Merge branch 'main' into Prefs-chrisda

Author: chrisda

defender-endpoint/controlled-folders.md

@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from changes through malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 03/04/2025
+ms.date: 04/15/2025
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -38,6 +38,7 @@ search.appverid: met150
 ## What is controlled folder access?
 
 Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on:
+
 - Windows 11
 - Windows 10
 - Windows Server 2025
@@ -92,8 +93,10 @@ Default folders appear in the user's profile, under **This PC**, as shown in the
 
 ![Protected Windows default systems folders](media/defaultfolders.png)
 
+The same profile folders are also protected for system accounts, such as `LocalService`, `NetworkService`, `systemprofile`, and so on. For example, `C:\Windows\System32\config\systemprofile\Documents` is also protected (if it exists).
+
 > [!NOTE]
-> You can configure more folders as protected, but you can't remove the Windows system folders that are protected by default.
+> You can configure more folders as protected, but you can't remove Windows system folders that are protected by default.
 
 ## Requirements for controlled folder access
 
@@ -150,7 +153,7 @@ You can use the Windows Security app to view the list of folders that are protec
 
 4. If controlled folder access is turned off, you need to turn it on. Select **protected folders**.
 
-5. Do one of the following steps:
+5. Take one of the following steps:
 
    - To add a folder, select **+ Add a protected folder**.
    - To remove a folder, select it, and then select **Remove**.

defender-endpoint/linux-install-manually.md

@@ -151,13 +151,13 @@ In order to preview new features and provide early feedback, it's recommended th
 1. Install `curl` if it isn't installed yet:
 
    ```bash
-   sudo apt-get install curl
+   sudo apt install curl
    ```
 
 2. Install `libplist-utils` if it isn't installed yet:
 
    ```bash
-   sudo apt-get install libplist-utils
+   sudo apt install libplist-utils
    ```
 
    > [!NOTE]
@@ -193,13 +193,13 @@ In order to preview new features and provide early feedback, it's recommended th
 5. Install the `gpg` package if not already installed:
 
    ```bash
-   sudo apt-get install gpg
+   sudo apt install gpg
    ```
 
    If `gpg` isn't available, then install `gnupg`.
 
    ```bash
-   sudo apt-get install gnupg
+   sudo apt install gnupg
    ```
 
 6. Install the Microsoft GPG public key:
@@ -219,13 +219,13 @@ In order to preview new features and provide early feedback, it's recommended th
 7. Install the HTTPS driver if not already installed:
 
    ```bash
-   sudo apt-get install apt-transport-https
+   sudo apt install apt-transport-https
    ```
 
 8. Update the repository metadata:
 
    ```bash
-   sudo apt-get update
+   sudo apt update
    ```
 
 ### Mariner
@@ -313,7 +313,7 @@ sudo zypper install packages-microsoft-com-prod:mdatp
 ### Ubuntu and Debian systems
 
 ```bash
-sudo apt-get install mdatp
+sudo apt install mdatp
 ```
 
 > [!NOTE]
@@ -551,7 +551,7 @@ For manual uninstallation, execute the following command for your Linux distribu
 
 - `sudo yum remove mdatp` for RHEL and variants(CentOS and Oracle Linux).
 - `sudo zypper remove mdatp` for SLES and variants.
-- `sudo apt-get purge mdatp` for Ubuntu and Debian systems.
+- `sudo apt purge mdatp` for Ubuntu and Debian systems.
 - `sudo dnf remove mdatp` for Mariner
 
 ## See also

defender-endpoint/linux-install-with-ansible.md

@@ -216,7 +216,7 @@ ansible-playbook -i  /etc/ansible/hosts /etc/ansible/playbooks/install_mdatp.yml
 
     - name: MDE Deployed
       debug:
-      msg: "MDE succesfully deployed"
+        msg: "MDE succesfully deployed"
 ```
 
 ### How to uninstall Microsoft Defender for Endpoint on Linux Servers

defender-office-365/TOC.yml

@@ -519,6 +519,8 @@
         items:
         - name: Getting started with defense in-depth configuration for email security
           href: step-by-step-guides/defense-in-depth-guide.md
+        - name: Tune Microsoft Defender for Office 365
+          href: step-by-step-guides/tune-microsoft-defender-for-office-365.md
         - name: How to configure quarantine permissions and policies
           href: step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md
         - name: Set up steps for the Standard or Strict preset security policies in Microsoft Defender for Office 365

defender-office-365/step-by-step-guides/tune-microsoft-defender-for-office-365.md

@@ -0,0 +1,57 @@
+---
+title: Tune Microsoft Defender for Office 365
+description: Tune settings and protection in Microsoft Defender for Office 365.
+ms.service: defender-office-365
+f1.keywords:
+  - NOCSH
+ms.author: chrisda
+author: MSFTBen
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection:
+- m365-guidance-templates
+- m365-security
+- tier3
+ms.topic: how-to
+search.appverid: met150
+ms.date: 04/14/2025
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
+---
+
+# Microsoft Defender for Office 365 tuning
+
+When a relevant license is enabled, Microsoft Defender for Office 365 protects collaboration across Exchange Online, Teams, SharePoint, OneDrive, and Microsoft 365 applications by default. However, you can do some "tuning" for maximum benefit.
+
+The term "tuning" is used often and can mean different things. For example:
+
+- [Configuring security controls](#configuring-security-controls) or [configuring connectors for complex routing and dual filtering scenarios](#complex-routing-and-dual-filtering-scenarios) as part of initial setup.
+- Setting [security control thresholds](#security-control-thresholds) (for example, the bulk email slider and the advanced filtering slider) to determine how aggressively email is blocked.
+- Adding and managing [customer configured allows and blocks](#customer-configured-allows-and-blocks). Allows are a powerful tool for managing email deliverability but can let malicious or unwanted email be delivered if not correctly managed. Blocks ensure unwanted email isn't delivered but can lead to user productivity loss.
+- [Submissions and system learning](#submissions-and-system-learning), or how the filtering stack self corrects based on the submission of false positive and false negative email.
+
+## Configuring security controls
+
+The easiest and safest way to configure security controls is by onboarding to [preset security policies](../preset-security-policies.md). By using the Standard or Strict preset security policies, you always have Microsoft's recommended, best practice configuration for users. For instructions, see [Steps to set up the Standard or Strict preset security policies for Microsoft Defender for Office 365](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md).
+
+Are you worried about attacks targeting your CEO, CIO, or CFO? You can [Protect your c-suite with Priority account protection in Microsoft Defender for Office 365 Plan 2](protect-your-c-suite-with-priority-account-protection.md).
+
+If you use custom security policies, configuration analyzer gives recommendations to make sure you follow Microsoft's best practices. You can [Optimize and correct security policies with configuration analyzer](optimize-and-correct-security-policies-with-configuration-analyzer.md).
+
+## Complex routing and dual filtering scenarios
+
+Using a non-Microsoft email filtering solution with Defender for Office 365 requires some extra configuration to ensure you're getting the best from both filtering solutions. For more information, see [Getting started with defense in-depth configuration for email security](defense-in-depth-guide.md). You need to be careful when using connectors to route mail to ensure that Defender for Office 365 has access to the original email sender information. To meet this requirement, configure [Enhanced filtering for connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+
+## Security control thresholds
+
+The bulk email slider and the advanced phishing slider allow you to determine how aggressively each of those filters is applied. To optimize the threshold where bulk mail is treated as spam, you can [Assess and tune your filtering for bulk mail in Defender for Office 365](tune-bulk-mail-filtering-walkthrough.md). [Microsoft recommendations for EOP and Defender for Office 365 security settings](../recommended-settings-for-eop-and-office365.md) contains best practices for choosing the right [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](../anti-phishing-policies-about.md) for your organization.
+
+## Customer configured allows and blocks
+
+Overrides are a powerful tool that can be used to deliver or block email regardless of how Defender for Office 365 evaluates the message. [Understanding overrides within the email entity page in Microsoft Defender for Office 365](understand-overrides-in-email-entity.md) provides a guide for using the email entity page to understand why a message was allowed or blocked across all the different types of available overrides.
+
+### Submissions and system Learning
+
+The single most important thing you can do to improve the accuracy of email filtering for users is to [Report spam, non-spam, phishing, suspicious email and files to Microsoft](../submissions-report-messages-files-to-microsoft.md). This information informs the Microsoft Security Analyst team what changes need to be made across the entire filtering stack to ensure users have the best possible experience. Here are some best practices for [How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365](how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md) and [How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365](how-to-handle-false-positives-in-microsoft-defender-for-office-365.md).