Merge branch 'main' into docs-editor/attack-surface-reduction-rules-1745954309

Author: aditisrivastava07

defender-endpoint/linux-install-manually.md

@@ -205,13 +205,13 @@ In order to preview new features and provide early feedback, it's recommended th
 
 6. Install the Microsoft GPG public key:
 
-   - For Debian 11 and earlier, run the following command.
+   - For Debian 11/Ubuntu 22.04 and earlier, run the following command.
 
       ```bash
       curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
       ```
 
-   - For Debian 12 and later, run the following command.
+   - For Debian 12/Ubuntu 24.04 and later, run the following command.
 
       ```bash
       curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null

defender-endpoint/troubleshoot-mdav-scan-issues.md

@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 03/11/2025
+ms.date: 04/29/2025
 ---
 
 # Troubleshoot Microsoft Defender Antivirus scan issues
@@ -34,6 +34,20 @@ Understanding why a scan is launched can help identify what settings are applied
 | Catch up scan | Launched when a scheduled scan was missed twice |
 | Manually launched | A scan is launched manually by using any of the following methods: <br/>- Command Prompt: `MpCmdRun -scan -scantype` <br/>- [Taking a response action on a device](/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices) in the Microsoft Defender portal <br/>- Using the Windows Security app or Microsoft Defender app on the device |
 
+## CPU performance and scan throttling in Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus includes several configurable settings to manage CPU usage during scans. These settings help balance system performance and security by controlling how aggressively Defender uses system resources. If you use Group Policy, these settings are found under `Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan`. To check current value of these settings on a machine use the `Get-MpPreference` PowerShell command.
+
+The key settings to be aware of are listed in the following table:
+
+| Setting | Details |
+|--|--|
+| `ScanOnlyIfIdle` | **Description**: When enabled, Microsoft Defender Antivirus only performs scans when the system is idle.<br/><br/>**Purpose**: This minimizes performance impact during active use by deferring scans until the system is not in use.<br/><br/>**Typical Use Case**: Ideal for environments where user experience is a priority and scans can be delayed without compromising security.<br/><br/>**Policy Name**:<br/>**Group Policy**: Not available. <br/>- **Intune**: `./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled` <br/><br/>**Default**: True (Enabled) |
+| `DisableCpuThrottleOnIdleScans` | **Description**: When set to `true`, this disables CPU throttling during idle-time scans.<br/><br/>**Purpose**: Allows Defender to use more CPU resources when the system is idle, potentially completing scans faster.<br/><br/>**Interaction with Other Settings**: Works with `ScanOnlyIfIdle`. If both are enabled, scans run only when idle and aren't throttled.<br/><br/>**Policy Name**:<br/>- **Group Policy**: Not available.<br/>- **Intune**: `./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans`<br/><br/>**Default**: True (Enabled) |
+| `AvgCPULoadFactor` | **Description**: Specifies the average CPU load (as a percentage) that Microsoft Defender Antivirus shouldn't exceed during scans. This setting doesn't apply to real time protection scans.<br/><br/>**Purpose**: Helps maintain overall system responsiveness by limiting Defender's CPU usage.<br/><br/>**Example**: A value of `50` means Microsoft Defender Antivirus attempts to keep its CPU usage below 50% during scans.<br/><br/>**Interaction with Other Settings**: This setting is influenced by `DisableCpuThrottleOnIdleScans` and `ThrottleForScheduledScanOnly`, which can override or limit when throttling is applied.<br/><br/>**Policy Name**: <br/>- **Group Policy**: `Specify the maximum percentage of CPU utilization during a scan`<br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/AvgCPULoadFactor` |
+| `ThrottleForScheduledScanOnly` | **Description**: When enabled, CPU throttling is applied only to scheduled scans, not to manual scans.<br/><br/>**Purpose**: Ensures that scheduled scans are less intrusive, while allowing manual scans to run at full speed if needed.<br/><br/>**Interaction with Other Settings**: When used with `AvgCPULoadFactor`, throttling limits only apply to scheduled scans. Manual scans ignore the CPU load factor and might use more resources.<br/><br/>**Policy Name**:<br/>- **Group Policy**: `Cpu throttling type` <br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/ThrottleForScheduledScanOnly`<br/><br/>**Default**: True (Enabled) |
+| `EnableLowCpuPriority` | **Description**: This policy setting allows you to enable or disable low CPU priority for scheduled scans.<br/><br/>**Purpose**: Helps reduce the impact of scans on system performance by allowing other processes to take precedence over Microsoft Defender Antivirus's scanning tasks.<br/><br/>**Interaction with Other Settings**: Complements `AvgCPULoadFactor` and `ThrottleForScheduledScanOnly` by further deprioritizing Microsoft Defender Antivirus's CPU usage. It's especially useful in environments where maintaining responsiveness during scans is critical.<br/><br/>**Policy Name**: <br/>- **Group Policy**: `Configure low CPU priority for scheduled scans`<br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/EnableLowCPUPriority`<br/><br/>**Default**: False (Disabled) |
+
 ## Policies that impact scanning
 
 Understanding the policies applied to the scan enables you to understand the behavior of the scan and what can be tuned to remediate scan challenges.
@@ -73,7 +87,7 @@ In an Intune policy and in [Defender for Endpoint Security Settings Management](
 
    Settings: `Scan Parameter`; `Schedule Scan Day`; and `Schedule Scan Time`
 
-If you are using Group Policy to manage your devices, see [Configure Microsoft Defender Antivirus with Group Policy](/defender-endpoint/use-group-policy-microsoft-defender-antivirus#group-policy-settings-and-resources)
+If you're using Group Policy to manage your devices, see [Configure Microsoft Defender Antivirus with Group Policy](/defender-endpoint/use-group-policy-microsoft-defender-antivirus#group-policy-settings-and-resources)
 
 For information about troubleshooting antivirus settings, see [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
 

defender/media/defender-vulnerability-management/tvm_alert_icon.png renamed to defender-vulnerability-management/media/tvm-alert-icon.png

@@ -12,7 +12,7 @@ ms.collection:
   - Tier1
 ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 04/28/2025
 #customer intent: Get information on how to view and act on security recommendations in Microsoft Defender Vulnerability Management.
 ---
 
@@ -73,15 +73,15 @@ The color of the **Exposed devices** graph changes as the trend changes. If the
 > [!NOTE]
 > Vulnerability management shows devices that were in use within the last 30 days. This is different from device status in Defender for Endpoint, where if a device has `Inactive` status if it doesn't communicate with the service for more than seven days.
 
-:::image type="content" alt-text="Screenshot of the security recommendations landing page." source="/defender/media/defender-vulnerability-management/tvm-sec-reco-expanded-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sec-reco-expanded.png":::
+:::image type="content" source="media/tvm-sec-reco-expanded-small.png" alt-text="Screenshot of security recommendations." lightbox="media/tvm-sec-reco-expanded.png":::
 
 ### Icons
 
 Useful icons also quickly call your attention to:
 
-- ![arrow hitting a target.](/defender/media/defender-vulnerability-management/tvm_alert_icon.png) possible active alerts
-- ![red bug.](/defender/media/defender-vulnerability-management/tvm_bug_icon.png) associated public exploits
-- ![light bulb.](/defender/media/defender-vulnerability-management/tvm_insight_icon.png) recommendation insights
+- :::image type="content" source="media/tvm-alert-icon.png" alt-text="arrow hitting a target"::: possible active alerts
+- :::image type="content" source="media/tvm-bug-icon.png" alt-text="red bug"::: associated public exploits
+- :::image type="content" source="media/tvm-insight-icon.png" alt-text="light bulb"::: recommendation insights
 
 ### Impact
 

defender-vulnerability-management/media/tvm-black-bug-icon.png

@@ -12,7 +12,7 @@ ms.collection:
   - Tier1
 ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/05/2025
+ms.date: 04/29/2025
 #customer intent: To learn about the software inventory page in Microsoft Defender for Endpoint's Vulnerability Management.
 ---
 
@@ -36,20 +36,18 @@ You can remove the **CPE Available** filter to gain further visibility and incre
 
 In the field of discovery, we're using the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender for Endpoint detection and response capabilities](/defender-endpoint/overview-endpoint-detection-response).
 
-Since it's real time, in a matter of minutes, you see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+Since it's real time, in a matter of minutes, you see vulnerability information as it's discovered. The engine automatically grabs information from multiple security feeds. In fact, you see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
 
 ## Navigate to the Software inventory page
 
-Access the software inventory page by signing in to the [Microsoft Defender portal](https://security.microsoft.com) and navigating to **Endpoints** > **Vulnerability management** > **Inventories**, which opens to the **Software** tab.
+In the [Microsoft Defender portal](https://security.microsoft.com), in the navigation pane, go to **Endpoints** > **Vulnerability management** > **Inventories**, and then select the **Software** tab.
 
 > [!NOTE]
-> If you search for software using the the Microsoft Defender portal global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write `windows_10` or `windows_11` instead of `Windows 10` or `Windows 11`.
+> If you search for software using the Microsoft Defender portal global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write `windows_10` or `windows_11` instead of `Windows 10` or `Windows 11`.
 
 ## Software inventory overview
 
-The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags.
-
-The data is updated every three to four hours. There's currently no way to force a sync.
+The **Software inventory** lists software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. The data is updated every three to four hours. There's currently no way to force a sync.
 
 :::image type="content" alt-text="Example of the landing page for software inventory." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-main-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-main.png":::
 
@@ -74,7 +72,7 @@ Here's how to tell whether software isn't supported:
 
 ## Software inventory on devices
 
-1. Sign in to the Microsoft Defender portal. Navigate to **Assets** > **Devices** to open the **Device inventory** page.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Assets** > **Devices** to open the **Device inventory** page.
 
 2. Select the name of a device to open its device page.
 
@@ -86,45 +84,53 @@ Software might be visible at the device level, even if it's currently not suppor
 
 ### Software evidence
 
-See evidence of where we detected a specific software on a device from the registry, disk, or both. You can find it on any device in the device software inventory.
+See evidence of where specific software was detected a device in the registry, on the disk, or both. You can find this information on any device in the device software inventory.
 
-Select a software name to open the flyout, and look for the section called **Software Evidence**.
+Select a software name to open its flyout, and look for the section called **Software Evidence**.
 
 :::image type="content" alt-text="Software evidence example of Microsoft Edge showing evidence registry path as seen on a device page" source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-evidence-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-evidence.png":::
 
 ## Software pages
 
-You can view software pages a few different ways:
+You can view software pages in the [Microsoft Defender portal](https://security.microosft.com) a few different ways:
 
-- **Endpoints** > **Vulnerability management** > **Inventories** > Select a software name > Select **Open software page** in the flyout
-- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout
-- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the **Related component** section in the flyout
+- Go to **Endpoints** > **Vulnerability management** > **Inventories**, and select the **Software** tab. Select a software name, and then, in the flyout, select **Open software page**.
+- Go to **Endpoints** > **Vulnerability management** > **Recommendations**. Select a recommendation, and in the flyout, select **Open software page**. (See [Security recommendations page](tvm-security-recommendation.md).)
+- Go to **Endpoints** > **Vulnerability management** > **Event timeline**. Select an event, and then, in the **Related components** section, select the link for the software name. (See [Event timeline page](threat-and-vuln-mgt-event-timeline.md).)
 
- A full page appears with all the details of a specific software and the following information:
+ The software page provides details about specific software with the following information:
 
 - Overview with vendor information, exploits available, and impact rating 
 - Data visualizations showing the number of and severity of discovered weaknesses, exposed devices, software's usage in the past 30 days, and the top events in the last seven days.
-- Tabs showing information such as:
-  - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
-  - Named CVEs of discovered vulnerabilities.
-  - Devices that have the software installed (along with device name, domain, OS, and more).
-  - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
-  - Event timeline
-  - Browser extensions (if applicable)
+- Tabs showing information, such as:
+   - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
+   - Named CVEs of discovered vulnerabilities.
+   - Devices that have the software installed (along with device name, domain, OS, and more).
+   - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
+   - Event timeline
+   - Browser extensions (if applicable)
+
+:::image type="content" alt-text="Software example page for Microsoft Edge with the software details, weaknesses, exposed devices, and more." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage.png":::
+
+## Normalized software versions
 
-    :::image type="content" alt-text="Software example page for Microsoft Edge with the software details, weaknesses, exposed devices, and more." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage.png":::
+For some software, normalized versions might be displayed in the Microsoft Defender portal. For example, suppose a device has [SQL Server 2016, version 13.0.7016.1](/troubleshoot/sql/releases/download-and-install-latest-updates#sql-server-2016) installed. However, in the [Microsoft Defender portal](https://security.microsoft.com), SQL Server 2016 is listed as `13.3.7016.1`, a normalized version of SQL Server. In this case, `13.3.7016.1` is functionally equivalent to `13.0.7016.1`.
+
+Defender Vulnerability Management applies version normalization rules to ensure better cross-device correlation and more accurate vulnerability assessments. Version normalization is intentional and valid, and is used consistently to streamline detection logic and align with internal data models.
 
 ## Report inaccuracy
 
 Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.
 
-1. Open the software flyout on the Software inventory page.
-2. Select **Report inaccuracy**.
-3. From the flyout pane, choose an issue to report from:
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Vulnerability management** > **Inventories**, and select the **Software** tab. 
+
+2. Select a software name to open its flyout, and then select **Report inaccuracy**.
+
+3. From the flyout pane, choose an issue. Examples include:
 
-    - a software detail is wrong
-    - the software isn't installed on any device in my org
-    - the number of installed or exposed devices is wrong
+   - A software detail is wrong
+   - The software isn't installed on any device in my org
+   - The number of installed or exposed devices is wrong
 
 4. Fill in the requested details about the inaccuracy.