Merge branch 'main' into deniseb-portal

denisebmsft · denisebmsft · commit d1e039915fa9 · 2025-03-18T12:56:42.000-07:00
diff --git a/defender-endpoint/configure-server-endpoints.md b/defender-endpoint/configure-server-endpoints.md
diff --git a/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md b/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
@@ -9,7 +9,7 @@ ms.author: ewalsh
 ms.reviewer: pahuijbr
 manager: deniseb
 ms.topic: conceptual
-ms.date: 03/14/2025
+ms.date: 03/18/2025
 ms.collection: 
 - m365-security
 - tier2
@@ -52,7 +52,7 @@ The process of setting up and running Microsoft Defender Antivirus on Windows Se
 ## Enable the user interface on Windows Server
 
 > [!IMPORTANT]
-> If you're using Windows Server 2012 R2, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).
+> If you're using Windows Server 2012 R2, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-defender-for-endpoint-packages).
 
 By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default. The GUI isn't required; you can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus. However, many organizations prefer to use the GUI for Microsoft Defender Antivirus. To install the GUI, use one of the procedures in the following table:
 
@@ -188,7 +188,7 @@ For more information, see [Working with Registry Keys](/powershell/scripting/sam
 
 If your Windows Server is onboarded to Microsoft Defender for Endpoint, you can run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and Windows Server 2016. See the following articles:
 
-- [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages)
+- [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-defender-for-endpoint-packages)
 
 - [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
 
diff --git a/defender-endpoint/offboard-machines.md b/defender-endpoint/offboard-machines.md
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 03/14/2025
+ms.date: 03/17/2025
 ---
 
 # Offboard devices
@@ -23,12 +23,12 @@ ms.date: 03/14/2025
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md)
-- Microsoft Defender for Endpoint for servers
-- [Microsoft Defender for Servers Plan 1 and Plan 2](/azure/defender-for-cloud/integration-defender-for-endpoint)
-- [Microsoft Defender for Business](/defender-business/get-defender-business)
-- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Endpoint Plan 1 and 2
+- Microsoft Defender for Endpoint for servers Plan 1 or Plan 2
+- Microsoft Defender for Servers Plan 1 or Plan 2
+- Microsoft Defender for Business
+- Microsoft Defender Vulnerability Management
+- Microsoft Defender XDR
 
 **Platforms**
 
@@ -38,8 +38,8 @@ ms.date: 03/14/2025
 - Windows Server 2019
 - Windows Server 2016
 - Windows Server 2012 R2
-- Mac
-- Linux Server
+- Mac devices
+- Linux servers
 
 When you offboard a device from Defender for Endpoint, no new detections, vulnerability, or security data are sent to the Microsoft Defender portal. Seven days after offboarding a device, its status changes to [inactive](/defender-endpoint/fix-unhealthy-sensors#inactive-devices). Devices that weren't active within the past 30 days are not factored into your organization's [exposure score](/defender-vulnerability-management/tvm-exposure-score).
 
diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md
@@ -17,7 +17,7 @@ search.appverid: met150
 ms.date: 03/17/2025
 ---
 
-# Onboard servers through Microsoft Defender for Endpoint's device onboarding experience
+# Onboard servers through Microsoft Defender for Endpoint's onboarding experience
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
diff --git a/defender-endpoint/server-migration.md b/defender-endpoint/server-migration.md
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 author: denisebmsft
 ms.author: deniseb
 ms.localizationpriority: medium
-ms.date: 09/19/2022
+ms.date: 03/18/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -27,14 +27,14 @@ ms.subservice: onboard
 - Microsoft Defender for Servers Plan 1 or Plan 2
 
 > [!NOTE]
-> Always ensure the operating system, and Microsoft Defender Antivirus on Windows Server 2016, are fully updated before proceeding with installation or upgrade. To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update [KB5005292](https://go.microsoft.com/fwlink/?linkid=2168277) gets applied or approved after installation. In addition, to keep protection components updated, please reference [Manage Microsoft Defender Antivirus updates and apply baselines](/defender-endpoint/microsoft-defender-antivirus-updates/#platform-and-engine-releases).
+> On Windows Server 2016, always ensure the operating system and Microsoft Defender Antivirus are fully updated before proceeding with installation or upgrade. To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update [KB5005292](https://go.microsoft.com/fwlink/?linkid=2168277) gets applied or approved after installation. In addition, to keep protection components updated, please reference [Manage Microsoft Defender Antivirus updates and apply baselines](/defender-endpoint/microsoft-defender-antivirus-updates/#platform-and-engine-releases).
 
-These instructions apply to the new unified solution and installer (MSI) package of Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
+These instructions apply to the new unified solution and installer (MSI) package of Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
 
 **If you are using Microsoft Defender for Cloud to perform deployment, you can automate installation and upgrade. See [Defender for Servers Plan 2 now integrates with MDE unified solution](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)**
 
 > [!NOTE]
-> Operating system upgrades with Microsoft Defender for Endpoint installed aren't supported. Offboard and uninstall, upgrade the operating system, then proceed with installation.
+> Operating system upgrades with Defender for Endpoint installed aren't supported. Offboard, uninstall, upgrade the operating system, and then proceed with installation.
 
 ## Installer script
 
@@ -43,60 +43,77 @@ These instructions apply to the new unified solution and installer (MSI) package
 
 To facilitate upgrades when Microsoft Endpoint Configuration Manager isn't yet available or updated to perform the automated upgrade, you can use this [upgrade script](https://github.com/microsoft/mdefordownlevelserver/archive/refs/heads/main.zip). Download it by selection the "Code" button and downloading the .zip file, then extracting install.ps1. It can help automate the following required steps:
 
-1. Remove the OMS workspace for Microsoft Defender for Endpoint (OPTIONAL).
+1. Remove the OMS workspace for Defender for Endpoint (OPTIONAL).
+
 2. Remove System Center Endpoint Protection (SCEP) client if installed.
+
 3. Download and install [prerequisites](configure-server-endpoints.md#prerequisites) if necessary.
-4. Enable and update the Defender Antivirus feature on Windows Server 2016
-5. Install Microsoft Defender for Endpoint.
-6. Apply the onboarding script **for use with Group Policy** downloaded from [Microsoft Defender XDR](https://security.microsoft.com).
 
-To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see [Configure server endpoints](configure-server-endpoints.md)).
+4. Enable and update the Microsoft Defender Antivirus feature on Windows Server 2016.
+
+5. Install Defender for Endpoint.
 
-EXAMPLE: .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"
+6. Apply the onboarding script **for use with Group Policy** downloaded from the [Microsoft Defender portal](https://security.microsoft.com).
 
-For more information on how to use the script, use the PowerShell command "get-help .\install.ps1".
+   To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see [Configure server endpoints](configure-server-endpoints.md)).
+
+   EXAMPLE: `.\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"`
+
+For more information on how to use the script, use the PowerShell command `get-help .\install.ps1`.
 
 ## Microsoft Endpoint Configuration Manager migration scenarios
 
 > [!NOTE]
-> You'll need Microsoft Endpoint Configuration Manager, version 2107 or later to perform Endpoint Protection policy configuration. From [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016) deployment and upgrades can be fully automated.
+> You'll need Configuration Manager, version 2107 or later to perform Endpoint Protection policy configuration. From [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016) deployment and upgrades can be fully automated.
 
-For instructions on how to migrate using Microsoft Endpoint Configuration Manager older than version 2207, see [Migrating servers from Microsoft Monitoring Agent to the unified solution.](application-deployment-via-mecm.md)
+For instructions on how to migrate using Configuration Manager older than version 2207, see [Migrating servers from Microsoft Monitoring Agent to the unified solution.](application-deployment-via-mecm.md)
 
 ## If you are running a non-Microsoft antivirus solution
 
 1. Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016) ensuring [prerequisites](configure-server-endpoints.md#prerequisites) have been met. For more information on the prerequisites that have to be met, see [Prerequisites for Windows Server 2016](configure-server-endpoints.md#prerequisites-for-windows-server-2016-and-windows-server-2012-r2).
-2. Ensure third-party antivirus management no longer pushes antivirus agents to these machines.*
-3. Author your policies for the protection capabilities in Microsoft Defender for Endpoint and target those to the machine in the tool of your choice.
-4. Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 and 2016 package and **enable passive mode**. See [Install Microsoft Defender Antivirus using command line](configure-server-endpoints.md#install-microsoft-defender-for-endpoint-using-the-command-line).
-   a. Apply the onboarding script **for use with Group Policy** downloaded from [Microsoft Defender XDR](https://security.microsoft.com).
-5. Apply updates.
-6. Remove your non-Microsoft antivirus software by either using the non-Microsoft antivirus console or by using Microsoft Endpoint Configuration Manager as
-appropriate. Make sure to remove passive mode configuration.*
 
-> [!TIP]
-> You can use the [installer-script](server-migration.md#installer script) as part of your application to automate the above steps. To enable passive mode, apply the -Passive flag. For example, .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive
+2. Ensure your non-Microsoft antivirus management solution no longer pushes antivirus agents to these machines.
 
-*These steps only apply if you intend to replace your non-Microsoft antivirus solution. See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md).
+3. Author your policies for the protection capabilities in Defender for Endpoint and target those to the machine in the tool of your choice.
+
+4. Install the Defender for Endpoint package for Windows Server 2012 R2 and Windows Server 2016, and set it to passive mode. 
+
+   See [Install Microsoft Defender Antivirus using command line](configure-server-endpoints.md#install-defender-for-endpoint-using-the-command-line).
+
+5. Apply the onboarding script **for use with Group Policy** downloaded from the [Microsoft Defender portal](https://security.microsoft.com).
+
+6. Apply updates.
 
-To move a machine out of passive mode, set the following key to 0:
+7. Remove your non-Microsoft antivirus software by either using the non-Microsoft antivirus console or by using Configuration Manager as appropriate. Make sure to remove passive mode configuration.
 
-Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-Name: ForceDefenderPassiveMode
-Type: REG_DWORD
-Value: 0
+   To move a machine out of passive mode, set the following key:
 
-## If you are running System Center Endpoint Protection but aren't managing the machine using Microsoft Endpoint Configuration Manager (MECM/ConfigMgr)
+   Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+   Name: `ForceDefenderPassiveMode`
+   Type: `REG_DWORD`
+   Value: `0`
+
+> [!TIP]
+> You can use the [installer-script](server-migration.md#installer script) as part of your application to automate the above steps. To enable passive mode, apply the -Passive flag. For example, `.\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive`.
+
+In the preceding procedure, steps 2 and 7 apply only if you intend to replace your non-Microsoft antivirus solution. See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md).
+
+## If you are running System Center Endpoint Protection but aren't managing the machine using Configuration Manager (MECM/ConfigMgr)
 
 1. Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016) ensuring [prerequisites](configure-server-endpoints.md#prerequisites) have been met.
-2. Create and apply policies using Group Policy, PowerShell, or a 3rd party management solution.
+
+2. Create and apply policies using Group Policy, PowerShell, or a non-Microsoft management solution.
+
 3. Uninstall System Center Endpoint Protection (Windows Server 2012 R2).
+
 4. Install Microsoft Defender for Endpoint (see [Configure server endpoints](configure-server-endpoints.md).)
-5. Apply the onboarding script **for use with Group Policy** downloaded from [Microsoft Defender XDR](https://security.microsoft.com).
+
+5. Apply the onboarding script **for use with Group Policy** downloaded from the [Microsoft Defender portal](https://security.microsoft.com).
+
 6. Apply updates.
 
 > [!TIP]
-> You can use the installer script to automate the above steps.
+> You can use the installer script to automate the steps in the preceding procedure.
 
 ## Microsoft Defender for Cloud scenarios
 
@@ -107,4 +124,5 @@ If you're using Microsoft Defender for Cloud, you can use the automated upgrade
 ## Group Policy configuration
 
 For configuration using Group Policy, ensure you're using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. For reference, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files **for use with Windows 10**.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/switch-to-mde-phase-2.md b/defender-endpoint/switch-to-mde-phase-2.md
@@ -6,7 +6,7 @@ ms.subservice: onboard
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 09/13/2024
+ms.date: 03/17/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -61,7 +61,7 @@ As you're making the switch to Defender for Endpoint, you might need to take cer
 ### Set Microsoft Defender Antivirus to passive mode on Windows Server
 
 > [!TIP]
-> You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).
+> You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-defender-for-endpoint-packages).
 
 1. Open Registry Editor, and then navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
 
@@ -78,7 +78,7 @@ If Microsoft Defender Antivirus features and installation files were previously
 
 ### Are you using Windows Server 2012 R2 or Windows Server 2016?
 
-You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016 using the method described in the previous section. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).
+You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016 using the method described in the previous section. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-defender-for-endpoint-packages).
 
 ## Step 2: Configure Defender for Endpoint Plan 1 or Plan 2
 
