MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 6 additions & 51 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 6 additions & 51 deletions
diff --git a/‎defender-endpoint/api/device-health-api-methods-properties.md‎
Lines changed: 35 additions & 35 deletions b/‎defender-endpoint/api/device-health-api-methods-properties.md‎
Lines changed: 35 additions & 35 deletions
@@ -7,13 +7,12 @@ ms.topic: how-to
 
 # Activate Microsoft Defender for Identity capabilities directly on a domain controller
 
-Microsoft Defender for Endpoint customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
 
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> Information in this article relates to a feature that is currently in limited availablility for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
->
+> Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
 
 ## Prerequisites
 
@@ -122,7 +121,7 @@ In the Defender portal, check for the following details:
 
 - **Device entities**: Select **Assets > Devices**, and select the machine for your new sensor. Defender for Identity events are shown on the device timeline.
 
-- **User entities**. Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
+- **User entities**: Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
@@ -148,16 +147,7 @@ IdentityQueryEvents
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
 
-### Test Identity Security Posture Management (ISPM) recommendations
-
-Defender for Identity capabilities on domain controllers support the following ISPM assessments:
-
-- [**Install Defender for Identity Sensor on all Domain Controllers**](../security-assessment-unmonitored-domain-controller.md)
-- [**Microsoft LAPS usage**](../security-assessment-laps.md)
-- [**Resolve unsecure domain configurations**](../security-assessment-unsecure-domain-configurations.md)
-- **Set a honeytoken account**
-- [**Unsecure account attributes**](../security-assessment-unsecure-account-attributes.md)
-- [**Unsecure SID History attributes**](../security-assessment-unsecure-sid-history-attribute.md)
+## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
 
@@ -187,37 +177,6 @@ For more information, see [Microsoft Defender for Identity's security posture as
 
 ### Test alert functionality
 
-The following alerts are supported by Defender for Identity capabilities on domain controllers:
-
-:::row:::
-   :::column span="":::
-    - [Account enumeration reconnaissance](../reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-external-id-2003)
-    - [Active Directory attributes Reconnaissance using LDAP](../reconnaissance-discovery-alerts.md#active-directory-attributes-reconnaissance-ldap-external-id-2210)
-    - [Exchange Server Remote Code Execution (CVE-2021-26855)](../lateral-movement-alerts.md#exchange-server-remote-code-execution-cve-2021-26855-external-id-2414)
-    - [Honeytoken user attributes modified](../persistence-privilege-escalation-alerts.md#honeytoken-user-attributes-modified-external-id-2427)
-    - [Honeytoken was queried via LDAP](../reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-ldap-external-id-2429)
-    - [Honeytoken authentication activity](../credential-access-alerts.md#honeytoken-authentication-activity-external-id-2014)
-    - [Honeytoken group membership changed](../persistence-privilege-escalation-alerts.md#honeytoken-group-membership-changed-external-id-2428) 
-    - [Remote code execution attempt](../other-alerts.md#remote-code-execution-attempt-external-id-2019)
-    - [Security principal reconnaissance (LDAP)](../credential-access-alerts.md#security-principal-reconnaissance-ldap-external-id-2038)
-    - [Suspicious service creation](../other-alerts.md#suspicious-service-creation-external-id-2026)
-    - [Suspected NTLM relay attack (Exchange account)](../lateral-movement-alerts.md#suspected-ntlm-relay-attack-exchange-account-external-id-2037)
-   :::column-end:::
-   :::column span="":::
-    - [Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-the-resource-based-constrained-delegation-attribute-by-a-machine-account--external-id-2423)
-    - [Suspicious additions to sensitive groups](../persistence-privilege-escalation-alerts.md#suspicious-additions-to-sensitive-groups-external-id-2024)
-    - [Suspicious modification of a dNSHostName attribute (CVE-2022-26923)](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-a-dnshostname-attribute-cve-2022-26923--external-id-2421)
-    - [Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287)](../credential-access-alerts.md#suspicious-modification-of-a-samnameaccount-attribute-cve-2021-42278-and-cve-2021-42287-exploitation-external-id-2419)
-    - [Suspected DCShadow attack (domain controller promotion)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-promotion-external-id-2028)
-    - [Suspected DFSCoerce attack using Distributed File System Protocol](../credential-access-alerts.md#suspected-dfscoerce-attack-using-distributed-file-system-protocol-external-id-2426) 
-    - [Suspected DCShadow attack (domain controller replication request)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-replication-request-external-id-2029)
-    - [Suspected account takeover using shadow credentials](../credential-access-alerts.md#suspected-account-takeover-using-shadow-credentials-external-id-2431)
-    - [Suspected SID-History injection](../persistence-privilege-escalation-alerts.md#suspected-sid-history-injection-external-id-1106)
-    - [Suspected AD FS DKM key read](../credential-access-alerts.md#suspected-ad-fs-dkm-key-read-external-id-2413)
-   :::column-end:::
-:::row-end:::
-
-
 Test alert functionality by simulating risky activity in a test environment. For example:
 
 - Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
@@ -232,16 +191,12 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the options menu, select any or all of the following, one at a time:
-
-    - **Disable user in AD**
-    - **Enable user in AD**
-    - **Force password reset**
+1. From the **Options** menu, select any of the available remediation actions.
 
 1. Check Active Directory for the expected activity.
 
 > [!NOTE]
-> The current version does not collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
+> The current version doesn't collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
 
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: deniseb 
 author: denisebmsft
 ms.localizationpriority: medium 
-ms.date: 06/25/2024
+ms.date: 02/19/2025
 manager: deniseb 
 ms.reviewr: mkaminska
 audience: ITPro 
@@ -23,7 +23,6 @@ search.appverid: met150
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint](../microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](../microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
@@ -41,11 +40,13 @@ Retrieves a list of Microsoft Defender Antivirus device health details. This API
 
 - **JSON response**  The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
 
-- **via files** This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
-  - Call the API to get a list of download URLs with all your organization data.
-  - Download all the files using the download URLs and process the data as you like.
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably, and is recommended for large organizations who have more than 100,000 devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
 
-Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.
+   1. Call the API to get a list of download URLs with all your organization data.
+
+   2. Download all the files using the download URLs and process the data as you like.
+
+Data that is collected using either `JSON response` or by using files is a snapshot of the current state. This data doesn't contain historical data. To collect historical data, you must save the data in your own data storage.
 
 > [!IMPORTANT]
 > For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](../configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
@@ -66,60 +67,59 @@ Data that is collected using either '_JSON response_ or _via files_' is the curr
 
 ### 1.3 Export device antivirus health details API properties (JSON response)
 
-- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output won't necessarily be returned in the same order listed in this table.
+- The properties defined in the following table are listed alphabetically, by property ID. When you use this API, the resulting output won't necessarily be returned in the same order listed in this table.
 - Note that **rbacgroupname** and **Id** aren't supported filter operators.
 - Some more columns might be returned in the response. These columns can be temporary and might be removed; use only the documented columns.
 
 | Property (ID) | Data type | Description | Example of a returned value |
 |---|---|---|---|
 | `avEngineUpdateTime` | DateTimeOffset | Datetime when the antivirus engine was last updated on device | "2022-08-04T12:44:02Z" |
-| `avEngineVersion` | String | Antivirus engine version | "1.1.19400.3" |
-| `avIsEngineUpToDate` | String | Up-to-date status of antivirus engine | "True", "False", "Unknown" |
-| `avIsPlatformUpToDate` | String | Up-to-date status of antivirus platform | "True", "False", "Unknown" |
-| `avIsSignatureUpToDate` | String | Up-to-date status of antivirus signature | "True", "False", "Unknown" |
-| `avMode` | String | Antivirus mode. | Each mode is a string typed integer value ranging from 0 to 5. Refer to the following mapping to see its value's meaning: <br/>'' = Other<br/>'0' = Active<br/>'1' = Passive<br/>'2' = Disabled<br/>'3' = Other<br/>'4' = EDRBlocked<br/>'5' = PassiveAudit |
+| `avEngineVersion` | String | Antivirus engine version | `1.1.19400.3` |
+| `avIsEngineUpToDate` | String | Up-to-date status of antivirus engine | `True`, `False`, or `Unknown` |
+| `avIsPlatformUpToDate` | String | Up-to-date status of antivirus platform | `True`, `False`, or `Unknown` |
+| `avIsSignatureUpToDate` | String | Up-to-date status of antivirus signature | `True`, `False`, or `Unknown` |
+| `avMode` | String | Antivirus mode. | Each mode is a string typed integer value ranging from 0 to 5. <br/>`''` = `Other`<br/>`0` = `Active`<br/>`1` = `Passive`<br/>`2` = `Disabled`<br/>`3` = `Other`<br/>`4` = `EDRBlocked`<br/>`5` = `PassiveAudit` |
 | `avPlatformUpdateTime` | DateTimeOffset | Datetime when antivirus platform was last updated on device | "2022-08-04T12:44:02Z" |
-| `avPlatformVersion` | String | Antivirus platform version | "4.18.2203.5" |
+| `avPlatformVersion` | String | Antivirus platform version | `4.18.2203.5` |
 | `avSignaturePublishTime` | DateTimeOffset | Datetime when antivirus security intelligence build was released | "2022-08-04T12:44:02Z" |
 | `avSignatureUpdateTime` | DateTimeOffset | Datetime when antivirus security intelligence was last updated on device | "2022-08-04T12:44:02Z" |
-| `avSignatureVersion` | String | Antivirus security intelligence version | "1.371.1323.0" |
-| `computerDnsName` | String | DNS name | "SampleDns" |
-| `dataRefreshTimestamp` | DateTimeOffset | Datetime when data is refreshed for this report | "2022-08-04T12:44:02Z" |
-| `fullScanError` | String | Error codes from full scan | "0x80508023" |
-| `fullScanResult` | String | Full scan result of this device | "Completed" <br> "Canceled" <br>"Failed" |
-| `fullScanTime` | DateTimeOffset | Datetime when full scan has completed | "2022-08-04T12:44:02Z" |
-| `id` | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab" |
-| `lastSeenTime` | DateTimeOffset | Last seen datetime of this machine | "2022-08-04T12:44:02Z" |
-| `machineId` | String | Machine GUID | "30a8fa2826abf24d24379b23f8a44d471f00feab" |
-| `osKind` | String | Operating system kind | "windows", "mac", "linux" |
-| `osPlatform` | String | Operating system major version name | Windows 10, macOS |
-| `osVersion` | String | Operating system version | 10.0.18363.1440, 12.4.0.0 |
-| `quickScanError` | String | Error codes from quick scan | "0x80508023" |
-| `quickScanResult` | String | Quick scan result of this device | "Completed" <br>"Canceled" <br>"Failed" |
-| `quickScanTime` | DateTimeOffset | Datetime when quick scan completed | "2022-08-04T12:44:02Z" |
-| `rbacGroupId` | Long | Device group ID that this machine belongs to | 712 |
-| `rbacGroupName` | String | Name of device group that this machine belongs to | "SampleGroup" |
+| `avSignatureVersion` | String | Antivirus security intelligence version | `1.371.1323.0` |
+| `computerDnsName` | String | DNS name | `SampleDns` |
+| `dataRefreshTimestamp` | DateTimeOffset | Datetime when data is refreshed for this report | `2022-08-04T12:44:02Z` |
+| `fullScanError` | String | Error codes from the full scan | "0x80508023" |
+| `fullScanResult` | String | Full scan result of the device | `Completed`, `Canceled`, or `Failed` |
+| `fullScanTime` | DateTimeOffset | Datetime when the full scan completed | `2022-08-04T12:44:02Z` |
+| `id` | String | Machine GUID | `30a8fa2826abf24d24379b23f8a44d471f00feab` |
+| `lastSeenTime` | DateTimeOffset | Last seen datetime of this machine | `2022-08-04T12:44:02Z` |
+| `machineId` | String | Machine GUID | `30a8fa2826abf24d24379b23f8a44d471f00feab` |
+| `osKind` | String | Operating system kind | `windows`, `mac`, or `linux` |
+| `osPlatform` | String | Operating system major version name | `Windows 10` or `macOS` |
+| `osVersion` | String | Operating system version | `10.0.18363.1440, 12.4.0.0` |
+| `quickScanError` | String | Error codes from quick scan | `0x80508023` |
+| `quickScanResult` | String | Quick scan result of this device | `Completed`, `Canceled`, or `Failed` |
+| `quickScanTime` | DateTimeOffset | Datetime when quick scan completed | `2022-08-04T12:44:02Z` |
+| `rbacGroupId` | Long | Device group ID that this machine belongs to | `712` |
+| `rbacGroupName` | String | Name of device group that this machine belongs to | `SampleGroup` |
 
 ### 1.4 Export device antivirus health details API properties (via files)
 
 > [!IMPORTANT]
 > Information in this section relates to prereleased product which can be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 > [!NOTE]
->
-> - The files are gzip compressed & in multiline Json format.
+> - The files are gzip-compressed and in multiline `.json` format.
 > - The download URLs are only valid for 3 hours; otherwise you can use the parameter.
 > - For maximum download speed of your data, you can make sure you're downloading from the same Azure region that your data resides.
-> - Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
-> - Some more columns might be returned in the response. These columns are temporary and might be removed, so use only the documented columns.
+> - Each record uses approximately 1KB of data. You should take this into account when choosing the correct `pageSize` parameter.
+> - More columns might be returned in the response. These columns are temporary and might be removed, so use only the documented columns.
 
 | Property (ID) | Data type | Description | Example of a returned value |
 |---|---|---|---|
 | Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"] |
 | GeneratedTime | String | The time that the export was generated. | 2022-05-20T08:00:00Z |
 
 > [!NOTE]
-> In each of the Export files a property "DeviceGatheredInfo" containing the data about Antivirus information can be found. Each of its attributes can provide you with information on the device's health and its status.
+> In each of the export files, there's a property called `DeviceGatheredInfo`, which contains antivirus data. Each of its attributes can provide you with information on the device's health and its status.
 
 ## See also