Merge branch 'main' into M1_changes

Author: DebLanger

.github/workflows/AutoPublish.yml

@@ -7,7 +7,8 @@ permissions:
 
 on:
   schedule:
-    - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+    # - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time (~Mar-Nov). Scheduling at :25 to account for queuing lag.
+    - cron: "25 3,6,9,12,15,18,21,23 * * *" # Times are UTC based on Standard Time (~Nov-Mar). Scheduling at :25 to account for queuing lag.
 
   workflow_dispatch:
 

defender-endpoint/defender-endpoint-demonstration-network-protection.md

@@ -1,6 +1,6 @@
 ---
 title: Microsoft Defender for Endpoint Network protection demonstrations
-description: Shows how Network protection prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+description: Shows how Network protection prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.
 search.appverid: met150
 ms.service: defender-endpoint
 ms.author: bagol
@@ -24,7 +24,7 @@ appliesto:
 ---
 # Network protection demonstrations
 
-Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.
 
 ## Prerequisites
 
@@ -34,27 +34,27 @@ Network Protection helps reduce the attack surface of your devices from Internet
 
 ## Windows
 
-PowerShell command
+Run the following PowerShell command:
 
 ```powershell
 Set-MpPreference -EnableNetworkProtection Enabled
 ```
 
-Rule states
+Following are the Rule states:
 
 |State | Mode| Numeric value |
 |:---|:---|:---|
 | Disabled | = Off | 0 |
 | Enabled | = Block mode | 1 |
 | Audit | = Audit mode | 2 |
 
-Verify configuration
+Verify the configuration using the following PowerShell command:
 
 ```powershell
 Get-MpPreference
 ```
 
-Scenario
+**Consider the following scenario**:
 
 1. Turn on Network Protection using PowerShell command:
 
@@ -64,11 +64,11 @@ Scenario
 
 2. Using the browser of your choice (not Microsoft Edge*), navigate to the [Network Protection website test](https://smartscreentestratings2.net/). Microsoft Edge has other security measures in place to protect from this vulnerability (SmartScreen).
 
-Expected results
+Following are the expected results:
 
 Navigation to the website should be blocked and you should see a **Connection blocked** notification.
 
-Clean-up
+Run the following command to Clean-up:
 
 ```powershell
 Set-MpPreference -EnableNetworkProtection Disabled
@@ -90,27 +90,27 @@ For example, to configure network protection to run in blocking mode, execute th
 mdatp config network-protection enforcement-level --value block
 ```
 
-To confirm that network protection has been started successfully, run the following command from the Terminal, and verify that it prints "started":
+To confirm that network protection has started successfully, run the following command from the Terminal, and verify that it prints "started":
 
 
 ```bash
 mdatp health --field network_protection_status
 ```
 
-To test Network Protection on macOS/Linux
+To test Network Protection on macOS/Linux:
 
-1. Using the browser of your choice (not Microsoft Edge*), navigate to the [Network Protection website test](https://smartscreentestratings2.net/). Microsoft Edge has other security measures in place to protect from this vulnerability (SmartScreen).
-1. or from terminal 
+1. Using the browser of your choice (not Microsoft Edge), navigate to the [Network Protection website test](https://smartscreentestratings2.net/). Microsoft Edge has other security measures in place to protect from this vulnerability (SmartScreen).
+1. Or run the following command from the terminal: 
 
     ```bash
     curl -o ~/Downloads/smartscreentestratings2.net https://smartscreentestratings2.net/ 
     ```
 
-Expected results
+Following are the expected results:
 
 Navigation to the website should be blocked and you should see a **Connection blocked** notification.
 
-Clean-up
+Run the following command to Clean-up:
 
 ```bash
 mdatp config network-protection enforcement-level --value audit

defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
 title: Deploy, manage, and report on Microsoft Defender Antivirus
-description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Configuration Manager, Group Policy, PowerShell, or WMI
+description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Configuration Manager, Group Policy, PowerShell, or WMI.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
 ms.date: 10/20/2025
@@ -24,7 +24,6 @@ appliesto:
 ---
 # Deploy, manage, and report on Microsoft Defender Antivirus
 
-
 You can manage and report on Microsoft Defender Antivirus using one of several tools, such as:
 
 - [Deploy, manage, and report on Microsoft Defender Antivirus](#deploy-manage-and-report-on-microsoft-defender-antivirus)
@@ -33,8 +32,7 @@ You can manage and report on Microsoft Defender Antivirus using one of several t
   - [PowerShell](#powershell)
   - [Group Policy and Microsoft Entra ID](#group-policy-and-microsoft-entra-id)
   - [Windows Management Instrumentation](#windows-management-instrumentation)
-  - [See also](#see-also)
-
+  
 This article describes these options for deployment, management, and reporting.
 
 ## Prerequisites
@@ -74,7 +72,7 @@ For reporting, you can choose from several options:
 
 ## PowerShell
 
-You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that are not managed by a security team. 
+You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that aren't managed by a security team. 
 
 - Use the appropriate [Get- cmdlets available in the Defender module](/powershell/module/defender).
 
@@ -124,6 +122,6 @@ For reporting, Windows events comprise several security event sources, including
 
 
 > [!TIP]
-> **Performance tip** Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
+> **Performance tip**: Due to various factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
 

defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md

@@ -25,8 +25,6 @@ appliesto:
 ---
 # Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment
 
-
-
 This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md).
 
 You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Using the guidance in this article, you can configure updates to download directly to your RDS or VDI environments whenever a user signs in.
@@ -55,23 +53,23 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen
 
 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select **Edit**.
 
-2. In the Group Policy Management Editor, go to **Computer configuration**.
+1. In the Group Policy Management Editor, go to **Computer configuration**.
 
-3. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+1. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
 
-4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
+1. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
 
-5. In the field, type `\\<File Server shared location\>\wdav-update`. (For help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates).)
+1. In the field, type `\\<File Server shared location\>\wdav-update`. (For help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates).)
 
-6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test.
+1. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test.
 
 ### PowerShell
 
 1. On each RDS or VDI device, use the following cmdlet to enable the feature: 
 
    `Set-MpPreference -SharedSignaturesPath \\<File Server shared location>\wdav-update`
 
-2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) 
+1. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) 
 
 ## Download and unpackage the latest updates
 
@@ -100,7 +98,7 @@ You can also set up your single server or machine to fetch the updates on behalf
 
 1. Create an SMB/CIFS file share.
 
-2. Use the following example to create a file share with the following share permissions.
+1. Use the following example to create a file share with the following share permissions.
 
    ```PowerShell
    
@@ -121,19 +119,19 @@ You can also set up your single server or machine to fetch the updates on behalf
 
 1. On the management machine, open the **Start** menu and type `Task Scheduler`. From the results, select Task Scheduler and then select **Create task...** in the side panel.
 
-2. Specify the name as `Security intelligence unpacker`. 
+1. Specify the name as `Security intelligence unpacker`. 
 
-3. On the **Trigger** tab, select **New...** > **Daily**, and select **OK**.
+1. On the **Trigger** tab, select **New...** > **Daily**, and select **OK**.
 
-4. On the **Actions** tab, select **New...**.
+1. On the **Actions** tab, select **New...**.
 
-5. Specify `PowerShell` in the **Program/Script** field. 
+1. Specify `PowerShell` in the **Program/Script** field. 
 
-6. In the **Add arguments**  field, type `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1`, and then select **OK**.
+1. In the **Add arguments**  field, type `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1`, and then select **OK**.
 
-7. Configure any other settings as appropriate.
+1. Configure any other settings as appropriate.
 
-8. Select **OK** to save the scheduled task.
+1. Select **OK** to save the scheduled task.
 
 To initiate the update manually, right-click on the task, and then select **Run**.
 
@@ -143,19 +141,19 @@ If you would prefer to do everything manually, here's what to do to replicate th
 
 1. Create a new folder on the system root called `wdav_update` to store intelligence updates. For example, create the folder `c:\wdav_update`.
 
-2. Create a subfolder under `wdav_update` with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
+1. Create a subfolder under `wdav_update` with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
 
    Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
 
    > [!NOTE]
    > We set the script so that the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
 
-3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions)  into the GUID folder. The file should be named `mpam-fe.exe`.
+1. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions)  into the GUID folder. The file should be named `mpam-fe.exe`.
 
-4. Open a Command Prompt window and navigate to the GUID folder you created. Use the `/X` extraction command to extract the files. For example `mpam-fe.exe /X`.
+1. Open a Command Prompt window and navigate to the GUID folder you created. Use the `/X` extraction command to extract the files. For example, `mpam-fe.exe /X`.
 
    > [!NOTE]
-   > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
+   > The VMs pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
 
 ## Microsoft Defender Antivirus configuration settings
 
@@ -204,7 +202,7 @@ It's important to take advantage of the included threat protection capabilities
 - Enable file hash computation feature: `Enabled`
 
 > [!NOTE]
-> "Enable file hash computation feature" is only needed if using Indicators – File hash. It can cause higher amount of CPU utilization, since it has to parse thru each binary on disk to get the file hash.
+> "Enable file hash computation feature" is only needed if using Indicators – File hash. It can cause higher amount of CPU utilization, since it has to parse through each binary on disk to get the file hash.
 
 ### Real-time protection
 
@@ -237,7 +235,7 @@ It's important to take advantage of the included threat protection capabilities
 - Turn on catch-up quick scan (Disable catchup quick scan): `Not configured`
 
    > [!NOTE]
-   > If you want to harden, you could change "Turn on catch-up quick scan" to `Enabled`, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans. But since it is running a scheduled scan, it will use additional CPU.
+   > If you want to harden, you could change "Turn on catch-up quick scan" to `Enabled`, which helps when VMs are offline, and have missed two or more consecutive scheduled scans. But since it's running a scheduled scan, it uses additional CPU.
 
 - Turn on e-mail scanning: `Enabled`
 
@@ -327,12 +325,12 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist
 
 1. Open up the **Task Scheduler** mmc (`taskschd.msc`).
 
-2. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**.
+1. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**.
 
-3. Select **Run**, and let the scheduled task finish.
+1. Select **Run**, and let the scheduled task finish.
 
    > [!WARNING]
-   > If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs.
+   > If you don't do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs.
 
 ### Enable tamper protection
 

defender-endpoint/enable-controlled-folders.md

@@ -1,6 +1,6 @@
 ---
 title: Enable controlled folder access
-description: Learn how to protect your important files by enabling Controlled folder access
+description: Learn how to protect your important files by enabling Controlled folder access.
 ms.service: defender-endpoint
 ms.topic: how-to
 ms.localizationpriority: medium
@@ -37,8 +37,7 @@ You can enable controlled folder access by using any of these methods:
   - [Microsoft Configuration Manager](#microsoft-configuration-manager)
   - [Group Policy](#group-policy)
   - [PowerShell](#powershell)
-  - [See also](#see-also)
-
+  
 ## Prerequisites
 
 ### Supported operating systems
@@ -96,13 +95,13 @@ For more information about Microsoft Configuration Manager and Controlled Folder
 
 1. Expand the tree to **Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access**.
 
-1. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
+1. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
 
    - **Enable** - Malicious and suspicious apps aren't allowed to make changes to files in protected folders. A notification is provided in the Windows event log.
    - **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
    - **Audit Mode** - Changes are allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it's recorded in the Windows event log where you can assess the impact on your organization.
-   - **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-   - **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
+   - **Block disk modification only** - Attempts by untrusted apps to write to disk sectors are logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+   - **Audit disk modification only** - Only attempts to write to protected disk sectors are recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
 
    :::image type="content" source="/defender/media/cfa-gp-enable.png" alt-text="Screenshot shows the group policy option enabled and Audit Mode selected." lightbox="/defender/media/cfa-gp-enable.png":::