Merge branch 'main' into dhagarwal_working

Author: chrisda

defender-endpoint/ios-install.md

@@ -2,11 +2,11 @@
 title: What's new in Microsoft Defender for Endpoint on iOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
-ms.date: 03/14/2025
+ms.date: 03/28/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -161,7 +161,7 @@ On January 25, 2022, we announced the general availability of Vulnerability mana
 ## 1.1.28250101
 
 - **Integration with Tunnel** - Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. For more information, see [Microsoft Tunnel Overview](/mem/intune/protect/microsoft-tunnel-overview).
-- **Zero-touch onboard for enrolled iOS devices** enrolled through Microsoft Intune is generally available. For more information, see [Zero touch onboarding of Microsoft Defender for Endpoint](ios-install.md#zero-touch-silent-onboarding-of-microsoft-defender-for-endpoint).
+- **Zero-touch onboard for enrolled iOS devices** enrolled through Microsoft Intune is generally available. For more information, see [Zero touch onboarding of Microsoft Defender for Endpoint](ios-install.md#zero-touch-silent-onboarding-to-defender-for-endpoint).
 - Bug fixes.
 
 ## 1.1.24210103
@@ -172,7 +172,7 @@ On January 25, 2022, we announced the general availability of Vulnerability mana
 ## 1.1.23250104
 
 - Performance optimizations - Test battery performance with this version and let us know your feedback.
-- **Zero-touch onboard for enrolled iOS devices** - With this version, the preview of Zero-touch onboards for devices enrolled through Microsoft Intune has been added. For more information, see this [Zero-touch (Silent) onboarding of Microsoft Defender for Endpoint](ios-install.md#zero-touch-silent-onboarding-of-microsoft-defender-for-endpoint).
+- **Zero-touch onboard for enrolled iOS devices** - With this version, the preview of Zero-touch onboards for devices enrolled through Microsoft Intune has been added. For more information, see this [Zero-touch (Silent) onboarding of Microsoft Defender for Endpoint](ios-install.md#zero-touch-silent-onboarding-to-defender-for-endpoint).
 - **Privacy Controls** - Configure privacy controls for phish alert report. For more information, see [Configure iOS features](ios-configure-features.md).
 
 ## 1.1.23010101

defender-endpoint/ios-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 02/21/2025
+ms.date: 03/28/2025
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -52,7 +52,7 @@ Antivirus exclusions can be used to exclude trusted files and processes from rea
 
 | Exclusion Category | Exclusion Scope | Description |
 | --- | --- | --- |
-| Antivirus Exclusion  | Antivirus engine <br/>*(scope: epp)*  | Excludes content from antivirus scans and on-demand scans.| 
+| Antivirus Exclusion  | Antivirus engine <br/>*(scope: epp)*  | Excludes events from on-demand scans, real-time protection (RTP), and behavior monitoring (BM).| 
 | Global Exclusion  | Antivirus and endpoint detections and response engine <br/>*(scope: global)*  | Excludes events from real time protection and EDR visibility. Doesn't apply to on-demand scans by default. |
 
 > [!IMPORTANT]

defender-endpoint/linux-exclusions.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 02/07/2025
+ms.date: 03/28/2025
 ---
 
 # Configure offline security intelligence update for Microsoft Defender for Endpoint on Linux 
@@ -165,15 +165,16 @@ To manually execute the downloader script, configure the parameters in the `sett
 
 Once the script is executed, the latest signatures get downloaded to the folder configured in the `settings.json` file (`updates.zip`).
 
-Once the signatures zip is downloaded, the mirror server can be used to host it. The mirror server can be hosted using any of the HTTP/HTTPS/network share servers.
+Once the signatures zip is downloaded, the mirror server can be used to host it. The mirror server can be hosted using any of the HTTP/HTTPS/network share servers, or a local/remote mount point.
 
 Once hosted, copy the absolute path of the hosted server (up to and not including the `arch_*` directory).
 
-For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/`.
-
-We can also use the absolute path of directory (local/remote mount point) like `/tmp/wdav-update/linux/production`.
+> [!NOTE]
+> For example, if the downloader script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, then the corresponding URI is: `www.example.server.com:8000/linux/production/` (verify that this within this directory, there are the `arch_*` directories).
+> 
+> We can also use the absolute path of directory (local/remote mount point). For example, if the files were downloaded by the script into a directory `/tmp/wdav-update`, then the corresponding URI is:`/tmp/wdav-update/linux/production`.
 
-Once the mirror server is set up, we need to propagate this URL to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section.
+Once the mirror server is set up, we need to propagate this URI to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section.
 
 ## Configure the endpoints
 
@@ -200,7 +201,7 @@ Use the following sample `mdatp_managed.json` and update the parameters as per t
 |-------------------------------------------|----------------------|-----------------------------------------------------|
 | `automaticDefinitionUpdateEnabled`        | `True`/`False`         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. |
 | `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds). |
-| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the mirror server setup. This can be either in terms of the remote server URL or a directory (local/remote mount point). |
+| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the mirror server setup. This can be either in terms of the remote server URL or a directory (local/remote mount point). See the previous section for information about how to specify this path.|
 | `offlineDefinitionUpdate`                 | `enabled`/`disabled`   | When set to `enabled`, the "offline security intelligence update" feature is enabled, and vice versa. |
 | `offlineDefinitionUpdateFallbackToCloud`  | `True`/`False`         | Determine Defender for Endpoint security intelligence update approach when "offline mirror server" fails to serve the update request. If set to `true`, the update is retried via the Microsoft cloud when "offline security intelligence update" failed; else, vice versa. |
 | `offlineDefinitionUpdateVerifySig`        | `enabled`/`disabled`     | When set to `enabled`, downloaded definitions are verified on the endpoints; else, vice versa. |

defender-endpoint/linux-support-offline-security-intelligence-update.md

@@ -4,10 +4,10 @@ ms.reviewer: tdoucette, sunasing, denishdonga
 description: Overview of Mobile Threat Defense in Microsoft Defender for Endpoint
 ms.service: defender-endpoint
 ms.subservice: onboard
-ms.author: deniseb
-author: denisebmsft  
+ms.author: ewalsh
+author: emmwalshh  
 ms.localizationpriority: medium
-ms.date: 03/10/2025
+ms.date: 03/28/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -109,7 +109,7 @@ iOS Dedicated/shared/kiosk device enrollment isn't supported.
 
 ### End-user onboarding
 
-- [Configure Zero-touch onboard for iOS enrolled devices](ios-install.md#zero-touch-silent-onboarding-of-microsoft-defender-for-endpoint): Admins can configure zero-touch install to silently onboard Microsoft Defender for Endpoint on enrolled iOS devices without requiring the user to open the app. 
+- [Configure Zero-touch onboard for iOS enrolled devices](ios-install.md#zero-touch-silent-onboarding-to-defender-for-endpoint): Admins can configure zero-touch install to silently onboard Microsoft Defender for Endpoint on enrolled iOS devices without requiring the user to open the app. 
 
 - [Configure Conditional Access to enforce user onboarding](android-configure.md#conditional-access-with-defender-for-endpoint-on-android): This can be applied to ensure end-users onboard to the Microsoft Defender for Endpoint app after deploying. Watch this video for a quick demo on configuring conditional access with Defender for Endpoint risk signals. 
 
@@ -119,7 +119,7 @@ iOS Dedicated/shared/kiosk device enrollment isn't supported.
 
 ### Simplify Onboarding
 
-- [iOS - Zero-Touch Onboard](ios-install.md#zero-touch-silent-onboarding-of-microsoft-defender-for-endpoint)
+- [iOS - Zero-Touch Onboard](ios-install.md#zero-touch-silent-onboarding-to-defender-for-endpoint)
 - [Android Enterprise - Setup Always-on VPN](android-intune.md#auto-setup-of-always-on-vpn).
 - [iOS - Auto-setup of VPN profile](ios-install.md#auto-onboarding-of-vpn-profile-simplified-onboarding)
 

defender-endpoint/media/mde-ios-notification-2.png

@@ -10,9 +10,9 @@ audience: ITPro
 ms.collection:
   - m365-security
   - Tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/04/2022
+ms.date: 03/21/2025
 ---
 
 # Create and view exceptions for security recommendations
@@ -39,37 +39,21 @@ Only users with "exceptions handling" permissions can manage exceptions (includi
 
 ## Create an exception
 
-Select a security recommendation you would like to create an exception for, and then select **Exception options** and fill out the form.
+Navigate to Recommendations page in the Microsoft Defender portal. By default, the page shows all recommendations filtered to all device groups. To view recommendations for a specific device group, select the device group from the filter dropdown list.
 
-![Showing where the button for "exception options" is location in a security recommendation flyout.](/defender/media/defender-vulnerability-management/tvm-exception-options.png)
+:::image type="content" alt-text="Screenshot highlighting the filter option in the Recommendations page." source="/defender/media/defender-vulnerability-management/exception-filter-small.png" lightbox="/defender/media/defender-vulnerability-management/exception-filter.png":::
 
-### Exception by device group
-
-Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception won't be displayed in the list. If you only select certain device groups, the recommendation state changes from "active" to "partial exception." The state changes to "full exception" if you select all the device groups.
-
-![Showing device group dropdown.](/defender/media/defender-vulnerability-management/tvm-exception-device-group-500.png)
-
-#### Filtered views
-
-If you've filtered by device group on any of the vulnerability management pages, only your filtered device groups appear as options.
+Select a security recommendation you would like to create an exception for. In the pane, select **Exception options** and fill out the form.
 
-This is the button to filter by device group on any of the vulnerability management pages:
+:::image type="content" alt-text="Screenshot highlighting Exception options in a Recommendation pane." source="/defender/media/defender-vulnerability-management/exception-button-small.png" lightbox="/defender/media/defender-vulnerability-management/exception-button.png":::
 
-![Showing selected device groups filter.](/defender/media/defender-vulnerability-management/tvm-selected-device-groups.png)
+The form includes fields to identify the device groups, the justification and context, and the duration of the exception.
 
-Exception view with filtered device groups:
-
-![Showing filtered device group dropdown.](/defender/media/defender-vulnerability-management/tvm-exception-device-filter500.png)
-
-#### Large number of device groups
-
-If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
-
-![Showing how to edit large numbers of groups.](/defender/media/defender-vulnerability-management/tvm-exception-edit-groups.png)
+### Exception by device group
 
-A flyout appears where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
+Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception won't be displayed in the list. If you only select certain device groups, the recommendation state changes from "active" to "partial exception." The state changes to "full exception" if you select all the device groups.
 
-![Showing large device group flyout.](/defender/media/defender-vulnerability-management/tvm-exception-device-group-flyout-400.png)
+![Showing device group dropdown.](/defender/media/defender-vulnerability-management/tvm-exception-device-group-500.png)
 
 ### Global exceptions
 

defender-endpoint/media/mde-ios-notification.png

@@ -10,9 +10,9 @@ audience: ITPro
 ms.collection:
   - m365-security
   - Tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/04/2022
+ms.date: 03/21/2025
 ---
 
 # Mitigate zero-day vulnerabilities
@@ -24,19 +24,19 @@ ms.date: 03/04/2022
 - [Microsoft Defender XDR](/defender-xdr)
 - [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
 
-A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.
+A zero-day vulnerability is a flaw in software for which no official patch or security update is available yet. A software publisher may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.
 
-Vulnerability management will only display zero-day vulnerabilities it has information about.
+Vulnerability management only displays zero-day vulnerabilities it has information about.
 
 > [!TIP]
 > Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md).
 
 ## Find information about zero-day vulnerabilities
 
-Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender portal.
+Once a zero-day vulnerability is found, information about it is conveyed through the following experiences in the Microsoft Defender portal.
 
 > [!NOTE]
-> 0-day vulnerability capability is currently available only for Windows products.
+> Zero-day vulnerability capability is currently available only for Windows products.
 
 ### Defender Vulnerability Management dashboard
 
@@ -74,17 +74,17 @@ Look for a zero-day tag for each software that has been affected by the zero-day
 
 View clear suggestions about remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.
 
-If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities.
+If there's software with a zero-day vulnerability and other vulnerabilities to address, you get one recommendation about all vulnerabilities.
 
 :::image type="content" alt-text="Zero day example of Windows Server 2016 in the security recommendations page." source="/defender/media/defender-vulnerability-management/tvm-zero-day-security-recommendation.png" lightbox="/defender/media/defender-vulnerability-management/tvm-zero-day-security-recommendation.png":::
 
 ## Addressing zero-day vulnerabilities
 
 Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.
 
-There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
+There is a link to mitigation options and workarounds if they are available. Workarounds might help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
 
-Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update is not yet available. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."
 
 :::image type="content" alt-text="Zero day flyout example of Windows Server 2016 in the security recommendations page." source="/defender/media/defender-vulnerability-management/tvm-zero-day-recommendation-flyout400.png" lightbox="/defender/media/defender-vulnerability-management/tvm-zero-day-recommendation-flyout400.png":::
 
@@ -94,7 +94,7 @@ Go to the [Remediation](tvm-remediation.md) page to view the remediation activit
 
 ## Patching zero-day vulnerabilities
 
-When a patch is released for the zero-day, the recommendation will be changed to "Update" and a blue label next to it that says "New security update for zero day." It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
+When a patch is released for the zero-day, the recommendation changes to **Update** and a blue label next to it that says **New security update for zero day.** The vulnerability is no longer considered as a zero-day and the zero-day tag is removed from all pages.
 
 ## Related articles