diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 83e94cbd17..7b65dc9ade 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -791,6 +791,12 @@ href: microsoft-defender-endpoint-antivirus-performance-mode.md - name: Compatibility with other security products href: microsoft-defender-antivirus-compatibility.md + - name: Microsoft Defender Antivirus and third-party antivirus solutions without + Defender for Endpoint + href: defender-antivirus-compatibility-without-mde.md + displayName: Microsoft Defender Antivirus and non-Microsoft + antivirus/antimalware solutions, Antivirus protection without Defender for + Endpoint - name: Find malware detection names for Microsoft Defender for Endpoint href: find-defender-malware-name.md diff --git a/defender-endpoint/configure-endpoints-vdi.md b/defender-endpoint/configure-endpoints-vdi.md index 64547e18b6..26fcbff881 100644 --- a/defender-endpoint/configure-endpoints-vdi.md +++ b/defender-endpoint/configure-endpoints-vdi.md @@ -1,11 +1,11 @@ --- title: Onboard non-persistent virtual desktop infrastructure (VDI) devices -description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender for Endpoint service. +description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they're onboarded to Microsoft Defender for Endpoint service. search.appverid: met150 ms.service: defender-endpoint ms.author: deniseb author: denisebmsft -ms.reviewer: pahuijbr +ms.reviewer: pahuijbr; yonghree ms.localizationpriority: medium manager: deniseb audience: ITPro 
@@ -14,19 +14,12 @@ ms.collection: - tier2 ms.custom: admindeeplinkDEFENDER ms.topic: conceptual -ms.date: 09/21/2023 +ms.date: 12/30/2024 ms.subservice: onboard --- # Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR -Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduce cost as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. - -Like any other system in an IT environment, these too should have an Endpoint Detection and Response (EDR) and Antivirus solution to protect against advanced threats and attacks. - - -[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) 
@@ -38,26 +31,26 @@ Like any other system in an IT environment, these too should have an Endpoint De > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configvdi-abovefoldlink) - > [!NOTE] - > **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information see [Onboarding Windows client](onboard-windows-client.md). +Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduces costs, as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. + +Like any other system in an IT environment, VDI devices should have an endpoint detection and response (EDR) and antivirus solution to protect against advanced threats and attacks. + +> [!NOTE] +> **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. 
In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information, see [Onboarding Windows client](onboard-windows-client.md). ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices -Defender for Endpoint supports non-persistent VDI session onboarding. +Defender for Endpoint supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario: -There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario: +- Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint before actual provisioning. -- Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint prior to the actual provisioning. - The device name is typically reused for new sessions. -In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft Defender portal as either single entries for each VDI instance or multiple entries for each device. - -- Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal. +- In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft Defender portal as either single entries for each VDI instance or multiple entries for each device. - > [!NOTE] - > In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. + - Single entry for each VDI instance. 
If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal. In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. -- Multiple entries for each device - one for each VDI instance. + - Multiple entries for each device - one for each VDI instance. > [!IMPORTANT] > If you're deploying non-persistent VDIs through cloning technology, make sure that your internal template VMs are not onboarded to Defender for Endpoint. This recommendation is to avoid cloned VMs from being onboarded with the same senseGuid as your template VMs, which could prevent VMs from showing up as new entries in the Devices list. @@ -72,7 +65,7 @@ The following steps guide you through onboarding VDI devices and highlight steps > [!NOTE] > Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying the installation package first using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work. -1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft Defender portal: +1. Open the VDI configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139). 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**. 
@@ -80,16 +73,16 @@ The following steps guide you through onboarding VDI devices and highlight steps 3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**. - 4. Click **Download package** and save the .zip file. + 4. Select **Download package** and save the file. -2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. +2. Copy the files from the `WindowsDefenderATPOnboardingPackage` folder extracted from the zipped folder into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - 1. If you are implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd. + - If you're implementing multiple entries for each device - one for each session, copy `WindowsDefenderATPOnboardingScript.cmd`. - 2. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. + - If you're implementing a single entry for each device, copy both `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd`. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. 3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** \> **Windows Settings** \> **Scripts** \> **Startup**. 
@@ -98,30 +91,27 @@ The following steps guide you through onboarding VDI devices and highlight steps 4. Depending on the method you'd like to implement, follow the appropriate steps: - - For single entry for each device: - - Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it is triggered automatically. - - - For multiple entries for each device: - - Select the **Scripts** tab, then click **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. + | Method | Steps | + |---|---| + | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it's triggered automatically. | + | Multiple entries for each device | 1. Select the **Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. | -5. Test your solution: +5. Test your solution by following these steps: 1. Create a pool with one device. - 2. Log on to device. + 2. Sign into device. - 3. Log off from device. + 3. Sign out on the device. - 4. Log on to device with another user. + 4. Sign into the device using another account. 5. Depending on the method you'd like to implement, follow the appropriate steps: - - For single entry for each device: Check only one entry in Microsoft Defender portal. - - For multiple entries for each device: Check multiple entries in Microsoft Defender portal. + - For single entry for each device: Check for only one entry in the [Microsoft Defender portal](https://security.microsoft.com). + - For multiple entries for each device: Check multiple entries in the [Microsoft Defender portal](https://security.microsoft.com). -6. Click **Devices list** on the Navigation pane. +6. In the navigation pane, select **Devices list**. 7. Use the search function by entering the device name and select **Device** as search type. 
@@ -130,20 +120,24 @@ The following steps guide you through onboarding VDI devices and highlight steps > [!NOTE] > These instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at [Server migration scenarios in Microsoft Defender for Endpoint](server-migration.md). -The following registry is relevant only when the aim is to achieve a 'Single entry for each device'. +The following registry is relevant only when the aim is to achieve a single entry for each device. -1. Set registry value to: +1. Set the registry value as follows: + + ```console - ```console [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging] "VDI"="NonPersistent" - ``` - or using command line: + ``` + + Or, you can use command line as follows: + + ```console + + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f - ```console - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f - ``` + ``` 2. Follow the [server onboarding process](configure-server-endpoints.md). 
@@ -154,27 +148,32 @@ With the ability to easily deploy updates to VMs running in VDIs, we've shortene If you have onboarded the primary image of your VDI environment (SENSE service is running), then you must offboard and clear some data before putting the image back into production. 1. [Offboard the machine](offboard-machines.md). + 2. Ensure the sensor is stopped by running the following command in a CMD window: ```console + sc query sense + ``` 3. Run the following commands in a CMD window:: ```console + del "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*" /f /s /q REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v 7DC0B629-D7F6-4DB3-9BF7-64D5AAF50F1A /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\48A68F11-7A16-4180-B32C-7F974C7BD783" /f exit + ``` ### Are you using a third party for VDIs? -If you're deploying non-persistent VDIs through VMware instant cloning or similar technologies, make sure that your internal template VMs and replica VMs are not onboarded to Defender for Endpoint. If you onboard devices using the single entry method, instant clones that are provisioned from onboarded VMs might have the same senseGuid, and that can stop a new entry from being listed in the Device Inventory view (in the [Microsoft Defender portal](https://security.microsoft.com), choose **Assets** > **Devices**). +If you're deploying non-persistent VDIs through VMware instant cloning or similar technologies, make sure that your internal template VMs and replica VMs aren't onboarded to Defender for Endpoint. 
If you onboard devices using the single entry method, instant clones that are provisioned from onboarded VMs might have the same senseGuid, and that can stop a new entry from being listed in the Device Inventory view (in the [Microsoft Defender portal](https://security.microsoft.com), choose **Assets** > **Devices**). -If either the primary image, template VM, or replica VM are onboarded to Defender for Endpoint using the single entry method, it will stop Defender from creating entries for new non-persistent VDIs in the Microsoft Defender portal. +If either the primary image, template VM, or replica VM are onboarded to Defender for Endpoint using the single entry method, it stops Defender for Endpoint from creating entries for new non-persistent VDIs in the Microsoft Defender portal. Reach out to your third-party vendors for further assistance. 
@@ -184,73 +183,9 @@ After onboarding devices to the service, it's important to take advantage of the ### Next generation protection configuration -The following configuration settings are recommended: - -#### Cloud Protection Service - -- Turn on cloud-delivered protection: Yes -- Cloud-delivered protection level: Not configured -- Defender Cloud Extended Timeout In Seconds: 20 - -#### Exclusions - -- Please review the FXLogix antivirus exclusion recommendations here: [Prerequisites for FSLogix](/fslogix/overview-prerequisites#file--folder-exclusions). - -#### Real-time Protection - -- Turn on all settings and set to monitor all files - -#### Remediation - -- Number of days to keep quarantined malware: 30 -- Submit samples consent: Send all samples automatically -- Action to take on potentially unwanted apps: Enable -- Actions for detected threats: - - Low threat: Clean - - Moderate threat, High threat, Severe threat: Quarantine - -#### Scan - -- Scan archived files: Yes -- Use low CPU priority for scheduled scans: Not configured -- Disable catch-up full scan: Not configured -- Disable catchup quick scan: Not configured -- CPU usage limit per scan: 50 -- Scan mapped network drives during full scan: Not configured -- Run daily quick scan at: 12 PM -- Scan type: Not configured -- Day of week to run scheduled scan: Not configured -- Time of day to run a scheduled scan: Not configured -- Check for signature updates before running scan: Yes - -#### Updates - -- Enter how often to check for security intelligence updates: 8 -- Leave other settings in default state - -#### User experience - -- Allow user access to Microsoft Defender app: Not configured - -#### Enable Tamper protection - -- Enable tamper protection to prevent Microsoft Defender being disabled: Enable - -#### Attack surface reduction - -- Enable network protection: Test mode -- Require SmartScreen for Microsoft Edge: Yes -- Block malicious site access: Yes -- Block unverified file download: Yes - -#### 
Attack surface reduction rules - -- Configure all available rules to Audit. - -> [!NOTE] -> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. +The configuration settings in this link are recommended: [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). -## Related topics +## Related articles - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows devices using Microsoft Configuration Manager](configure-endpoints-sccm.md) diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md new file mode 100644 index 0000000000..df7cde5905 --- /dev/null +++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md 
@@ -0,0 +1,115 @@ +--- +title: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint +description: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint +author: denisebmsft +ms.author: deniseb +ms.reviewer: yongrhee +ms.service: defender-endpoint +ms.topic: conceptual +ms.date: 12/30/2024 +ms.subservice: ngp +search.appverid: met150 +ms.localizationpriority: medium + +--- + +# Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint + +**Applies to**: + +- [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) +- Microsoft Defender Antivirus + +This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint. + +Microsoft Defender Antivirus doesn't run in passive mode on devices that aren't onboarded to Defender for Endpoint. 
+ +The following table summarizes what to expect: + +| Windows version |Primary antivirus/antimalware solution|Microsoft Defender Antivirus state| +| -------- | -------- | -------- | +|Windows 11 and Windows 10 |Microsoft Defender Antivirus|Active mode| +|Windows 11 and Windows 10|A non-Microsoft antivirus solution|Disabled mode (happens automatically).| +|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016|Microsoft Defender Antivirus|Active mode| +|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016|A non-Microsoft antivirus solution|Disabled (set manually; see the note that follows this table)| + +> [!NOTE] +> On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See **[Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](/defender-endpoint/enable-update-mdav-to-latest-ws)**. 
+ +Check the services and filter drivers for Microsoft Defender Antivirus by using the following command: + +```powershell + +gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name, StartType, Status + +``` + +|Display Name|Name|StartType|Status when Microsoft Defender Antivirus is enabled| Status when Microsoft Defender Antivirus is disabled| Comments | +| -------- | -------- | -------- | -------- | -------- | -------- | +|Microsoft Defender Antivirus Boot Driver |`WdBoot`|Boot |Stopped (`0x0 Boot_start`)| Stopped (`0x3 Demand_start`)|It's normal to be stopped after boot. | +|Microsoft Defender Antivirus Mini-Filter Driver|`WdFilter`|Manual |Running (`0x0 Boot_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Network Inspection System Driver |`WdNisDrv`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Network Inspection Service |`WdNisSvc`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. | +|Microsoft Defender Antivirus Service|`WinDefend`|Automatic|Running (`0x2 Auto_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped.| + +### Frequently Asked Questions (FAQ) + +Q: Can I update Microsoft Defender Antivirus components such as "Security intelligence update" or "Engine update" "Platform update" when Microsoft Defender Antivirus is disabled? + +A: No. When Microsoft Defender Antivirus is disabled, since the services and drivers aren't running, you won't be able to update the components such as "Security intelligence update" or "Engine update" "Platform update". 
+ +> [!TIP] +> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus goes into passive mode automatically on Windows clients, and can be set to passive mode using a registry key on Windows Server. You can update the different components of Microsoft Defender Antivirus. + +Q: Can I manually change the start type of the services and drivers for Microsoft Defender Antivirus? + +A: We don't support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by registering your non-Microsoft antivirus in Windows Security (WSC) API. Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator): + +```powershell + +Uninstall-WindowsFeature Windows-Defender + +``` + +Q: Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint? + +A: No. Passive mode is functionality in Microsoft Defender for Endpoint Plan 2. + +Q: Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Microsoft Defender for Endpoint? + +A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint Plan 2. + +Q: Can I use indicators, such as file hashes, IP addresses, URLs, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license? + +A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1). 
+ +## See also + +- [Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus](/defender-endpoint/mde-security-settings-management) + +- [Microsoft Intune securely manages identities, manages apps, and manages devices](/mem/intune/fundamentals/what-is-intune) + + - [Defender CSP](/windows/client-management/mdm/defender-csp) + + - [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender) + +- [How to create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies) + +- [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/defender-endpoint/use-group-policy-microsoft-defender-antivirus) + +- [Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) + +- [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](/defender-endpoint/defender-endpoint-false-positives-negatives) + +- [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings) + +- [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows) + +- [Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus) + +> [!TIP] +> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: **[Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP)**. + diff --git a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md index 848656da72..db62cd2141 100644 --- a/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md 
+++ b/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md @@ -2,7 +2,7 @@ title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment. ms.localizationpriority: medium -ms.date: 10/28/2024 +ms.date: 12/30/2024 ms.topic: conceptual author: denisebmsft ms.author: deniseb 
@@ -31,19 +31,16 @@ search.appverid: met150 - Windows -This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), also go through [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md). +This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md). -You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Following the guidance in this article, you can configure updates to download directly to your RDS or VDI environments when a user signs in. +You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Using the guidance in this article, you can configure updates to download directly to your RDS or VDI environments whenever a user signs in. 
This guide describes how to configure Microsoft Defender Antivirus on your VMs for optimal protection and performance, including how to: - [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share-for-security-intelligence) -- [Randomize scheduled scans](#randomize-scheduled-scans) -- [Use quick scans](#use-quick-scans) -- [Prevent notifications](#prevent-notifications) -- [Disable scans from occurring after every update](#disable-scans-after-an-update) -- [Scan out-of-date machines or machines that were offline for a while](#scan-vms-that-have-been-offline) -- [Apply exclusions](#exclusions) +- [Download and unpackage the latest updates](#download-and-unpackage-the-latest-updates) +- [Configure Microsoft Defender Antivirus settings](#microsoft-defender-antivirus-configuration-settings) +- [Run the Windows Defender Cache Maintenance scheduled task](#run-the-windows-defender-cache-maintenance-scheduled-task) > [!IMPORTANT] > Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016, virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. 
@@ -60,11 +57,9 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen 3. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. +4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. - A field automatically appears. - -5. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +5. In the field, type `\\\wdav-update`. (For help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates).) 6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test. 
@@ -72,15 +67,16 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen 1. On each RDS or VDI device, use the following cmdlet to enable the feature: - `Set-MpPreference -SharedSignaturesPath \\\wdav-update` + `Set-MpPreference -SharedSignaturesPath \\\wdav-update` 2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We've created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). +Now you can get started on downloading and installing new updates. This section contains a sample PowerShell script that you can use. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task. Or, if you're familiar with using PowerShell scripts in Azure, Intune, or Configuration Manager, you could use those scripts instead. ```PowerShell + $vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-" $vdmpathtime = Get-Date -format "yMMddHHmmss" $vdmpath = $vdmpathbase + $vdmpathtime + '}' 
@@ -91,6 +87,7 @@ New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x" + ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs receive the new update. We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact. @@ -116,7 +113,7 @@ You can also set up your single server or machine to fetch the updates on behalf > [!NOTE] > An NTFS permission is added for **Authenticated Users:Read:**. - For this example, the file share is `\\WindowsFileServer.fqdn\mdatp$\wdav-update`. + For this example, the file share is `\\FileServer.fqdn\mdatp$\wdav-update`. ### Set a scheduled task to run the PowerShell script 
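Review bot: the download script executes the freshly fetched package (`Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x"`) straight after `Invoke-WebRequest` with no signature check and no `-Wait`; because this package is what every VM then trusts as security intelligence, gate execution on `(Get-AuthenticodeSignature $vdmpackage).Status -eq 'Valid'` (and the expected Microsoft signer), and add `-Wait` so the scheduled task does not report success while `/x` extraction is still running and VMs see a half-written GUID folder. Two smaller points in the same region: the `-`/`+` pair for `Set-MpPreference -SharedSignaturesPath \\\wdav-update` read identically, so if this is a whitespace-only change it deserves a mention in the commit message or should be dropped; and `Get-Date -format "yMMddHHmmss"` depends on the single `y` yielding a two-digit year so that the timestamp fills the 12-digit final group of the `{00000000-0000-0000-0000-...}` folder name, which a one-line comment should state so nobody later "corrects" it to `yyyy`. The rename to `\\FileServer.fqdn\mdatp$\wdav-update` should also be checked against any other occurrences of the old `WindowsFileServer.fqdn` name outside this hunk.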
@@ -158,102 +155,171 @@ If you would prefer to do everything manually, here's what to do to replicate th > [!NOTE] > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. -## Randomize scheduled scans +## Microsoft Defender Antivirus configuration settings -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). +It's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.  It's optimized for VDI environments. -The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization causes Microsoft Defender Antivirus to start a scan on each machine within a four-hour window from the time set for the scheduled scan. +> [!TIP] +> The latest Windows group policy administrative templates are available in [Create and manage Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). -See [Schedule scans](schedule-antivirus-scans.md) for other configuration options available for scheduled scans. +### Root -## Use quick scans +- Configure detection for potentially unwanted applications: `Enabled - Block` -You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they're designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. +- Configure local administrator merge behavior for lists: `Disabled` -1. In your Group Policy Editor, go to **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**. 
+- Control whether or not exclusions are visible to Local Admins: `Enabled` -2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. +- Turn off routine remediation: `Disabled` -3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. +- Randomize scheduled scans: `Enabled` -4. Select **OK**. +### Client Interface -5. Deploy your Group Policy object as you usually do. +- Enable headless UI mode: `Enabled` -## Prevent notifications + > [!NOTE] + > This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. -Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications using Group Policy. +- Suppress all notifications: `Enabled` -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**. +> [!NOTE] +> Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. +> Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com). -2. Select **Suppress all notifications** and then edit the policy settings. +### MAPS -3. Set the policy to **Enabled**, and then select **OK**. +- Join Microsoft MAPS (Turn on cloud-delivered protection): `Enabled - Advanced MAPS` -4. Deploy your Group Policy object as you usually do. 
+- Send file samples when further analysis is required: `Send all samples (more secure)` or `Send safe sample (less secure)` -Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com). +### MPEngine -## Disable scans after an update +- Configure extended cloud check: `20` -Disabling a scan after an update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +- Select cloud protection level: `Enabled - High` -> [!IMPORTANT] -> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. +- Enable file hash computation feature: `Enabled` -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. +> [!NOTE] +> "Enable file hash computation feature" is only needed if using Indicators – File hash.  It can cause higher amount of CPU utilization, since it has to parse thru each binary on disk to get the file hash. -2. Select **Turn on scan after security intelligence update** and then edit the policy setting. +### Real-time protection -3. Set the policy to **Disabled**. +- Configure monitoring for incoming and outgoing file and program activity: `Enabled – bi-directional (full on-access)` -4. Select **OK**. 
+- Monitor file and program activity on your computer: `Enabled` -5. Deploy your Group Policy object as you usually do. +- Scan all downloaded files and attachments: `Enabled` -This policy prevents a scan from running immediately after an update. +- Turn on behavior monitoring: `Enabled` -## Disable the `ScanOnlyIfIdle` option +- Turn on process scanning whenever real-time protection is enabled: `Enabled` -Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. +- Turn on raw volume write notifications: `Enabled` -```PowerShell -Set-MpPreference -ScanOnlyIfIdleEnabled $false -``` +### Scans + +- Check for the latest virus and spyware security intelligence before running a scheduled scan: `Enabled` + +- Scan archive files: `Enabled` + +- Scan network files: `Not configured` + +- Scan packed executables: `Enabled` + +- Scan removable drives: `Enabled` + +- Turn on catch-up full scan (Disable catch-up full scan): `Not configured` + +- Turn on catch-up quick scan (Disable catchup quick scan): `Not configured` + + > [!NOTE] + > If you want to harden, you could change "Turn on catch-up quick scan" to enabled, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans.  But since it is running a scheduled scan, it will use additional CPU. + +- Turn on e-mail scanning: `Enabled` + +- Turn on heuristics: `Enabled` + +- Turn on reparse point scanning: `Enabled` + +#### General scheduled scan settings + +- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): `Not configured` + +- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): `50` -You can also disable the `ScanOnlyIfIdle` option in Microsoft Defender Antivirus by configuration via local or domain group policy. This setting prevents significant CPU contention in high density environments. 
+- Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): `Not configured` -For more information, see [Start the scheduled scan only when computer is on but not in use](https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::scan_scanonlyifidle). +- Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode. -## Scan VMs that have been offline + ```powershell -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**. + Set-MpPreference -ScanOnlyIfIdleEnabled $false -2. Select **Turn on catch-up quick scan** and then edit the policy setting. + ``` + +> [!TIP] +> The setting, "Start the scheduled scan only when computer is on but not in use" prevents significant CPU contention in high-density environments. + +#### Daily quick scan + +- Specify the interval to run quick scans per day: `Not configured` + +- Specify the time for a daily quick scan (Run daily quick scan at): `12 PM` + +#### Run a weekly scheduled scan (quick or full) + +- Specify the scan type to use for a scheduled scan (Scan type): `Not configured` + +- Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): `Not configured` + +- Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): `Not configured` + +### Security Intelligence Updates + +- Turn on scan after security intelligence update (Disable scans after an update): `Disabled` -3. Set the policy to **Enabled**. + > [!NOTE] + > Disabling a scan after a security intelligence update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). 
+ + > [!IMPORTANT] + > Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image. + +- Specify the interval to check for security intelligence updates (Enter how often to check for security intelligence updates): `Enabled - 8` + +- Leave other settings in their default state + +### Threats + +- Specify threat alert levels at which default action shouldn't be taken when detected: `Enabled` -4. Select **OK**. +- Set `Severe (5)`, `High (4)`, `Medium (2)`, and `Low (1)` all to `Quarantine (2)`, as shown in the following table: -5. Deploy your Group Policy Object as you usually do. + |Value name|Value | + | -------- | -------- | + |`1` (Low) |`2` | + |`2` (Medium) |`2`| + |`4` (High) |`2`| + |`5` (Severe) |`2`| -This policy forces a scan if the VM missed two or more consecutive scheduled scans. +### Attack surface reduction rules -## Enable headless UI mode +Configure all available rules to `Audit`. -1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**. +### Enable network protection -2. Select **Enable headless UI mode** and edit the policy. +Prevent users and apps from accessing dangerous websites (Enable network protection): `Enabled - Audit mode`. -3. Set the policy to **Enabled**. +### SmartScreen for Microsoft Edge -4. Select **OK**. +- Require SmartScreen for Microsoft Edge: `Yes` -5. Deploy your Group Policy Object as you usually do. +- Block malicious site access: `Yes` -This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. 
+- Block unverified file download: `Yes` -## Run the "Windows Defender Cache Maintenance" scheduled task +## Run the Windows Defender Cache Maintenance scheduled task Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persistent and/or persistent VDI environments. Run this task on the main image before sealing. @@ -263,10 +329,21 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist 3. Select **Run**, and let the scheduled task finish. -## Exclusions + > [!WARNING] + > If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs. + +### Enable tamper protection + +Enable tamper protection to prevent Microsoft Defender Antivirus from being disabled in the [Microsoft Defender portal](https://security.microsoft.com). + +### Exclusions If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). +## Next step + +If you're also deploying [endpoint detection and response](overview-endpoint-detection-response.md) (EDR) to your Windows-based VDI VMs, see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi). + ## See also - [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md index 061568f765..7b5a2a27d7 100644 --- a/defender-endpoint/indicator-file.md +++ b/defender-endpoint/indicator-file.md 
@@ -6,7 +6,7 @@ ms.service: defender-endpoint ms.author: deniseb author: denisebmsft ms.localizationpriority: medium -ms.date: 10/17/2024 +ms.date: 12/30/2024 manager: deniseb audience: ITPro ms.collection: @@ -47,8 +47,6 @@ There are three ways you can create indicators for files: - By creating a contextual indicator using the add indicator button from the file details page - By creating an indicator through the [Indicator API](api/ti-indicator.md) - - ## Before you begin Understand the following prerequisites before you create indicators for files: @@ -64,6 +62,7 @@ Understand the following prerequisites before you create indicators for files: ### Windows prerequisites - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) + - The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases) - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022. 
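Review bot: the new prerequisite `The Antimalware client version must be 4.18.1901.x or later` is indented under the "Microsoft Defender Antivirus (in active mode)" bullet, so it renders as a sub-condition of active mode rather than a requirement in its own right; promote it to its own bullet and say which of the two version series on the linked "Monthly platform and engine versions" page it refers to, since that page lists platform and engine numbers separately. The other two hunks here (the `ms.date` bump and the removed blank lines) are fine.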
@@ -77,11 +76,13 @@ Understand the following prerequisites before you create indicators for files: - [File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled` -### linux prerequisites +### Linux prerequisites - Available in Defender for Endpoint version 101.85.27 or later. -- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) from the portal or in the managed JSON +- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON + +- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom). ## Create an indicator for files from the settings page @@ -94,7 +95,9 @@ Understand the following prerequisites before you create indicators for files: 4. Specify the following details: - Indicator: Specify the entity details and define the expiration of the indicator. + - Action: Specify the action to be taken and provide a description. + - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)). > [!NOTE] 
@@ -138,7 +141,7 @@ The current supported actions for file IOC are allow, audit and block, and remed > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp). > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature). -> ## Advanced hunting capabilities (preview) +## Advanced hunting capabilities (preview) > [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
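Review bot: in the `@@ -158` hunk of the VDI antivirus page, the `ScanOnlyIfIdle` guidance contradicts itself: the setting is listed as `Not configured`, the next bullet gives `Set-MpPreference -ScanOnlyIfIdleEnabled $false` (which lets scheduled scans start whether or not the machine is idle), and the TIP that follows says the setting "prevents significant CPU contention in high-density environments", whereas the removed text said that disabling it does. Decide which state is recommended and state it once, and rewrite the sentence "to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode", which does not describe what that cmdlet does. Three more fixes in the same hunk: the two weekly-scan bullets have their parentheticals swapped (`Specify the time of day to run a scheduled scan (Day of week to run scheduled scan)` and `Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan)`); `Enable file hash computation feature: Enabled` sits beside a NOTE saying it is only needed for file-hash indicators and raises CPU use, so on a page about VDI performance it should be conditional or `Not configured` by default; and the explanation of what `Randomize scheduled scans: Enabled` does (the four-hour start window around ScheduleDay, ScheduleTime and ScheduleQuickScanTime) was deleted with the old section, leaving a bare setting name next to a fixed `12 PM` daily quick scan with nothing telling the reader why hundreds of VMs will not all start scanning at once. Finally, `Configure all available rules to Audit` and network protection in `Enabled - Audit mode` only log; if this is meant as a starting baseline rather than the "optimal protection" the intro promises, say so and point to moving to block mode after review.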
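Review bot: in the `@@ -263` hunk of the VDI antivirus page, `### Enable tamper protection` and `### Exclusions` are added as H3 under `## Run the Windows Defender Cache Maintenance scheduled task`, but neither is part of that task (Exclusions was an H2 before this change); restore them as H2 or move tamper protection into the configuration settings list above. The new WARNING `If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs` should name the step it refers to (running the task on the main image before sealing), and the tamper protection sentence should say at which scope the portal setting takes effect, since nothing on the page ties that toggle to the VDI VMs specifically.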
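Review bot: in the `@@ -77` hunk of indicator-file.md, the new Linux bullet `Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom)` is unclear: "this" has no referent (presumably file indicator enforcement), "Custom" is not defined anywhere on the page, and "preferred" does not say whether behavior monitoring must be enabled for the indicator to be evaluated at all or only changes when the file hash gets computed. Spell out the subject and the scan types, and expand RTP as real-time protection on first use, matching the style of the macOS bullet above it. The `### linux` to `### Linux` fix and the portal wording change are fine.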