender for Business](mdb-onboard-devices.md).
 
 ## Offboard a device
 
-See [Offboarding a device](mdb-offboard-devices.md).
+For more information, see [Offboarding a device](mdb-offboard-devices.md).
 
 ## Next steps
 
 
@@ -1,12 +1,12 @@
 ---
 title: OData queries with Microsoft Defender for Endpoint
-ms.reviewer: 
+ms.reviewer: yongrhee
 description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint.
 ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 03/21/2025
+ms.date: 05/20/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -44,7 +44,7 @@ Not all properties are filterable.
 ## Properties that support $filter
 
 - [Alert](alerts.md): `alertCreationTime`, `lastUpdateTime`, `incidentId`,`InvestigationId`, `status`, `severity`, and `category`.
-- [Machine](machine.md): `ComputerDnsName`, `LastSeen`, `HealthStatus`, `OsPlatform`, `onboardingStatus`, `RiskScore`, and `RbacGroupId`.
+- [Machine](machine.md): `ComputerDnsName`, `LastSeen`, `exposureLevel`, `HealthStatus`, `OsPlatform`, `onboardingStatus`, `RiskScore`, and `RbacGroupId`.
 - [MachineAction](machineaction.md): `Status`, `MachineId`, `Type`, `Requestor`, and `CreationDateTimeUtc`.
 - [Indicator](ti-indicator.md): `indicatorValue`, `indicatorType`, `creationTimeDateTimeUtc`, `createdBy`, `severity`, and `action`.