
Commit b5f0648

committed
Edits for GA of MDE sec config
1 parent f8f7068 commit b5f0648

5 files changed

Lines changed: 44 additions & 8 deletions


memdocs/intune/fundamentals/whats-new.md

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: Erikre
88
ms.author: erikre
99
manager: dougeby
10-
ms.date: 04/29/2022
10+
ms.date: 05/04/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: fundamentals
@@ -60,6 +60,16 @@ You can use RSS to be notified when this page is updated. For more information,
6060
### Scripts
6161
-->
6262

63+
## Week of May 2, 2022
64+
65+
### Device security
66+
67+
#### Security Management with Defender for Endpoint is generally available<!-- 13816763 -->
68+
69+
The Microsoft Endpoint Manager and Microsoft Defender for Endpoint (MDE) team are excited to announce the general availability of Security Management for MDE devices. As part of this general availability, support for *Antivirus*, *Endpoint Detection and Response*, as well as *Firewall* and *Firewall rules* are now generally available. This general availability applies to Windows Server 2012 R2 and Later, as well as Windows 10 and Windows 11 clients. In the future we will be adding support for additional platforms and profiles in a preview capacity.
70+
71+
For more information, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager](../protect/mde-security-integration.md).
72+
6373
## Week of April 25, 2022 (Service release 2204)
6474

6575
### App management
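Review bot: In the new GA announcement paragraph, "Windows Server 2012 R2 and Later" should be "Windows Server 2012 R2 and later", and "The Microsoft Endpoint Manager and Microsoft Defender for Endpoint (MDE) team are excited" reads better as "team is excited". More importantly, the sentence "This general availability applies to Windows Server 2012 R2 and Later, as well as Windows 10 and Windows 11 clients" states the platforms without the edition and update conditions that the prerequisites include file in this same commit attaches to them (Professional/Enterprise, the October 2021 KBs, Microsoft Defender for Down-Level Devices on Server 2012 R2 and 2016); since the only link in the entry goes to the overview article, consider pointing readers at the supported platforms section as well so the announcement and the prerequisites list do not read as contradicting each other.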

memdocs/intune/protect/includes/security-config-mgt-prerequisites.md

Lines changed: 26 additions & 4 deletions
@@ -4,43 +4,57 @@ description: include file
44
author: brenduns
55
ms.service: microsoft-intune
66
ms.author: brenduns
7-
ms.date: 04/20/2022
7+
ms.date: 05/04/2022
88
ms.topic: include
99
---
1010
## Prerequisites
11-
Review the following sections for requirements for the Security Management for Microsoft Defender for Endpoint Scenario:
11+
12+
Review the following sections for requirements for the Security Management for Microsoft Defender for Endpoint Scenario.
13+
1214
### Environment
15+
1316
When a device onboards to Microsoft Defender for Endpoint:
17+
1418
- The device is surveyed for an existing Endpoint Manager presence, which is a mobile device management (MDM) enrollment to Intune
1519
- Devices without an Endpoint Manager presence enable the Security Management feature
1620
- A trust is created with Azure Active Directory if one doesn't already exist
1721
- Azure Active Directory trust is used to communicate with Endpoint Manager (Intune) and retrieve policies
1822
- Policy retrieve from Endpoint Manager is enforced on the device by Microsoft Defender for Endpoint
23+
1924
### Active Directory requirements
25+
2026
When a device that is domain joined creates a trust with Azure Active Directory, this scenario is referred to as a *Hybrid Azure Active Directory Join* scenario. The Security Management for Microsoft Defender for Endpoint fully supports this scenario with the following requirements:
27+
2128
- Azure Active Directory Connect (AAD Connect) must be synchronized to the tenant that is used from Microsoft Defender for Endpoint
2229
- Hybrid Azure Active Directory Join must be configured in your environment (either through Federation or AAD Connect Sync)
2330
- AAD Connect Sync must include the device objects *in scope* for synchronization with Azure Active Directory (when needed for join)
2431
- AAD Connect rules for sync must be modified for Server 2012 R2 (when support for Server 2012 R2 is needed)
25-
- All devices must register in the Azure Active Directory of the tenant that hosts Microsoft Defender for Endpoint. Cross-tenant scenarios are not supported.
32+
- All devices must register in the Azure Active Directory of the tenant that hosts Microsoft Defender for Endpoint. Cross-tenant scenarios are not supported
33+
2634
### Connectivity requirements
35+
2736
Devices must have access to the following endpoints:
37+
2838
- `enterpriseregistration.windows.net` - For Azure AD registration.
2939
- `login.microsoftonline.com` - For Azure AD registration.
3040
- `*.dm.microsoft.com` - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
41+
3142
> [!Note]
3243
> If your organization users Secure Socket Layer (SSL) inspection, the endpoints should be excluded from inspection.
3344
3445
### Supported platforms
3546

3647
Policies for Microsoft Defender for Endpoint security management are supported for the following device platforms:
48+
49+
- Windows 11 Professional/Enterprise
3750
- Windows 10 Professional/Enterprise (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541))
3851
- Windows Server 2012 R2 with [Microsoft Defender for Down-Level Devices](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
3952
- Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
4053
- Windows Server 2019 (with [KB5006744](https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0))
4154
- Windows Server 2022 (with [KB5006745](https://support.microsoft.com/topic/october-26-2021-kb5006745-os-build-20348-320-preview-8ff9319a-19e7-40c7-bbd1-cd70fcca066c))
4255

4356
### Licensing and subscriptions
57+
4458
To use security management for Microsoft Defender for Endpoint, you need:
4559

4660
- A subscription that grants licenses for Microsoft Defender for Endpoint, like Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. A subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center.
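Review bot: Two typos in the unchanged context lines of this hunk are worth fixing while the file is being touched: "Policy retrieve from Endpoint Manager is enforced on the device" should be "Policy retrieved from Endpoint Manager is enforced on the device", and the note under Connectivity requirements, "If your organization users Secure Socket Layer (SSL) inspection", should read "If your organization uses Secure Sockets Layer (SSL) inspection" (TLS inspection is the current term). That same note tells readers to exclude "the endpoints" from inspection; because one of the three entries is the wildcard `*.dm.microsoft.com`, it would help to say explicitly that the exclusion should cover exactly these three entries and nothing broader, so the wildcard is not widened into a blanket inspection bypass. Also, "synchronized to the tenant that is used from Microsoft Defender for Endpoint" reads better as "used by Microsoft Defender for Endpoint", and the new lead sentence capitalizes "Scenario" where the rest of the file uses lowercase "scenario".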
@@ -53,12 +67,15 @@ To use security management for Microsoft Defender for Endpoint, you need:
5367
For current information about options, see [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide&preserve-view=true).
5468

5569
## Architecture
70+
5671
The following diagram is a conceptual representation of the Microsoft Defender for Endpoint security configuration management solution.
5772
:::image type="content" alt-text="Conceptual representation of the Microsoft Defender for Endpoint security configuration management solution" source="../media/mde-security-integration/mde-architecture.png":::
73+
5874
1. Devices onboard to Microsoft Defender for Endpoint.
5975
2. A trust is established between each device and Azure AD. When a device has an existing trust, that is used. When devices haven't registered, a new trust is created.
6076
3. Devices use their Azure AD Identity to communicate with Endpoint Manager. This identity enables Microsoft Endpoint Manager to distribute policies that are targeted to the devices when they check in.
6177
4. Defender for Endpoint reports the status of the policy back to Endpoint Manager.
78+
6279
## Which solution should I use?
6380

6481
Microsoft Endpoint Manager includes several methods and policy types to manage the configuration of Defender for Endpoint on devices.
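Review bot: Step 2 of the Architecture list switches number mid-thought ("When a device has an existing trust, that is used. When devices haven't registered, a new trust is created") and introduces "registered" where the Environment bullets above talk about a trust being created; "When a device hasn't registered with Azure AD, a new trust is created" would keep the terminology consistent. Step 3 also capitalizes "Identity" mid-sentence in "Azure AD Identity".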
@@ -94,6 +111,7 @@ The following table can help you understand which policies that can configure MD
94111
## Configure your tenant to support Microsoft Defender for Endpoint Security Configuration Management
95112

96113
To support Microsoft Defender for Endpoint security configuration management through the Microsoft Endpoint Manager admin center, you must enable communication between them from within each console.
114+
97115
1. Sign in to [Microsoft 365 Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management:
98116
:::image type="content" source="../media/mde-security-integration/enable-mde-settings-management-defender.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft 365 Defender portal.":::
99117
1. Configure Pilot Mode and Configuration Manager authority settings to fit your organization needs:
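Review bot: "to fit your organization needs" in the Pilot Mode step should be "to fit your organization's needs". More substantively, this step names Pilot Mode and the Configuration Manager authority setting without saying what either setting controls, even though the first step has just enabled platforms under Enforcement Scope; a sentence describing what each setting restricts would let readers plan a staged rollout before enforcement is switched on in the Endpoint Manager admin center in the following steps.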
@@ -112,7 +130,7 @@ To support Microsoft Defender for Endpoint security configuration management thr
112130
1. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and set **Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations** to **On**.
113131

114132
:::image type="content" source="../media/mde-security-integration/enable-mde-settings-management-mem.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft Endpoint Manager admin center.":::
115-
133+
116134
When you set this option to *On*, all devices in the platform scope in Microsoft Defender for Endpoint that aren't managed by Microsoft Endpoint Manager will qualify to onboard to Microsoft Defender for Endpoint.
117135

118136
> [!TIP]
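Review bot: The sentence "all devices in the platform scope in Microsoft Defender for Endpoint that aren't managed by Microsoft Endpoint Manager will qualify to onboard to Microsoft Defender for Endpoint" is circular, since the devices in the platform scope are already onboarded to Defender for Endpoint; the intent appears to be that they qualify to receive policy from Endpoint Manager, so consider "will qualify for Security Management for Microsoft Defender for Endpoint". Because the sentence describes an effect on every device in scope, it is also worth saying plainly that this is the tenant-wide switch and that the Enforcement Scope and Pilot Mode settings from the Microsoft 365 Defender portal steps above are what bound its effect, so readers verify those before setting it to On.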
@@ -130,6 +148,7 @@ When using Configuration Manager, the best path for management of security polic
130148

131149
After devices onboard to Defender for Endpoint, you'll need to create device groups to support deployment of policy for Microsoft Defender for Endpoint.
132150
To identify devices that have enrolled with Microsoft Defender for Endpoint but aren't managed by Intune or Configuration Manager:
151+
133152
1. Sign in to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
134153
2. Go to **Devices** > **All devices**, and then select the column **Managed by** to sort the view of devices.
135154
Devices that onboard to Microsoft Defender for Endpoint and have registered but aren't managed by Intune display **Microsoft Defender for Endpoint** in the *Managed by* column. These are the devices that can receive policy for security management for Microsoft Defender for Endpoint.
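Review bot: This two-step procedure uses explicit "1." and "2." numbering while the tenant configuration procedure earlier in the same file uses repeated "1." auto-numbering; pick one convention for the file. The sentence "have registered but aren't managed by Intune" would be clearer as "have registered with Azure AD but aren't managed by Intune or Configuration Manager", matching the introductory sentence just above that names both management sources.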
@@ -142,14 +161,17 @@ You can create groups for these devices [in Azure AD](/azure/active-directory/fu
142161
## Deploy policy
143162

144163
After creating one or more Azure AD groups that contain devices managed by Microsoft Defender for Endpoint, you can create and deploy the following policies for Security Management for Microsoft Defender for Endpoint to those groups:
164+
145165
- Antivirus
146166
- Firewall
147167
- Firewall Rules
148168
- Endpoint Detection and Response
169+
149170
> [!TIP]
150171
> Avoid deploying multiple policies that manage the same setting to a device.
151172
>
152173
> Microsoft Endpoint Manager supports deploying multiple instances of each endpoint security policy type to the same device, with each policy instance being received by the device separately. Therefore, a device might receive separate configurations for the same setting from different policies, which results in a conflict. Some settings (like Antivirus Exclusions) will merge on the client and apply successfully.
174+
153175
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
154176
2. Go to **Endpoint security** and then select the type of policy you want to configure, either Antivirus or Firewall, and then select **Create Policy**.
155177
3. Enter the following properties or the policy type you selected:
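Review bot: "Enter the following properties or the policy type you selected" should be "for the policy type you selected". Step 2 still says "either Antivirus or Firewall", but the list added just above now names Firewall Rules and Endpoint Detection and Response as deployable policy types too, so the step should either list all four or drop the two-item example. The TIP correctly warns that multiple policies managing the same setting produce a conflict; adding where that conflict is surfaced in the policy status reporting would let readers detect a conflict after deployment rather than only try to avoid one.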

memdocs/intune/protect/mde-security-integration.md

Lines changed: 6 additions & 2 deletions
@@ -28,7 +28,7 @@ ms.reviewer: mattcall
2828

2929
---
3030

31-
# Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager (Preview)
31+
# Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager
3232

3333
With Microsoft Defender for Endpoint (MDE), you can now deploy security configurations from Microsoft Endpoint Manager directly to your onboarded devices without requiring a full Microsoft Endpoint Manager device enrollment. This capability is known as *Security Management for Microsoft Defender for Endpoint*. With this capability, devices that aren’t managed by a Microsoft Endpoint Manager service can receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager.
3434

@@ -48,7 +48,11 @@ This scenario extends the Microsoft Endpoint Manager Endpoint Security surface t
4848

4949
Status and reports for policies targeted at devices in this channel are available from the policy node under Endpoint security in the Microsoft Endpoint Manager admin center.
5050

51-
Drill in to the policy type, Antivirus or Firewall, and then select the policy to view its status. Policies for MDE have a *Policy type* of either *Microsoft Defender Antivirus (Preview)* or *Microsoft Defender Firewall (Preview)*.
51+
Drill in to the policy type and then select the policy to view its status. The following policy types support MDE security configuration:
52+
53+
- Antivirus > *Microsoft Defender Antivirus*
54+
- Firewall > *Microsoft Defender Firewall* or *Microsoft Defender Firewall Rules*
55+
- Endpoint detection and response > *Endpoint detection and response*
5256

5357
When you select a policy, you'll see information about the device check-in status, and can select:
5458
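Review bot: The new bullet list writes "Endpoint detection and response" in sentence case for both the node and the policy type, while the whats-new entry and the Deploy policy list in the prerequisites include, both in this same commit, use "Endpoint Detection and Response"; align on the casing the admin center actually displays. Dropping the "Antivirus or Firewall" example from the lead sentence is right now that there are three nodes, but "Drill in to the policy type" should be "Drill into the policy type".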

-47 KB

memdocs/intune/protect/toc.yml

Lines changed: 1 addition & 1 deletion
@@ -113,7 +113,7 @@ items:
113113
href: advanced-threat-protection-manage-android.md
114114
- name: Monitor Defender for Endpoint
115115
href: advanced-threat-protection-monitor.md
116-
- name: MDE Security Configuration Management (Preview)
116+
- name: MDE Security Configuration Management
117117
href: mde-security-integration.md
118118
- name: Firewall rule migration
119119
href: endpoint-security-firewall-rule-tool.md
