MicrosoftDocs
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 6 additions & 6 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎defender-endpoint/enable-attack-surface-reduction.md‎
Lines changed: 3 additions & 2 deletions b/‎defender-endpoint/enable-attack-surface-reduction.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎defender-endpoint/linux-preferences.md‎
Lines changed: 28 additions & 31 deletions b/‎defender-endpoint/linux-preferences.md‎
Lines changed: 28 additions & 31 deletions
diff --git a/‎defender-endpoint/switch-to-mde-phase-2.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/switch-to-mde-phase-2.md‎
Lines changed: 3 additions & 3 deletions
@@ -18,10 +18,6 @@
       href: microsoft-defender-endpoint-ios.md
     - name: Defender for Endpoint for US Government customers
       href: gov.md
-    - name: Supported Defender for Endpoint capabilities by platform
-      href: supported-capabilities-by-platform.md
-    - name: Antivirus solution compatibility with Defender for Endpoint
-      href: defender-compatibility.md
     - name: Defender for Endpoint Plan 1
       items:
       - name: Overview of Defender for Endpoint Plan 1
@@ -30,6 +26,12 @@
         href: mde-p1-setup-configuration.md
       - name: Get started
         href: mde-plan1-getting-started.md
+    - name: Minimum requirements
+      href: minimum-requirements.md
+    - name: Supported Defender for Endpoint capabilities by platform
+      href: supported-capabilities-by-platform.md
+    - name: Antivirus solution compatibility with Defender for Endpoint
+      href: defender-compatibility.md
     - name: What's new in Defender for Endpoint
       href: whats-new-in-microsoft-defender-endpoint.md
       items: 
@@ -45,8 +47,6 @@
         href: ios-whatsnew.md
       - name: Previous Defender for Endpoint releases (archive)
         href: whats-new-mde-archive.md
-    - name: Minimum requirements
-      href: minimum-requirements.md
     - name: Trial user guide - Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
     - name: Pilot and deploy Defender for Endpoint
 
@@ -15,7 +15,7 @@ ms.collection:
 - mde-asr
 ms.custom: admindeeplinkDEFENDER
 search.appverid: met150
-ms.date: 04/30/2025
+ms.date: 05/08/2025
 ---
 
 # Enable attack surface reduction rules
@@ -102,7 +102,7 @@ When adding exclusions, keep these points in mind:
 
 If a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence.
 
-Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conficts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
+Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
 
 Attack surface reduction rule merge behavior works as follows:
 
@@ -139,6 +139,7 @@ The following procedures for enabling attack surface reduction rules include ins
 > If you're using Intune on Windows Server 2012 R2 and Windows Server 2016 with the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), you need to set the following attack surface reduction rules to `Not Configured` because they're not supported on these OS versions. Otherwise, these policies fail to apply:
 > - [Block persistence through Windows Management Instrumentation (WMI) event subscription](/defender-endpoint/attack-surface-reduction-rules-reference#block-persistence-through-wmi-event-subscription)
 > - [Block JavaScript or VBScript from launching downloaded executable content](/defender-endpoint/attack-surface-reduction-rules-reference#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+> - [Block Win32 API calls from Office macro](/defender-endpoint/attack-surface-reduction-rules-reference#block-win32-api-calls-from-office-macros)
 
 #### Endpoint security policy (Preferred)
 
 
@@ -6,7 +6,7 @@ ms.subservice: onboard
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 04/24/2025
+ms.date: 05/08/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -159,8 +159,8 @@ The specific exclusions to configure depend on which version of Windows your end
 
 | OS |Exclusions |
 |:--|:--|
-|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed |EDR<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe`<br/><br/>Antivirus<br/><br/>`C:\Program Files\Windows Defender\MsMpEng.exe`<br/><br/> `C:\Program Files\Windows Defender\NisSrv.exe` <br/><br/> `C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe` <br/><br/> `C:\Program Files\Windows Defender\MpCmdRun.exe` <br/><br/> `C:\Program Files\Windows Defender\MpDefenderCoreService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MsMpEng.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\NisSrv.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\ConfigSecurityPolicy.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCopyAccelerator.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCmdRun.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDefenderCoreService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\mpextms.exe` <br/><br/> Endpoint Data Loss Prevention <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpCmd.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MipDlp.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\DlpUserAgent.exe` <br/><br/>  |
-|Windows Server 2025 <br/><br/>[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |  On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
+|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/><br/>Windows Server 2025 <br/><br/>[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803)<br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) running the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) running the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2) | **EDR**<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe`<br/><br/>**Antivirus**<br/><br/>`C:\Program Files\Windows Defender\MsMpEng.exe`<br/><br/> `C:\Program Files\Windows Defender\NisSrv.exe` <br/><br/> `C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe` <br/><br/> `C:\Program Files\Windows Defender\MpCmdRun.exe` <br/><br/> `C:\Program Files\Windows Defender\MpDefenderCoreService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MsMpEng.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\NisSrv.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\ConfigSecurityPolicy.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCopyAccelerator.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCmdRun.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDefenderCoreService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\mpextms.exe` <br/><br/> **Endpoint Data Loss Prevention** <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpService.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpCmd.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MipDlp.exe` <br/><br/> `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\DlpUserAgent.exe`  |
+|Windows Server 2016 or Windows Server 2012 R2 running the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2) | The following **additional** exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
 |[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
 
 > [!IMPORTANT]