diff --git a/intune/configmgr/tenant-attach/atp-onboard.md b/intune/configmgr/tenant-attach/atp-onboard.md
index b6445c9199..e3f459868e 100644
--- a/intune/configmgr/tenant-attach/atp-onboard.md
+++ b/intune/configmgr/tenant-attach/atp-onboard.md
@@ -1,25 +1,26 @@
---
title: Tenant attach - Onboard Configuration Manager clients to Microsoft Defender for Endpoint from the Microsoft Intune admin center
description: Deploy Microsoft Defender for Endpoint Detection and Response (EDR) onboarding policies to Configuration Manager managed clients from the admin center.
-ms.date: 03/21/2022
+ms.date: 05/13/2026
ms.topic: how-to
+ai-usage: ai-assisted
ms.subservice: core-infra
ms.collection: tier3
---
-# Tenant attach: Onboard Configuration Manager clients to Microsoft Defender for Endpoint from the admin center
+# Tenant attach: Onboard Microsoft Configuration Manager clients to Microsoft Defender for Endpoint from the admin center
*Applies to: Configuration Manager (current branch)*
-The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Microsoft Intune admin center**. You can deploy Microsoft Defender for Endpoint onboarding policies to Configuration Manager managed clients. These clients don't require Microsoft Entra ID or MDM enrollment, and the policy is targeted at ConfigMgr collections rather than Microsoft Entra groups.
+The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called **Intune admin center**. You can deploy Defender for Endpoint onboarding policies to Configuration Manager managed clients. These clients don't require Microsoft Entra ID or MDM enrollment, and the policy is targeted at Configuration Manager collections rather than Microsoft Entra groups.
[!INCLUDE [Prerequisites for Configuration Manager tenant attached devices](./includes/configmgr-endpoint-security-prerequisties.md)]
- [Microsoft Intune and Microsoft Defender for Endpoint integration enabled](../../device-security/microsoft-defender/configure-integration.md#connect-microsoft-defender-for-endpoint-to-intune)
-- Client which meets the minimum requirements for, and is onboarded to [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
+- Client which meets the [minimum requirements for Microsoft Defender for Endpoint](/defender-endpoint/minimum-requirements#licensing-requirements) and is onboarded.
-## Create Microsoft Defender for Endpoint policies
+## Create Defender for Endpoint policies
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
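Review bot: the rewritten prerequisite line `+- Client which meets the [minimum requirements for Microsoft Defender for Endpoint](/defender-endpoint/minimum-requirements#licensing-requirements) and is onboarded.` reads awkwardly ("Client which ... and is onboarded" leaves "onboarded" without an object) and the link text says "minimum requirements" while the fragment jumps to `#licensing-requirements`. Suggest "Client that meets the [minimum requirements for Microsoft Defender for Endpoint](...) and is onboarded to Defender for Endpoint." and either dropping the fragment or matching the link text to it. Separately, the H1 now says "Onboard Microsoft Configuration Manager clients" while the `title:` front matter still says "Onboard Configuration Manager clients"; align the two.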
@@ -32,13 +33,13 @@ The Microsoft Intune family of products is an integrated solution for managing a
1. Select **Create**.
-1. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
+1. On the **Basics** page, enter a name and description for the profile, and then choose **Next**.
-1. On the **Configuration settings** page, configure the settings you want to manage with this profile. The onboarding package is automatically included and isn’t something you can configure.
+1. On the **Configuration settings** page, configure the settings you want to manage with this profile. The onboarding package is automatically included and isn't something you can configure.
- When your done configuring settings, select **Next**.
+ When you're done configuring settings, select **Next**.
-1. On the **Assignments** page, select the collections that will receive this policy. Select collections from Configuration Manager that you’ve synced to Microsoft Intune admin center and enabled for Microsoft Defender for Endpoint policy.
+1. On the **Assignments** page, select the collections that receive this policy. Select collections from Configuration Manager that you synced to Intune admin center and enabled for Defender for Endpoint policy.
You can choose not to assign collections at this time, and later edit the policy to add an assignment.
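Review bot: in the Assignments step, `+1. On the **Assignments** page, select the collections that receive this policy. Select collections from Configuration Manager that you synced to Intune admin center ...` drops the article; "synced to the Intune admin center" matches how the product name is used as a noun phrase elsewhere in this file (for example the link text in the sign-in step).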
diff --git a/intune/device-configuration/endpoint-security/antivirus.md b/intune/device-configuration/endpoint-security/antivirus.md
index 0661544f39..e77173b646 100644
--- a/intune/device-configuration/endpoint-security/antivirus.md
+++ b/intune/device-configuration/endpoint-security/antivirus.md
@@ -1,8 +1,9 @@
---
title: Manage antivirus settings with endpoint security policies in Microsoft Intune
description: Configure and deploy policies and use reports for devices you manage with endpoint security antivirus policy in Microsoft Intune.
-ms.date: 05/19/2025
+ms.date: 05/13/2026
ms.topic: reference
+ai-usage: ai-assisted
ms.collection:
- M365-identity-device-management
- sub-secure-endpoints
@@ -10,13 +11,13 @@ ms.reviewer: mattcall
---
-# Antivirus policy for endpoint security in Intune
+# Antivirus policy for endpoint security in Microsoft Intune
-Intune Endpoint security Antivirus policies can help security admins focus on managing the discrete group of antivirus settings for managed devices.
+Intune Endpoint security Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices.
Antivirus policy includes several profiles. Each profile contains only the settings that are relevant for Microsoft Defender for Endpoint antivirus for macOS and Windows devices, or for the user experience in the Windows Security app on Windows devices.
-The antivirus policies are found under **Manage** in the Endpoint security node of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+Find the antivirus policies under **Manage** in the Endpoint security node of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
Antivirus policies include the same settings as found *endpoint protection* or *device restriction* templates for [device configuration](../create-device-profile.md) policy. However, those policy types include other categories of settings that are unrelated to Antivirus. The additional settings can complicate the task of configuring Antivirus workload. Also, the settings found in the Antivirus policy for macOS aren't available through the other policy types. The macOS Antivirus profile replaces the need to configure the settings by using `.plist` files.
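Review bot: while touching this intro, the unchanged context line "Antivirus policies include the same settings as found *endpoint protection* or *device restriction* templates" is missing "in" ("as found in *endpoint protection* or *device restriction* templates"); worth fixing in the same pass since the surrounding sentences are being rewritten.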
@@ -33,16 +34,16 @@ Applies to:
## Prerequisites for antivirus policy
-**Support for Microsoft Intune (MDM) enrolled devices**:
+**Support for Intune (MDM) enrolled devices**:
- **macOS**
- Any supported version of macOS
- - For Intune to manage antivirus settings on a device, Microsoft Defender for Endpoint must be installed on that device. See. [Microsoft Defender for Endpoint for macOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac) (In the Microsoft Defender for Endpoint documentation)
+ - For Intune to manage antivirus settings on a device, Defender for Endpoint must be installed on that device. See [Microsoft Defender for Endpoint for macOS](/defender-endpoint/microsoft-defender-endpoint-mac) (In the Defender for Endpoint documentation).
- **Windows**
- No additional prerequisites are required.
-**Support for Configuration Manager clients**:
+**Support for Microsoft Configuration Manager clients**:
*This scenario is in preview and requires use of Configuration Manager current branch version 2006 or later*.
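Review bot: in `+  - For Intune to manage antivirus settings on a device, Defender for Endpoint must be installed on that device. See [Microsoft Defender for Endpoint for macOS](/defender-endpoint/microsoft-defender-endpoint-mac) (In the Defender for Endpoint documentation).` the parenthetical starts with a capital "In" inside a sentence; use "(in the Defender for Endpoint documentation)" or move it outside the period.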
@@ -50,9 +51,9 @@ Applies to:
To set up tenant attach, see [Configure tenant attach to support endpoint protection policies](../../fundamentals/tenant-attach.md).
-**Support for Microsoft Defender for Endpoint clients:**
+**Support for Defender for Endpoint clients:**
-- **Defender for Endpoint security settings management** - To configure support for deploying antivirus policy to devices that are managed by Defender, but not enrolled with Intune, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](../../device-security/microsoft-defender/security-settings-management.md). This article also includes the information about platforms supported by this capability, and the policies and profiles that those platforms support.
+- **Defender for Endpoint security settings management** - To configure support for deploying antivirus policy to devices that are managed by Defender for Endpoint, but not enrolled with Intune, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](../../device-security/microsoft-defender/security-settings-management.md). This article also includes the information about platforms supported by this capability, and the policies and profiles that those platforms support.
### Role-based access controls (RBAC)
@@ -60,23 +61,28 @@ For guidance on assigning the right level of permissions and rights to manage In
### Prerequisites for tamper protection
-Tamper protection is available for devices that are running one of the following operating systems:
+Intune supports managing tamper protection on devices that run one of the following operating systems:
- macOS (any supported version)
-- Windows (including Enterprise multi-session)
-- Windows Server version 1803 or later, Windows Server 2019, Windows Server 2022
-- Windows Server 2012 R2 and Windows Server 2016 ([using the modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution))
+- Windows 10 and 11 (including Enterprise multi-session)
+- Windows Server 2016 and later
+- Windows Server, version 1803 or later
+- Windows Server 2012 R2 ([using the modern, unified solution](/defender-endpoint/onboard-server#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2))
+
+Defender for Endpoint supports tamper protection on additional platforms beyond those manageable through Intune policy. For the full list, see [Tamper protection prerequisites](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#supported-operating-systems).
> [!NOTE]
> Devices are required to be onboarded to Microsoft Defender for Endpoint (P1 or P2). Devices might see a delay enabling tamper protection if previously not onboarded to Microsoft Defender for Endpoint. Tamper protection will enable on the first device check-in after onboarding to Microsoft Defender for Endpoint.
+For more information about tamper protection behavior, including which settings are protected and troubleshooting options, see [What is tamper protection?](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) in the Defender for Endpoint documentation.
+
You can use Intune to manage tamper protection on Windows devices as part of Windows Security Experience profile (an Antivirus policy). This includes both devices you manage with Intune, and devices you manage with Configuration Manager through the tenant attach scenario. Tamper protection is also now available for Azure Virtual Desktop.
#### Intune managed devices
Prerequisites to support tamper protection for devices managed by Intune:
-- Your environment must meet the [prerequisites for managing tamper protection with Intune](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
+- Your environment must meet the [requirements for managing tamper protection in Intune](/defender-endpoint/manage-tamper-protection-intune#requirements-for-managing-tamper-protection-in-intune)
- Devices are onboarded to Microsoft Defender for Endpoint (P1 or P2)
Profiles for *Antivirus* policy that support tamper protection for [devices managed by Microsoft Intune](./deploy-edr.md#supported-platforms-and-profiles):
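Review bot: the new tamper protection OS list changes the stated requirement for Windows Server 2016. The removed line grouped Windows Server 2016 with 2012 R2 as needing the modern, unified solution; the added `+- Windows Server 2016 and later` drops that qualifier, yet the anchor on the 2012 R2 entry (`#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2`) still names 2016 as part of that requirement. Either keep 2016 on the 2012 R2 line behind the unified-solution link, or state explicitly that 2016 is supported without it. Also `Windows Server 2016 and later` and `Windows Server, version 1803 or later` overlap; if the second entry is meant to be the semi-annual channel releases, say so, otherwise merge the two lines.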
@@ -97,7 +103,7 @@ You can also use the [Endpoint protection](./configure-endpoint-protection.md) p
Prerequisites to support managing tamper protection with these profiles:
-- Your environment must meet the [prerequisites for managing tamper protection with Intune](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection#turn-tamper-protection-on-or-off-for-your-organization-using-intune) as detailed in the Windows documentation.
+- Your environment must meet the [requirements for managing tamper protection in Intune](/defender-endpoint/manage-tamper-protection-intune#requirements-for-managing-tamper-protection-in-intune) as detailed in the Defender for Endpoint documentation.
- You must use Configuration Manager current branch 2006 or later.
- You must configure tenant attach to support endpoint protection policies. This includes configuring Configuration Manager device collections for synchronization with Intune.
- Devices are onboarded to Microsoft Defender for Endpoint (P1 or P2)
@@ -135,7 +141,7 @@ The following profiles are supported for devices you manage with Intune:
- Profile: **Antivirus** - Manage [Antivirus policy settings](./ref-antivirus-defender-settings-macos.md) for macOS.
- When you use [Microsoft Defender for Endpoint for Mac](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac), you can configure and deploy Antivirus settings to your managed macOS devices through Intune instead of configuring those settings by use of `.plist` files.
+ When you use [Microsoft Defender for Endpoint for Mac](/defender-endpoint/microsoft-defender-endpoint-mac), you can configure and deploy Antivirus settings to your managed macOS devices through Intune instead of configuring those settings by use of `.plist` files.
#### Windows
diff --git a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
index 1b4a08e7b3..1b5cf1078d 100644
--- a/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
+++ b/intune/device-configuration/endpoint-security/ref-endpoint-protection-settings-windows.md
@@ -1,8 +1,9 @@
---
title: Settings you can manage with Intune Endpoint Protection profiles for Windows devices
description: View the available settings in Intune endpoint protection profiles for managed Windows devices.
-ms.date: 11/14/2023
+ms.date: 05/13/2026
ms.topic: reference
+ai-usage: ai-assisted
ms.reviewer: mattcall
ms.collection:
- M365-identity-device-management
@@ -763,7 +764,7 @@ These settings apply specifically to removable data drives.
## Microsoft Defender Exploit Guard
-Use [exploit protection](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) to manage and reduce the attack surface of apps used by your employees.
+Use [exploit protection](/defender-endpoint/exploit-protection) to manage and reduce the attack surface of apps used by your employees.
### Attack Surface Reduction
@@ -771,7 +772,7 @@ Attack surface reduction rules help prevent behaviors malware often uses to infe
#### Attack Surface Reduction rules
-To learn more, see [Attack surface reduction rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) in the Microsoft Defender for Endpoint documentation.
+To learn more, see [Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-reference) in the Microsoft Defender for Endpoint documentation.
**Merge behavior for Attack surface reduction rules in Intune**:
@@ -791,7 +792,7 @@ Attack surface reduction rule merge behavior is as follows:
- **Flag credential stealing from the Windows local security authority subsystem**
**Default**: Not configured
- Rule: [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
+ Rule: [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
Help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
@@ -801,7 +802,7 @@ Attack surface reduction rule merge behavior is as follows:
- **Process creation from Adobe Reader (beta)**
**Default**: Not configured
- Rule: [Block Adobe Reader from creating child processes](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes)
+ Rule: [Block Adobe Reader from creating child processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-adobe-reader-from-creating-child-processes)
- **Not configured**
- **Enable** - Block child processes that are created from Adobe Reader.
@@ -813,7 +814,7 @@ Block Office apps from taking the following actions:
- **Office apps injecting into other processes (no exceptions)**
**Default**: Not configured
- Rule: [Block Office applications from injecting code into other processes](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes)
+ Rule: [Block Office applications from injecting code into other processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes)
- **Not configured**
- **Block** - Block Office apps from injecting into other processes.
@@ -821,7 +822,7 @@ Block Office apps from taking the following actions:
- **Office apps/macros creating executable content**
**Default**: Not configured
- Rule: [Block Office applications from creating executable content](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content)
+ Rule: [Block Office applications from creating executable content](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-creating-executable-content)
- **Not configured**
- **Block** - Block Office apps and macros from creating executable content.
@@ -829,7 +830,7 @@ Block Office apps from taking the following actions:
- **Office apps launching child processes**
**Default**: Not configured
- Rule: [Block all Office applications from creating child processes](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes)
+ Rule: [Block all Office applications from creating child processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-all-office-applications-from-creating-child-processes)
- **Not configured**
- **Block** - Block Office apps from launching child processes.
@@ -837,7 +838,7 @@ Block Office apps from taking the following actions:
- **Win32 imports from Office macro code**
**Default**: Not configured
- Rule: [Block Win32 API calls from Office macros](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros)
+ Rule: [Block Win32 API calls from Office macros](/defender-endpoint/attack-surface-reduction-rules-reference#block-win32-api-calls-from-office-macros)
- **Not configured**
- **Block** - Block Win32 imports from macro code in Office.
@@ -845,7 +846,7 @@ Block Office apps from taking the following actions:
- **Process creation from Office communication products**
**Default**: Not configured
- Rule: [Block Office communication application from creating child processes](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes)
+ Rule: [Block Office communication application from creating child processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-communication-application-from-creating-child-processes)
- **Not configured**
- **Enable** - Block child process creation from Office communications apps.
@@ -857,7 +858,7 @@ Block the following to help prevent against script threats:
- **Obfuscated js/vbs/ps/macro code**
**Default**: Not configured
- Rule: [Block execution of potentially obfuscated scripts](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts)
+ Rule: [Block execution of potentially obfuscated scripts](/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts)
- **Not configured**
- **Block** - Block any obfuscated js/vbs/ps/macro code.
@@ -865,7 +866,7 @@ Block the following to help prevent against script threats:
- **js/vbs executing payload downloaded from Internet (no exceptions)**
**Default**: Not configured
- Rule: [Block JavaScript or VBScript from launching downloaded executable content](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+ Rule: [Block JavaScript or VBScript from launching downloaded executable content](/defender-endpoint/attack-surface-reduction-rules-reference#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
- **Not configured**
- **Block** - Block js/vbs from executing payload downloaded from Internet.
@@ -873,7 +874,7 @@ Block the following to help prevent against script threats:
- **Process creation from PSExec and WMI commands**
**Default**: Not configured
- Rule: [Block process creations originating from PSExec and WMI commands](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)
+ Rule: [Block process creations originating from PSExec and WMI commands](/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands)
- **Not configured**
- **Block** - Block process creations originating from PSExec and WMI commands.
@@ -881,7 +882,7 @@ Block the following to help prevent against script threats:
- **Untrusted and unsigned processes that run from USB**
**Default**: Not configured
- Rule: [Block untrusted and unsigned processes that run from USB](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb)
+ Rule: [Block untrusted and unsigned processes that run from USB](/defender-endpoint/attack-surface-reduction-rules-reference#block-untrusted-and-unsigned-processes-that-run-from-usb)
- **Not configured**
- **Block** - Block untrusted and unsigned processes that run from USB.
@@ -889,7 +890,7 @@ Block the following to help prevent against script threats:
- **Executables that don't meet a prevalence, age, or trusted list criteria**
**Default**: Not configured
- Rule: [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
+ Rule: [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
- **Not configured**
- **Block** - Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
@@ -901,7 +902,7 @@ Block the following to help prevent email threats:
- **Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)**
**Default**: Not configured
- Rule: [Block executable content from email client and webmail](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail)
+ Rule: [Block executable content from email client and webmail](/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail)
- **Not configured**
- **Block** - Block execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail-client).
@@ -911,7 +912,7 @@ Block the following to help prevent email threats:
- **Advanced ransomware protection**
Default: Not configured
- Rule: [Use advanced protection against ransomware](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware)
+ Rule: [Use advanced protection against ransomware](/defender-endpoint/attack-surface-reduction-rules-reference#use-advanced-protection-against-ransomware)
- **Not configured**
- **Enable** - Use aggressive ransomware protection.
@@ -939,7 +940,7 @@ Block the following to help prevent email threats:
### Controlled folder access
-Help [protect valuable data](/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) from malicious apps and threats, such as ransomware.
+Help [protect valuable data](/defender-endpoint/controlled-folders) from malicious apps and threats, such as ransomware.
- **Folder protection**
**Default**: Not configured
@@ -985,7 +986,7 @@ Block outbound connections from any app to IP addresses or domains with low repu
- **Upload XML**
**Default**: *Not configured*
- To use *Exploit protection* to [protect devices from exploits](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), create an XML file that includes the system and application mitigation settings you want. There are two methods to create the XML file:
+ To use *Exploit protection* to [protect devices from exploits](/defender-endpoint/microsoft-defender-endpoint), create an XML file that includes the system and application mitigation settings you want. There are two methods to create the XML file:
- *PowerShell* - Use one or more of the *Get-ProcessMitigation*, *Set-ProcessMitigation*, and *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlets. The cmdlets configure mitigation settings, and export an XML representation of them.
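Review bot: the retargeted link `+  To use *Exploit protection* to [protect devices from exploits](/defender-endpoint/microsoft-defender-endpoint), ...` now points at the Defender for Endpoint product overview rather than the exploit protection article. The Exploit Guard section earlier in this same file links to `/defender-endpoint/exploit-protection`; use that target here so the link text matches the destination.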
@@ -1046,7 +1047,7 @@ Microsoft Defender Credential Guard protects against credential theft attacks. I
## Microsoft Defender Security Center
-Microsoft Defender Security Center operates as a separate app or process from each of the individual features. It displays notifications through the Action Center. It acts as a collector or single place to see the status and run some configuration for each of the features. Find out more in the [Microsoft Defender](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) docs.
+Microsoft Defender Security Center operates as a separate app or process from each of the individual features. It displays notifications through the Action Center. It acts as a collector or single place to see the status and run some configuration for each of the features. Find out more in the [Microsoft Defender](/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center) docs.
### Microsoft Defender Security Center app and notifications
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md b/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md
index 8ff4c201d5..89f119f3cc 100644
--- a/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md
@@ -1,7 +1,7 @@
---
title: Add Platform SSO policy to ADE Profile on macOS devices
description: Add a settings catalog platform single sign-on (PSSO) policy to an Automated Device Enrollment (ADE) profile and configure it to run during Setup Assistant with modern authentication on macOS devices.
-ms.date: 05/11/2026
+ms.date: 05/13/2026
ms.topic: how-to
appliesto:
- ✅ macOS
@@ -115,7 +115,7 @@ The Company Portal for macOS deploys and installs the Microsoft Enterprise SSO p
> [!IMPORTANT]
> Company Portal 5.2604.0 and newer is required.
-2. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), add the Company Portal as a line-of-business (LOB) app (**Apps > All Apps > Create**):
+2. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), add the Company Portal as a line-of-business (LOB) app (**Apps > All Apps > Create**). In the **App bundle ID** list, only add the `com.microsoft.CompanyPortalMac` app bundle ID. Remove any app bundle IDs that aren't related to the Company Portal.
- [Add macOS Line-of-Business (LOB) Apps to Microsoft Intune](../../app-management/deployment/add-lob-macos.md)
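Review bot: changing the trailing colon to a period in `+2. In the [Microsoft Intune admin center](...), add the Company Portal as a line-of-business (LOB) app (**Apps > All Apps > Create**). In the **App bundle ID** list, only add ...` leaves the following sub-bullet `- [Add macOS Line-of-Business (LOB) Apps to Microsoft Intune](...)` without the lead-in it was attached to. Either end the new last sentence with a short lead-in such as "For more information, see:" or restore the colon so the link still reads as part of the step.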
diff --git a/intune/device-security/security-baselines/ref-defender-settings.md b/intune/device-security/security-baselines/ref-defender-settings.md
index 0386f8bb98..64395f5b96 100644
--- a/intune/device-security/security-baselines/ref-defender-settings.md
+++ b/intune/device-security/security-baselines/ref-defender-settings.md
@@ -1,8 +1,9 @@
---
title: Settings list for the Microsoft Intune security baseline for Microsoft Defender for Endpoint
description: View the settings in the Microsoft Intune security baseline for Microsoft Defender for Endpoint and each settings default value.
-ms.date: 09/10/2024
+ms.date: 05/13/2026
ms.topic: reference
+ai-usage: ai-assisted
ms.reviewer: aanavath
ms.collection:
- M365-identity-device-management
@@ -61,7 +62,7 @@ To learn more about using security baselines, see:
The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using [Microsoft Defender for Endpoint](../microsoft-defender/overview.md#prerequisites).
-This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see [Increase compliance to the Microsoft Defender for Endpoint security baseline](/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) in the Windows documentation.
+This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see [Increase compliance to the Microsoft Defender for Endpoint security baseline](/defender-endpoint/configure-machines-security-baseline) in the Windows documentation.
::: zone pivot="mde-v24h1"
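Review bot: `+... see [Increase compliance to the Microsoft Defender for Endpoint security baseline](/defender-endpoint/configure-machines-security-baseline) in the Windows documentation.` now links into the Defender for Endpoint docset but still attributes it to "the Windows documentation". The equivalent change in antivirus.md in this patch updated the attribution to "the Defender for Endpoint documentation"; do the same here.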
@@ -312,79 +313,79 @@ This baseline is optimized for physical devices and isn't recommended for use on
- **Block execution of potentially obfuscated scripts**\
Baseline default: *Block*\
- [Learn more](/defender-endpoint/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-execution-of-potentially-obfuscated-scripts)
- **Block Win32 API calls from Office macros**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-win32-api-calls-from-office-macros)
- **Block executable files from running unless they meet a prevalence, age, or trusted list criterion**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
- **Block Office communication application from creating child processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-office-communication-application-from-creating-child-processes)
- **Block all Office applications from creating child processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-all-office-applications-from-creating-child-processes)
- **Block Adobe Reader from creating child processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-adobe-reader-from-creating-child-processes)
- **Block credential stealing from the Windows local security authority subsystem**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
- **Block JavaScript or VBScript from launching downloaded executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
- **Block Webshell creation for Servers**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-webshell-creation-for-servers)
- **Block untrusted and unsigned processes that run from USB**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-untrusted-and-unsigned-processes-that-run-from-usb)
- **Block persistence through WMI event subscription**\
Baseline default: *Audit*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-persistence-through-wmi-event-subscription)
- **[PREVIEW] Block use of copied or impersonated system tools**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-use-of-copied-or-impersonated-system-tools)
- **Block abuse of exploited vulnerable signed drivers (Device)**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-abuse-of-exploited-vulnerable-signed-drivers)
- **Block process creations originating from PSExec and WMI commands**\
Baseline default: *Audit*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-process-creations-originating-from-psexec-and-wmi-commands)
- **Block Office applications from creating executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-office-applications-from-creating-executable-content)
- **Block Office applications from injecting code into other processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-office-applications-from-injecting-code-into-other-processes)
- **[PREVIEW] Block rebooting machine in Safe Mode**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-rebooting-machine-in-safe-mode)
- **Use advanced protection against ransomware**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#use-advanced-protection-against-ransomware)
- **Block executable content from email client and webmail**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
+ [Learn more](/defender-endpoint/attack-surface-reduction-rules-reference?WT.mc_id=Portal-fx#block-executable-content-from-email-client-and-webmail)
- **Check For Signatures Before Running Scan**\
Baseline default: *Enabled*\
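Review bot: the two bullets labelled `[PREVIEW]` (`**[PREVIEW] Block use of copied or impersonated system tools**` and `**[PREVIEW] Block rebooting machine in Safe Mode**`) get fragment anchors that contain no preview qualifier (`#block-use-of-copied-or-impersonated-system-tools`, `#block-rebooting-machine-in-safe-mode`); please confirm these against the actual heading text on `attack-surface-reduction-rules-reference`, since a heading that carries a "(preview)" suffix generates a different anchor and a mismatched fragment silently drops the reader at the top of the page instead of at the rule. The remaining anchors are derived directly from the bullet titles and look consistent; the `?WT.mc_id=Portal-fx` query is correctly placed before each `#fragment`.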
@@ -650,7 +651,7 @@ Attack surface reduction rule merge behavior is as follows:
- When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
- Only the configurations for conflicting settings are held back.
-To learn more, see [Attack surface reduction rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) in the Microsoft Defender for Endpoint documentation.
+To learn more, see [Attack surface reduction rules](/defender-endpoint/attack-surface-reduction) in the Microsoft Defender for Endpoint documentation.
- **Block Office communication apps from creating child processes**\
Baseline default: *Enable*\
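Review bot: style, the context line `settings that don’t conflict are added to the superset policy` uses a curly apostrophe while the rest of this file (for example `isn't recommended` in the baseline note above) uses a straight one; since this hunk already touches the paragraph, normalizing it here avoids a separate cleanup commit.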
@@ -1388,15 +1389,15 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your
- **Block Office applications from injecting code into other processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block Office applications from creating executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block JavaScript or VBScript from launching downloaded executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Enable network protection**\
Baseline default: *Audit mode*\
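Review bot: inconsistent link depth within the same change. The `mde-v24h1` hunk earlier in this diff points each rule at a per-rule anchor on `attack-surface-reduction-rules-reference`, whereas the three `+` lines here send every rule to the generic overview `/defender-endpoint/attack-surface-reduction`, so "Learn more" on `**Block Office applications from injecting code into other processes**` no longer lands on that rule. Suggest reusing the anchors already introduced above, for example `[Learn more](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes)`.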
@@ -1404,27 +1405,27 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your
- **Block untrusted and unsigned processes that run from USB**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block credential stealing from the Windows local security authority subsystem (lsass.exe)**\
Baseline default: *Enable*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block executable content download from email and webmail clients**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block all Office applications from creating child processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block execution of potentially obfuscated scripts (js/vbs/ps)**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block Win32 API calls from Office macro**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
::: zone-end
::: zone pivot="atp-march-2020"
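Review bot: rule names in this pivot have drifted from the names used in the `mde-v24h1` hunk of this same change, and since every one of these bullets is being touched this is the moment to align them: `**Block execution of potentially obfuscated scripts (js/vbs/ps)**` versus `**Block execution of potentially obfuscated scripts**`, `**Block Win32 API calls from Office macro**` versus `**Block Win32 API calls from Office macros**`, and `**Block executable content download from email and webmail clients**` versus `**Block executable content from email client and webmail**`. Consistent names make the per-rule anchors on `attack-surface-reduction-rules-reference` usable here as well, and let readers match a bullet to the rule reference without guessing.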
@@ -1538,15 +1539,15 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your
- **Block Office applications from injecting code into other processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block Office applications from creating executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block JavaScript or VBScript from launching downloaded executable content**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Enable network protection**\
Baseline default: *Audit mode*\
@@ -1554,27 +1555,27 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your
- **Block untrusted and unsigned processes that run from USB**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block credential stealing from the Windows local security authority subsystem (lsass.exe)**\
Baseline default: *Enable*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block executable content download from email and webmail clients**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block all Office applications from creating child processes**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block execution of potentially obfuscated scripts (js/vbs/ps)**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
- **Block Win32 API calls from Office macro**\
Baseline default: *Block*\
- [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+ [Learn more](/defender-endpoint/attack-surface-reduction)
::: zone-end
::: zone pivot="atp-march-2020,atp-april-2020"
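Review bot: the hunks at `-1388,15` and `-1538,15`, and at `-1404,27` and `-1554,27`, are line-for-line identical (same bullets, same baseline defaults, same old and new link targets), which is why this change has to patch the same nine links twice. The file already combines pivots where content is shared, as `::: zone pivot="atp-march-2020,atp-april-2020"` shows immediately below; consider folding the preceding pivot's attack surface reduction block and the `atp-march-2020` block into one multi-pivot zone so future link migrations touch a single copy.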