Commit 87f9072

Merge branch 'main' into diannegali-mdvmupdates
2 parents ba2a023 + 8e733fe commit 87f9072

29 files changed

+189
-148
lines changed

ATPDocs/deploy/activate-capabilities.md

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -88,12 +88,16 @@ Activate the Defender for Identity from the [Microsoft Defender portal](https://
8888

8989
The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers.
9090

91-
2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted.
91+
1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted.
92+
93+
:::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
9294

9395
> [!NOTE]
9496
> You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
9597
96-
3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
98+
1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
99+
100+
:::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
97101

98102
## Onboarding Confirmation
99103

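Review bot: The alt text on the image added at new line 100 has a typo, "how to seethe onboarded servers"; it should read "how to see the onboarded servers", since screen readers read the string exactly as written. The image sources `1.jpg` and `2.jpg` also say nothing about what they show; descriptive file names would make later screenshot updates less error-prone.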
@@ -104,7 +108,7 @@ To confirm the sensor has been onboarded:
104108
2. Check that the onboarded domain controller is listed.
105109

106110
> [!NOTE]
107-
> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
111+
> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
108112
109113
## Test activated capabilities
110114

@@ -126,7 +130,6 @@ In the Defender portal, select **Identities** > **Dashboard**, and review the de
126130

127131
For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
128132

129-
130133
### Confirm entity page details
131134

132135
Confirm that entities, such as domain controllers, users, and groups, are populated as expected.
@@ -139,7 +142,7 @@ In the Defender portal, check for the following details:
139142

140143
- **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
141144

142-
If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
145+
If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
143146

144147
For more information, see [Investigate assets](../investigate-assets.md).
145148

@@ -205,18 +208,20 @@ Test remediation actions on a test user. For example:
205208
206209
1. In the Defender portal, go to the user details page for a test user.
207210
208-
1. From the **Options** menu, select any of the available remediation actions.
211+
2. From the **Options** menu, select any of the available remediation actions.
209212
210-
1. Check Active Directory for the expected activity.
213+
3. Check Active Directory for the expected activity.
211214
212215
For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
213216
214217
## Deactivate Defender for Identity capabilities on your domain controller
215218
216219
If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
217220
218-
1. In the Defender portal, select **Settings > Identities > Sensors**.
219-
1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
221+
1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
222+
2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
223+
224+
:::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
220225
221226
Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
222227
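Review bot: List numbering and menu-path formatting in this hunk go against the rest of the file. The steps at new lines 211, 213 and 222 move from a repeated `1.` to explicit `2.` and `3.`, while the activation steps changed earlier in this commit move the other way, from `2.` and `3.` to a repeated `1.`. The path at new line 221 becomes `**Settings** > **Identities** > **Sensors**`, but the activation step at new line 98 still uses `**Settings > Identities > Sensors**`. Pick one convention for each and apply it to the whole file.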

defender-business/mdb-faq.yml

Lines changed: 38 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ sections:
5555
answer: |
5656
If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). This license is available as an add-on to Microsoft 365 Business Premium and the standalone version of Defender for Business. The Microsoft Defender for Business servers license is priced at $3 per server instance. You can either purchase a license for each onboarded server, or choose to offboard servers from Defender for Business.
5757
58-
If you have more than 60 servers, you'll need to get another license, such as [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers).
58+
If you have more than 60 servers, you'll need to get another license, such as Microsoft Defender for Endpoint Server or Microsoft Defender for Servers Plan 1 or Plan 2. For more information, see [Onboard servers to Microsoft Defender for Endpoint](/defender-endpoint/onboard-server).
5959
6060
- question: What is the difference between Microsoft Defender for Business servers and Microsoft Defender for Servers Plan 1 and Plan 2?
6161
answer: |
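Review bot: The rewritten sentence at new line 58 drops the link to `/azure/defender-for-cloud/plan-defender-for-servers`, so Defender for Servers Plan 1 or Plan 2 is now named without any reference and the only link left covers Defender for Endpoint server onboarding. Keep the Defender for Servers link next to the new one. The wording "Microsoft Defender for Endpoint Server or Microsoft Defender for Servers Plan 1 or Plan 2" is also hard to parse; listing the two options separately would remove the ambiguity.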
@@ -95,9 +95,13 @@ sections:
9595
9696
- question: How do I run custom reports with Defender for Business?
9797
answer: |
98-
Defender for Business uses the Defender for Endpoint APIs. You can use the APIs and a Power BI connector to set up custom reporting. As an example scenario, you could schedule a PowerShell script to generate executive summaries formatted in HTML, and send those summaries via email.
98+
Defender for Business uses the Defender for Endpoint APIs for all the capabilities that are available in Defender for Business. You can use the APIs with a reporting tool. As an example scenario, you can use a Power BI connector and schedule a PowerShell script to generate executive summaries formatted in HTML, and send those summaries via email.
9999
100-
For more information, see [API reference information](/defender-endpoint/api/exposed-apis-create-app-partners). Also see [Microsoft Defender for Business and Microsoft partner resources](mdb-partners.md).
100+
For more information, see the following resources:
101+
102+
- [Overview of management and APIs](/defender-endpoint/api/management-apis)
103+
- [API reference information](/defender-endpoint/api/exposed-apis-create-app-partners)
104+
- [Microsoft Defender for Business and Microsoft partner resources](mdb-partners.md)
101105
102106
- question: I'm a Microsoft partner. Will I be able to manage multiple tenants from one control panel, or will I have to sign in to each tenant individually?
103107
answer: |
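Review bot: In the rewritten answer at new line 98, the example now reads as if the Power BI connector and the scheduled PowerShell script are a single workflow, whereas the removed text presented the connector as one reporting option and the script as a separate example. Suggest splitting them again, for example "You can use the APIs with a reporting tool, such as a Power BI connector." followed by the PowerShell scenario. The added clause "for all the capabilities that are available in Defender for Business" is unclear; say plainly whether it means the APIs expose only the capabilities included in Defender for Business.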
@@ -128,19 +132,41 @@ sections:
128132
129133
- question: What are the differences between Defender for Business and Defender for Endpoint Plans 1 and 2?
130134
answer: |
131-
Both Defender for Business and Defender for Endpoint provide strong threat protection capabilities for your company's devices (computers, phones, and tablets, which are also referred to as endpoints). The following table summarizes some key differences between these plans.
135+
[Defender for Business](mdb-overview.md) is designed for small and medium-sized businesses who have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. Defender for Business also features [simplified configuration](mdb-setup-configuration.md) and [device onboarding options](mdb-onboard-devices.md) that streamline the overall setup and configuration process.
132136
133-
| Subscription | Description |
134-
|--|--|
135-
| Defender for Business | [Defender for Business](mdb-overview.md) is designed for small and medium-sized businesses who have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. <br/><br/>Defender for Business also features [simplified configuration](mdb-setup-configuration.md) and [device onboarding options](mdb-onboard-devices.md) that streamline the overall setup and configuration process. |
136-
| Defender for Endpoint | [Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. <br/><br/>Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities. <br/><br/>Defender for Endpoint Plan 2 extends Plan 1 capabilities with threat and vulnerability management, EDR, automated investigation & remediation, threat hunting, and six months of data retention. |
137+
[Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats.
137138
139+
- Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities.
140+
- Defender for Endpoint Plan 2 extends Plan 1 capabilities with core vulnerability management capabilities, EDR, automated investigation & remediation, threat hunting, and six months of data retention.
141+
142+
The following table summarizes some differences between Defender for Business and Defender for Endpoint:
143+
144+
| Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
145+
|---|---|---|---|
146+
| Centralized management | ✔ | ✔ | ✔ |
147+
| Simplified firewall and antivirus configuration for Windows | ✔ | | |
148+
| Vulnerability management (core capabilities) | ✔ | | ✔ |
149+
| Attack surface reduction | ✔ | ✔ | ✔ |
150+
| Next-generation protection | ✔ | ✔ | ✔ |
151+
| Endpoint detection & response (EDR) | ✔ <br/>(optimized) | | ✔ |
152+
| Automatic attack disruption | ✔ | | ✔ |
153+
| Automated investigation & remediation | ✔ | | ✔ |
154+
| Monthly security summary reporting | ✔ | | ✔ |
155+
| 30 days advanced hunting and six months of data retention in the device timeline | | | ✔ |
156+
| Threat analytics | ✔<br/>(optimized) | | ✔ |
157+
| Cross-platform support <br/>(Mac, iOS, Android)| ✔ | ✔ | ✔ |
158+
| Windows Server and Linux Server <br/>(requires server licenses) | ✔ | ✔ | ✔ |
159+
| Microsoft Threat Experts | | | ✔ |
160+
| Microsoft 365 Lighthouse <br/>(optimized; for CSPs only) | ✔ | | |
161+
| Microsoft Defender multi-tenant management | ✔ | ✔ | ✔ |
162+
| APIs | ✔ | ✔ | ✔ |
163+
138164
- question: Can I have a mix of Microsoft endpoint security subscriptions?
139165
answer: |
140-
In general, mixed-licensing scenarios aren't supported in Defender for Business or Microsoft 365 Business Premium.
141-
142-
If you're using the standalone version of Defender for Business, and you add Defender for Endpoint Plan 2 to your tenant, your experience defaults to the Defender for Business experience. However, if you have enough Defender for Endpoint Plan 2 for all users in your tenant, you can contact support and change your experience to the Defender for Endpoint Plan 2 experience. In this case, you're no longer using your Defender for Business licenses, and the simplified configuration experience in Defender for Business changes to advanced settings in Defender for Endpoint.
143-
166+
Microsoft Defender for Business does not support mixed licensing, so a tenant with Defender for Business (which is included in Microsoft 365 Business Premium) along with Defender for Endpoint Plan 2 (which is included in Microsoft 365 E5 Security) defaults to the Defender for Business experience.
167+
168+
For example, if you have 80 users licensed for Defender for Business (as part of a Microsoft 365 Business Premium subscription), and you add Microsoft 365 E5 Security for 30 of those users, the experience for all users defaults to Defender for Business. If you want to change that to the Defender for Endpoint Plan 2 experience, you should license all users for Defender for Endpoint Plan 2 (either through the standalone version of Defender for Endpoint Plan 2 or Microsoft 365 E5 Security), and then contact Microsoft Support to request the switch for your tenant.
169+
144170
For more information, see [Manage your subscription settings](mdb-manage-subscription.md).
145171
146172
For more information about licenses and product terms, see [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
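Review bot: The new mixed-licensing answer at new lines 166-168 no longer tells the reader what the switch changes: the removed text said the simplified configuration experience is replaced by advanced settings in Defender for Endpoint, and an admin deciding whether to contact support needs that consequence stated. In the new table, "(optimized)" appears in the EDR, threat analytics and Lighthouse rows without being defined anywhere in the answer; add a short explanation or a footnote. The prose at new line 140 says Plan 2 adds "threat hunting" while the table row at new line 155 calls it "30 days advanced hunting"; use one term. Minor: "does not support" at new line 166 breaks the contraction style used in the rest of the file.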

defender-business/mdb-manage-subscription.md

Lines changed: 12 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.author: chrisda
77
manager: deniseb
88
audience: ITPro
99
ms.topic: overview
10-
ms.date: 12/30/2024
10+
ms.date: 03/05/2025
1111
ms.service: defender-business
1212
ms.localizationpriority: medium
1313
ms.reviewer: shlomiakirav, efratka
@@ -20,34 +20,11 @@ ms.collection:
2020

2121
# Change your endpoint security subscription
2222

23-
[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones. As your organization grows, you might be thinking about changing from Defender for Business to Defender for Endpoint. This article describes how to apply *either* Defender for Business *or* Defender for Endpoint Plan 2 features and capabilities across all your organization's devices.
23+
[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones.
2424

25-
## Before you begin
25+
As your organization grows, you might be thinking about changing from Defender for Business to Defender for Endpoint. For example, if you have Defender for Business as part of a [Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-overview) subscription, and you add Microsoft 365 E5 Security to your subscription, you now have Defender for Endpoint Plan 2 capabilities while retaining the Defender for Business experience.
2626

27-
- You should have active trial or paid licenses for both Defender for Business and Defender for Endpoint Plan 2.
28-
29-
- If you're using Defender for Business only, you can continue using it. In this case, no changes are needed. But if you're considering switching to Defender for Endpoint Plan 2, follow the guidance in this article.
30-
31-
## View and manage your endpoint security subscription settings
32-
33-
1. As an admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
34-
35-
2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report opens and displays information about your organization's Defender for Business and Defender for Endpoint licenses.
36-
37-
3. To change your subscription, under **Subscriptions applied to your devices**, select **Change subscription settings**.
38-
39-
> [!NOTE]
40-
> If you don't see **Change subscription settings**, at least one of the following conditions is true:
41-
> - You have Defender for Business or Defender for Endpoint (but not both)
42-
> - You don't have enough Defender for Endpoint Plan 2 licenses for all users in your organization
43-
> - The ability to change your subscription settings hasn't rolled out to your organization yet
44-
45-
4. On the **Subscription settings** flyout, choose whether to use only Defender for Business or Defender for Endpoint Plan 2 across your organization's devices. Keep the following important points in mind before you save your changes:
46-
47-
- Make sure you have enough licenses for the subscription you're using for all users in your organization.
48-
- If you select **Only Microsoft Defender for Endpoint Plan 2**, the simplified configuration experience for Defender for Business is replaced with advanced settings that you can configure in Defender for Endpoint. If this change is applied, you can't undo it.
49-
- It can take up to six hours for your changes to be applied.
50-
- Make sure to review your security policies and settings. To get help with Defender for Endpoint policies and settings, see [Configure Defender for Endpoint capabilities](/defender-endpoint/onboard-configure). To get help with Defender for Business policies and settings, see [Review and edit your security policies and settings in Defender for Business](mdb-configure-security-settings.md).
27+
This article describes how to view your current license state and, if needed, change your experience from Defender for Business to Defender for Endpoint.
5128

5229
## Review license usage
5330

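Review bot: The added sentence at new line 25, "you now have Defender for Endpoint Plan 2 capabilities while retaining the Defender for Business experience", is ambiguous and sits uneasily with the FAQ change in this commit, which says the experience for all users defaults to Defender for Business. State which Plan 2 capabilities, if any, are usable before the switch, so readers do not assume coverage they do not have. The hunk also removes the **Before you begin** section and the **Change subscription settings** steps outright; if that portal option is gone, a one-line note that the switch is now handled through support would help readers arriving from older links.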
@@ -61,6 +38,14 @@ To reduce management overhead, there's no requirement for device-to-user mapping
6138

6239
3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Business (or Defender for Endpoint).
6340

41+
## Change your experience to Defender for Endpoint
42+
43+
If you have the Defender for Business experience, and you want to change that to the Defender for Endpoint experience, [contact support](/microsoft-365/admin/get-help-support). You should have enough active trial or paid licenses to make the switch.
44+
45+
After you switch to Defender for Endpoint, make sure to review your security policies and settings. To get help with Defender for Endpoint policies and settings, see [Configure Defender for Endpoint capabilities](/defender-endpoint/onboard-configure).
46+
47+
To get help with Defender for Business policies and settings, see [Review and edit your security policies and settings in Defender for Business](mdb-configure-security-settings.md).
48+
6449
## See also
6550

6651
- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
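Review bot: The new **Change your experience to Defender for Endpoint** section at new lines 41-47 omits three points that the step 4 text removed earlier in this file carried: that the change can't be undone, that it can take up to six hours to apply, and that the simplified configuration experience is replaced with advanced settings. If they still hold for a support-driven switch, restate them here. "You should have enough active trial or paid licenses" at new line 43 should say which licenses and for whom; the FAQ in this commit says to license all users for Defender for Endpoint Plan 2. The closing paragraph at new line 47 points to Defender for Business settings help, which reads oddly directly after "After you switch to Defender for Endpoint".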
