Merge branch 'main' into mde-video-updates

emmwalshh · web-flow · commit dfa530cc6e0e · 2025-04-01T11:46:08.000+01:00
diff --git a/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-ngp
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 04/01/2025
 ---
 
 # Detect and block potentially unwanted applications
@@ -106,6 +106,12 @@ You can enable PUA protection with Microsoft Defender for Endpoint Security Sett
 
 At first, try using PUA protection in audit mode. It detects potentially unwanted applications without actually blocking them. Detections are captured in the Windows Event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and it's important to avoid false positives.
 
+| Operating systems |Potentially Unwanted Protection (PUA) by default is set to:|
+| -------- | -------- |
+|Windows 11, Windows 10, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016|Audit mode (2)|
+|Windows 11, Windows 10 + Microsoft Defender for Endpoint Plan 1 or Microsoft Defender for Endpoint Plan 2 or Microsoft Endpoint for Business|Block mode (1)|
+|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 with the unified Microsoft Defender for Endpoint client + Microsoft Defender for Servers Plan 1 or Microsoft Defender for Servers Plan 2 or Microsoft Defender for Endpoint for servers|Block mode (1)   |
+
 ### Use Microsoft Defender for Endpoint Security Settings Management to configure PUA protection
 
 See the following articles:
@@ -156,7 +162,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
 Set-MpPreference -PUAProtection Enabled
 ```
 
-Setting the value for this cmdlet to `Enabled` turns on the feature if it is disabled.
+Setting the value for this cmdlet to `Enabled` turns on the feature if it's disabled.
 
 #### To set PUA protection to audit mode
 
@@ -186,8 +192,8 @@ get-mpPreference | ft PUAProtection
 |Value | Description|
 | -------- | -------- |
 | `0` | PUA Protection off (Default).  Microsoft Defender Antivirus won't protect against potentially unwanted applications.  |
-| `1` | PUA Protection on. Detected items are blocked. They will show in history along with other threats.|
-| `2` | Audit mode. Microsoft Defender Antivirus will detect potentially unwanted applications but take no action. You can review information about the applications Windows Defender would've taken action against by searching for events created by Windows Defender in the Event Viewer.|
+| `1` | PUA Protection on. Detected items are blocked. They'll show in history along with other threats.|
+| `2` | Audit mode. Microsoft Defender Antivirus detects potentially unwanted applications but take no action. You can review information about the applications Windows Defender would've taken action against by searching for events created by Windows Defender in the Event Viewer.|
 
 For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/index).
 
diff --git a/defender-endpoint/troubleshoot-asr.md b/defender-endpoint/troubleshoot-asr.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: emmwalshh
 ms.author: ewalsh
-ms.date: 03/11/2025
+ms.date: 04/01/2025
 ms.reviewer:
 manager: deniseb
 ms.custom: asr
@@ -136,6 +136,23 @@ Use the [Microsoft Security Intelligence web-based submission form](https://www.
 
 When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues.
 
+### Using the MDE Client Analyzer
+
+1. Download the [MDE Client Analyzer](/defender-endpoint/overview-client-analyzer).
+
+2. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+
+   > [!TIP]
+   > Ensure that log collection takes place during the reproduction attempt. Also, close any applications that aren't essential to reproducing the issue.
+
+3. Run the MDE Client Analyzer with the `-v` switches:
+
+   ```powershell
+   C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd -v
+   ```
+
+### Manual process
+
 1. Open Command Prompt as an administrator and open the Windows Defender directory:
 
    ```console
diff --git a/defender-xdr/compare-rbac-roles.md b/defender-xdr/compare-rbac-roles.md
@@ -138,7 +138,7 @@ You configured protection-related Exchange Online permissions in the Exchange ad
 
 |Defender for Cloud Apps permission|Defender XDR Unified RBAC permission|
 |---|-----|
-|Local Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Security operations \ Security data \ Response (manage)</br>Security operations \ Posture management \ Secure Score (read)</br>Security operations \ Posture management \ Secure Score (manage)</br>Authorization and settings \ Authorization (all permissions) </br>Authorization and settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (all permissions)|
+|Local Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (all permissions) </br>Authorization and settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (all permissions)|
 |Local Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security setting (all permissions) </br>Authorization and settings \ System setting (read)|
 |Local Security reader|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (read) </br>Authorization and settings \ System settings (read)|
 |Local Compliance administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (read)|
