Merge branch 'main' into poliveria-custom-functions-11202025

Author: poliveria

defender-endpoint/api/run-live-response.md

@@ -69,7 +69,7 @@ Runs a sequence of live response commands on a device
 
 - 25 concurrently running sessions (requests exceeding the throttling limit receives a "429 - Too many requests" response).
 
-- If the machine isn't available, the session is queued for up to three days.
+- If the machine isn't available, the session is queued for up to 2 hours.
 
 - RunScript command time-outs after 10 minutes.
 

defender-endpoint/autoir-investigation-results.md

@@ -20,22 +20,18 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
-ms.date: 04/04/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # View the details and results of an automated investigation
 
-
 With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
 
-## (NEW!) Unified investigation page
-
-The investigation page is updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)  and [Microsoft Defender for Office 365](/defender-office-365/mdo-about).
+## Unified investigation page
 
-> [!TIP]
-> To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
+The unified investigation page includes information across your devices, email, and collaboration content. It defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about). For more information, see [Details and results of an automated investigation](/defender-xdr/m365d-autoir-results).
 
 ## Open the investigation details view
 
@@ -69,9 +65,7 @@ Use an incident details page to view detailed information about an incident, inc
 
 ## Investigation details
 
-Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image:
-
-In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
+Use the investigation details view to see past, current, and pending activity pertaining to an investigation. In the investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
 
 > [!NOTE]
 > - The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription doesn't include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.

defender-endpoint/configure-endpoints-gp.md

@@ -36,7 +36,7 @@ Check out [Identify Defender for Endpoint architecture and deployment method](de
 
 1. Open the GP configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
 
    1. Select the operating system.
 
@@ -179,7 +179,7 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 
 1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management** > **Offboarding**.
 
    1. Select the operating system.
 

defender-endpoint/enable-attack-surface-reduction.md

@@ -345,6 +345,10 @@ Example:
    > Don't use quotes as they aren't supported for either the **Value name** column or the **Value** column.
    > The rule ID shouldn't have any leading or trailing spaces.
 
+> [!NOTE]
+> Microsoft rebranded Windows Defender Antivirus to Microsoft Defender Antivirus beginning with Windows 10 version 20H1.
+> Group Policy paths on earlier Windows versions may still reference Windows Defender Antivirus, while newer builds show Microsoft Defender Antivirus. Both names refer to the same policy location.
+
 ### PowerShell
 
 > [!WARNING]

defender-endpoint/linux-install-with-defender-deployment-tool.md

@@ -95,21 +95,21 @@ The Defender deployment tool enforces the following set of prerequisites checks,
 
    :::image type="content" source="./media/linux-install-with-defender-deployment-tool/deployment-tool-help.png" alt-text="Screenshot showing the help command output." lightbox="./media/linux-install-with-defender-deployment-tool/deployment-tool-help.png":::
 
-The following table provides examples of commands for useful scenarios.
-
-| **Scenario** | **Command** |
-|:-------------|:------------|
-| Check for unmet non-blocking prerequisites | `sudo ./defender_deployment_tool.sh --pre-req-non-blocking` |
-| Run the connectivity test | `sudo ./defender_deployment_tool.sh --connectivity-test` |
-| Deploy to a custom location | `sudo ./defender_deployment_tool.sh --install-path /usr/microsoft/` |
-| Deploy from the insider-slow channel | `sudo ./defender_deployment_tool.sh --channel insiders-slow` |
-| Deploy using a proxy | `sudo ./defender_deployment_tool.sh --http-proxy <http://username:password@proxy_host:proxy_port>` |
-| Deploy a specific agent version | `sudo ./defender_deployment_tool.sh --mdatp 101.25042.0003 --channel prod` |
-| Upgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --upgrade --mdatp 101.24082.0004` |
-| Downgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --downgrade --mdatp 101.24082.0004` |
-| Uninstall Defender | `sudo ./defender_deployment_tool.sh --remove` |
-| Only onboard if Defender is already installed | `sudo ./defender_deployment_tool.sh --only-onboard` |
-| Offboard Defender | `sudo ./defender_deployment_tool.sh --offboard MicrosoftDefenderATPOffboardingLinuxServer.py`<br>*(Note: The latest offboarding file can be downloaded from the Microsoft Defender portal)* |
+   The following table provides examples of commands for useful scenarios.
+    
+   | **Scenario** | **Command** |
+   |:-------------|:------------|
+   | Check for unmet non-blocking prerequisites | `sudo ./defender_deployment_tool.sh --pre-req-non-blocking` |
+   | Run the connectivity test | `sudo ./defender_deployment_tool.sh --connectivity-test` |
+   | Deploy to a custom location | `sudo ./defender_deployment_tool.sh --install-path /usr/microsoft/` |
+   | Deploy from the insider-slow channel | `sudo ./defender_deployment_tool.sh --channel insiders-slow` |
+   | Deploy using a proxy | `sudo ./defender_deployment_tool.sh --http-proxy <http://username:password@proxy_host:proxy_port>` |
+   | Deploy a specific agent version | `sudo ./defender_deployment_tool.sh --mdatp 101.25042.0003 --channel prod` |
+   | Upgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --upgrade --mdatp 101.24082.0004` |
+   | Downgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --downgrade --mdatp 101.24082.0004` |
+   | Uninstall Defender | `sudo ./defender_deployment_tool.sh --remove` |
+   | Only onboard if Defender is already installed | `sudo ./defender_deployment_tool.sh --only-onboard` |
+   | Offboard Defender | `sudo ./defender_deployment_tool.sh --offboard MicrosoftDefenderATPOffboardingLinuxServer.py`<br>*(Note: The latest offboarding file can be downloaded from the Microsoft Defender portal)* |
 
 ## Verify deployment status
 
@@ -204,11 +204,11 @@ Defender for Endpoint on Linux can be deployed from one of the following channel
 - insiders-slow
 - prod (production)
 
-Each of these channels corresponds to a Linux software repository. The channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first to receive updates and new features, followed later by insiders-slow and lastly by prod.
+Each of these channels corresponds to a Linux software repository. The channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first to receive updates and new features, followed later by insiders-slow and lastly by prod.
 
 By default, the deployment tool configures your device to use the prod channel. You can use the configuration options described in this document to deploy from a different channel.
 
-To preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow. If you've already deployed Defender for Endpoint on Linux from a channel and want to switch to a different channel (from prod to insiders-fast, for example), you must first remove the current channel, then delete the current channel repo, and then finally install Defender from the new channel, as illustrated in the following example, where the channel is changed from insiders-fast to prod:
+To preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow. If you've already deployed Defender for Endpoint on Linux from a channel and want to switch to a different channel (from prod to insiders-fast, for example), you must first remove the current channel, then delete the current channel repo, and then finally install Defender from the new channel, as illustrated in the following example, where the channel is changed from insiders-fast to prod:
 
 1. Remove the insiders-fast channel version of Defender for Endpoint on Linux..
 
@@ -225,7 +225,7 @@ To preview new features and provide early feedback, it's recommended that you co
 1. Install Microsoft Defender for Endpoint on Linux using the production channel.
 
    ```bash
-   sudo ./defender_deployment_tool.sh --install --channel prod
+   sudo ./defender_deployment_tool.sh --channel prod
    ```
 
 ## Related content

defender-endpoint/media/atp-time-zone-menu.png

@@ -37,7 +37,7 @@ If you're onboarding devices in the Microsoft Defender portal, follow these step
 
 1. Make sure to review the [Minimum requirements for Defender for Endpoint](minimum-requirements.md).
 
-2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
+2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
 
    :::image type="content" source="media/mde-device-onboarding-ui.png" alt-text="Screenshot showing device onboarding in the Microsoft Defender portal for Defender for Endpoint.":::
 

defender-endpoint/media/atp-time-zone.png

@@ -23,7 +23,7 @@ appliesto:
 # Configure general Defender for Endpoint settings
 
 
-Use the **Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+Use the **System > Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
 
 ## In this section
 

defender-endpoint/onboarding.md

@@ -1,9 +1,9 @@
 ---
 title: Microsoft Defender XDR time zone settings
-description: Use the info contained here to configure the Microsoft Defender XDR time zone settings and view license information.
+description: Use the info contained here to configure the Microsoft Defender XDR time zone settings.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: article
 ms.subservice: reference
 search.appverid: met150
-ms.date: 05/05/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -22,9 +22,7 @@ appliesto:
 # Microsoft Defender XDR time zone settings
 
 
-This article describes time zone settings and options. You can use **Time zone** menu to configure the time zone and view license information.
-
-:::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-1" lightbox="media/atp-time-zone.png":::
+This article describes how to configure time zone settings and options.
 
 > [!NOTE]
 > Changing the time zone setting in the [Microsoft Defender portal](https://security.microsoft.com) only affects how times are displayed. It doesn't affect the actual scheduling of operations, such as antivirus scans, which continue to follow the local system time or UTC settings, depending on how they're configured.
@@ -33,10 +31,6 @@ This article describes time zone settings and options. You can use **Time zone**
 
 The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It's important that your system reflects the correct time zone settings. Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
 
-Your current time zone setting is shown in the **Timezone** menu in the Microsoft Defender portal.
-
-:::image type="content" source="media/atp-time-zone-menu.png" alt-text="The Time zone settings-2" lightbox="media/atp-time-zone-menu.png":::
-
 ### UTC time zone
 
 Defender for Endpoint uses UTC time by default. Keeping this time zone displays all system timestamps (alerts, events, and others) in UTC for all users. This configuration can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
@@ -55,13 +49,9 @@ The Defender for Endpoint time zone is set by default to UTC. Setting the time z
 
 To set the time zone:
 
-1. Select the **Time zone** menu.
-
-   :::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="media/atp-time-zone.png":::
-
-2. Select the **Timezone UTC** indicator.
+1. In the Microsoft Defender portal, go to **System** > **Settings** > **Microsoft Defender portal** > **Time zone**.
 
-3. Select **Timezone UTC** or your local time zone, for example `-7:00`.
+1. In the **Time zone** drop down menu, select either UTC or your local time zone.
 
 ### Regional settings