Merge pull request #3015 from MicrosoftDocs/main

publish main to live, 3:30 pm,  3/4/25

Author: rjagiewich

defender-endpoint/TOC.yml

@@ -232,6 +232,8 @@
             href: mac-resources.md
           - name: Troubleshoot Microsoft Defender for Endpoint on macOS
             items:
+            - name: Troubleshoot agent health issues
+              href: mac-health-status.md
             - name: Troubleshooting mode on macOS
               href: mac-troubleshoot-mode.md
             - name: Troubleshoot macOS installation issues

defender-endpoint/api/get-assessment-browser-extensions.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 01/22/2025
+ms.date: 03/04/2025
 ---
 
 # Export browser extensions assessment per device
@@ -24,14 +24,9 @@ ms.date: 01/22/2025
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](../microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](../microsoft-defender-endpoint.md)
-- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management)
-- [Microsoft Defender XDR](/defender-xdr)
-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us).
-
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](/defender-vulnerability-management/get-defender-vulnerability-management).
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management-capabilities#vulnerability-management-capabilities-for-endpoints) (add-on for Defender for Endpoint Plan 2 or the standalone version)
+- [Microsoft Defender for Cloud Plan 2](/azure/defender-for-cloud/defender-for-cloud-introduction)
 
 Returns all known installed browser extensions and their details for all devices, on a per-device basis.
 

defender-endpoint/api/get-live-response-result.md

@@ -69,6 +69,8 @@ Before you can initiate a session on a device, make sure you fulfill the followi
 
   - **Windows Server 2022**  
 
+  - **Windows Server 2025**
+
 ## Permissions
 
 One of the following permissions is required to call this API. To learn more,

defender-endpoint/api/initiate-autoir-investigation.md

@@ -49,12 +49,13 @@ Your organization must have Defender for Endpoint (see [Minimum requirements for
 
 Currently, AIR only supports the following OS versions:
 
-- Windows Server 2019
-- Windows Server 2022
-- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
-- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
-- Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
 - Windows 11
+- Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
+- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
+- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
 
 ## Permissions
 

defender-endpoint/api/run-live-response.md

@@ -85,11 +85,15 @@ Before you can initiate a session on a device, make sure you fulfill the followi
     - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
 
   - **Windows Server 2022**
+
+- **Windows Server 2025**
+
   - **macOS** [(requires other configuration profiles)](../microsoft-defender-endpoint-mac.md)
       - 13 (Ventura)
       - 12 (Monterey)
       - 11 (Big Sur)
-  - **Linux**
+
+  - **Linux Server**
       - [Supported Linux server distributions and kernel versions](../microsoft-defender-endpoint-linux.md)
 
 ## Permissions

defender-endpoint/mac-health-status.md

@@ -0,0 +1,94 @@
+---
+title: Troubleshoot agent health issues with Defender for Endpoint on Mac
+description: Investigate macOS Defender agent health issues
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: lianx; joshbregman
+manager: deniseb
+ms.localizationpriority: medium
+audience: ITPro
+ms.service: defender-endpoint
+ms.subservice: macos
+ms.topic: troubleshooting-general
+ms.date: 03/04/2025
+ms.collection: 
+- m365-security
+- tier3
+- mde-macos
+search.appverid: met150
+---
+
+# Troubleshoot agent health issues
+
+## Defender for Endpoint health status
+
+The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions.
+
+| Value | Description |
+|---|---|
+|`app_version` | Displays Microsoft Defender application version.|
+|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.|
+|`cloud_automatic_sample_submission_consent`|Current sample submission level. <br/><br/>Can have one of the following values: <br/>- **None**: No suspicious samples are submitted to Microsoft.<br/>- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.<br/>- **All**: All suspicious samples are submitted to Microsoft.|
+|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`. <br/><br/>For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
+|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.|
+|`cloud_pin_certificate_thumbs`| pinned cloud certificate's thumbprints. |
+|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
+|`data_loss_prevention_status`|Status of data loss prevention. Can have one of the following values: <br/>- **unknown**<br/>- **unsupported_os**<br/>- **unsupported_os_version**<br/>- **disabled**<br/>- **unhealthy**<br/>- **dormant**<br/>- **ready**<br/>- **active**|
+|`definitions_status`|Status of antivirus definitions. Can have one of the following values: <br/>- **up_to_date**<br/>- **updating**<br/>- **unavailable**|
+|`definitions_updated`|Date and time of last antivirus definition update.|
+|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.|
+|`definitions_version`|Antivirus definition version.|
+|`edr_client_version`|Version of the EDR client running on the device.|
+|`device_control_enforcement_level`| Device control activation statue. |
+|`edr_configuration_version`|EDR configuration version.|
+|`edr_device_tags`|List of tags associated with the device.|
+|`edr_early_preview_enabled`|Setting of EDR early preview. Can have one of the following values: <br/>- **disabled** <br/>- **enabled**|
+|`edr_group_ids`|Group ID that the device is associated with.|
+|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.|
+|`engine_load_status`|Status of antivirus engine to determine whether it's running. <br/><br/>Can have one of the following values: <br/>- **Engine not loaded** - antivirus engine process is down<br/>- **Engine load succeeded** - antivirus engine process is up and running|
+|`engine_version`|Version of the antivirus engine.|
+|`healthy`|`True` if the product is healthy; otherwise, `false`.|
+|`health_issues`|Lists health issues if any.|
+|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.|
+|`log_level`|Current log level for the product. <br/><br/>Can have one of the following values: <br/>- **info** <br/>- **debug**|
+|`machine_guid`|Unique machine identifier used by the antivirus component.|
+|`network_protection_enforcement_level`|Mode of network protection. <br/><br/>Can have one of the following values: <br/>- **disabled** - all components associated with network protection are disabled<br/>- **block** - network protection prevents connection to malicious websites<br/>- **audit** - Check how blocks occur|
+|`network_protection_status`|Status of the network protection component (macOS only).<br/><br/> Can have one of the following values: <br/>- **starting** - Network protection is starting<br/>- **failed_to_start** - Network protection couldn't be started due to an error<br/>- **started** - Network protection is running on the device<br/>- **restarting** - Network protection is restarting<br/>- **stopping** - Network protection is stopping<br/>- **stopped** - Network protection isn't running|
+|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
+|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.|
+|`product_expiration`|Date and time when the current product version reaches end of support.|
+|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.|
+|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`. |
+|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.|
+|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).|
+|`tamper_protection`| Status of tamper protection feature. <br/><br/>Can have one of the following values: <br/>- **disabled** - tamper protection is off.<br/>- **audit** - tamper protection is on but doesn't block any event.<br/>- **block** - tamper protection is monitoring events and block them as needed. |
+|`troubleshooting_mode`| `True` if Defender for Endpoint is in troubleshooting mode; otherwise, `false`. see [Troubleshooting mode](mac-troubleshoot-mode.md).|
+
+## Component specific health
+
+You can get more detailed health information for different features in Defender for Endpoint by using the command, `mdatp health --details <feature>`. Here are some examples:
+
+```bash
+
+mdatp health --details permissions
+
+mdatp health --details system_extensions
+
+mdatp health --details edr
+
+mdatp health --details definitions
+
+mdatp health --details help
+
+```
+
+You can run `mdatp health --help` on recent versions to list all supported features.
+
+## See also
+
+- [What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md)
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
+
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+
+

defender-endpoint/respond-file-alerts.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 06/26/2024
+ms.date: 03/04/2025
 ---
 
 # Take response actions on a file
@@ -200,7 +200,8 @@ This feature doesn't work if sample submission is turned off. If automatic sampl
 > - Antivirus engine version is 1.1.17300.4 or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 > - Cloud–based protection is enabled. See [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
 > - Sample submission is turned on
-> - Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019, or Windows Server 2022, or Windows 11
+> - Client devices must be running Windows 11 or Windows 10, version 1703 or later
+> - Server devices must be running Windows Server 2025, Windows Server 2022, Windows Server 2019, or Windows Server 2016
 
 ### Collect files
 

defender-endpoint/respond-machine-alerts.md

@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 12/03/2024
+ms.date: 03/04/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -211,7 +211,7 @@ Depending on the severity of the attack and the sensitivity of the device, you m
 **Important points to keep in mind**: 
 
 - Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
-- Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
+- Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
 - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements). Ensure that the following prerequisites are enabled:
    - `iptables`
    - `ip6tables`

defender-endpoint/sandbox-mdav.md

@@ -44,8 +44,8 @@ Microsoft Defender Antivirus with its built-in antivirus capabilities can run wi
 Before you begin, you must meet the following requirements:
 
 - Microsoft Defender Antivirus (active mode)
-- Windows 11 or Windows 10 version 1703 or newer
-- Windows Server 2022 or Windows Server 2019 or Windows Server 2016 or newer
+- Windows client devices must be running Windows 11 or Windows 10 version 1703 or newer
+- Windows server devices must be running Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016
 
 ## Why run Microsoft Defender Antivirus in a sandbox?
 

defender-endpoint/switch-to-mde-phase-2.md

@@ -160,7 +160,7 @@ The specific exclusions to configure depend on which version of Windows your end
 | OS |Exclusions |
 |:--|:--|
 |[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe`|
-|[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |  On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](/defender-endpoint/configure-server-endpoints#functionality-in-the-modern-unified-solution), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
+|Windows Server 2025 <br/>[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |  On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](/defender-endpoint/configure-server-endpoints#functionality-in-the-modern-unified-solution), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
 |[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
 
 > [!IMPORTANT]