Merge branch 'main' into WI423594-add-video-to-saas-initiative-article

Author: DeCohen

.github/workflows/StaleBranch.yml

@@ -2,6 +2,7 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
+  pull-requests: read
 
 # This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
 # On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.

CloudAppSecurityDocs/azip-integration.md

@@ -144,7 +144,7 @@ Follow these instructions to create the file policy:
 
 1. You can get more information about these files and their sensitivity labels in the file drawer. Just select the relevant file in the **Files** page and check whether it has a sensitivity label.
 
-    ![File drawer.](media/file-drawer.png)
+    :::image type="content" source="media/file-policies/file-drawer.png" alt-text="Screenshot showing the file drawer." lightbox="media/file-policies/file-drawer.png":::
 
 1. Then, you can create file policies in Defender for Cloud Apps to control files that are shared inappropriately and find files that are labeled and were recently modified.
 

CloudAppSecurityDocs/data-protection-policies.md

@@ -252,14 +252,14 @@
                 href: manage-sys-extensions-using-jamf.md
               - name: Manual deployment
                 href: manage-sys-extensions-manual-deployment.md
-            
+           
         - name: Defender for Endpoint on Linux
           items:
           - name: Deploy Defender for Endpoint on Linux
             items:
-            - name: 1 - Prerequisites
+            - name: Prerequisites
               href: mde-linux-prerequisites.md
-            - name: 2 - Choose a deployment method
+            - name: Choose a deployment method
               items:
               - name: Installer script based deployment
                 href: linux-installer-script.md
@@ -277,28 +277,28 @@
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
               - name: Deployment guidance for Defender for Endpoint on Linux for SAP
                 href: mde-linux-deployment-on-sap.md
-            - name: 3 - Configuration
+          - name: Configure Defender for Endpoint on Linux
+            items:
+            - name: Configure security policies and settings
+              href: linux-preferences.md
+            - name: Static proxy configuration
+              href: linux-static-proxy-configuration.md
+            - name: Configure antivirus scans
               items:
-              - name: Configure security policies and settings
-                href: linux-preferences.md
-              - name: Static proxy configuration
-                href: linux-static-proxy-configuration.md
-              - name: Configure antivirus scans
-                items:
-                - name: Schedule antivirus scans using Anacron
-                  href: schedule-antivirus-scan-anacron.md
-                - name: Schedule antivirus scans using Crontab
-                  href: schedule-antivirus-scan-crontab.md
-              - name: Network protection for Linux
-                href: network-protection-linux.md
-              - name: Configure and validate exclusions on Linux
-                href: linux-exclusions.md
-              - name: Configure eBPF-based sensor
-                href: linux-support-ebpf.md 
-              - name: Detect and block Potentially Unwanted Applications
-                href: linux-pua.md
-              - name: Configure Offline Security Intelligence Update
-                href: linux-support-offline-security-intelligence-update.md
+              - name: Schedule antivirus scans using Anacron
+                href: schedule-antivirus-scan-anacron.md
+              - name: Schedule antivirus scans using Crontab
+                href: schedule-antivirus-scan-crontab.md
+            - name: Network protection for Linux
+              href: network-protection-linux.md
+            - name: Configure and validate exclusions on Linux
+              href: linux-exclusions.md
+            - name: Configure eBPF-based sensor
+              href: linux-support-ebpf.md 
+            - name: Detect and block Potentially Unwanted Applications
+              href: linux-pua.md
+            - name: Configure Offline Security Intelligence Update
+              href: linux-support-offline-security-intelligence-update.md
           - name: Update Defender for Endpoint on Linux
             items: 
             - name: Update Defender for Endpoint on Linux
@@ -307,7 +307,7 @@
               href: linux-update-mde-linux.md
           - name: Privacy for Defender for Endpoint on Linux
             href: linux-privacy.md
-          - name: Resources for Microsoft Defender for Endpoint on Linux
+          - name: Additional resources for Defender for Endpoint on Linux
             href: linux-resources.md
         - name: Mobile Threat Defense
           items:
@@ -781,6 +781,8 @@
       - name: Configure Microsoft Defender Antivirus scans
         href: schedule-antivirus-scans.md
         items:
+        - name: Schedule scans using Intune
+          href: schedule-antivirus-scans-intune.md
         - name: Schedule scans using Group Policy
           href: schedule-antivirus-scans-group-policy.md
         - name: Schedule scans using PowerShell

CloudAppSecurityDocs/media/file-drawer.png renamed to CloudAppSecurityDocs/media/file-policies/file-drawer.png

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 04/04/2025
+ms.date: 04/30/2025
 search.appverid: met150
 ---
 
@@ -253,8 +253,8 @@ For rules with the "Rule State" specified:
 
 > [!NOTE]
 > To protect your environment from vulnerable drivers, you should first implement these:
-> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
-> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
+> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
+> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
 > For Windows 11 or later, and Windows Server core 1809 or later, or Windows Server 2019 or later, you should also enable [Microsoft Windows vulnerable driver blocklist](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), 
 > Then as another layer of defense, you should enable this attack surface reduction rule.
 
@@ -544,7 +544,9 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 > [!NOTE]
-> If `CcmExec.exe` (SCCM Agent) is detected on the device, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. 
+> If you're utilizing Configuration Manager (CM, previously known as MEMCM or SCCM) with CcmExec.exe` (SCCM Agent), we recommend running it in audit mode for at least 60 days. 
+> Once you're prepared to switch to block mode, ensure you deploy the appropriate ASR rules, considering any necessary rule exclusions.
+
 
 Intune name: `Persistence through WMI event subscription`
 

CloudAppSecurityDocs/media/file-policies/screenshot-showing-different-file-types.png

@@ -6,7 +6,7 @@ description: Windows Server includes automatic exclusions, based on server role.
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 03/28/2025
+ms.date: 05/01/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.topic: conceptual
@@ -30,21 +30,17 @@ search.appverid: met150
 
 - Windows Server
 
+## Important notes about automatic exclusions on Windows Server
 
-> [!IMPORTANT]
-> ## Important notes about automatic exclusions on Windows Server
->
-> - [Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) take precedence over automatic exclusions. When a custom exclusion is set for a path that also has a duplicate automatic or built-in exclusion, the custom exclusion will always apply.
-> - Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning. Other scan activity, for example [Network Inspection](network-protection.md) and [Behavior Monitoring](behavior-monitor.md), will not be excluded. To exclude other scan types, please use custom exclusions.
-> - Automatic exclusions aren't honored during a [quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan). To exclude other scan types, please use custom exclusions.
-> - Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-> - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
-> - Appropriate exclusions must be set for software that isn't included with the operating system.
-> - The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in and automatic exclusions. 
+- [Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) take precedence over automatic exclusions. When a custom exclusion is set for a path that also has a duplicate automatic or built-in exclusion, the custom exclusion will always apply.
+- Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning. Other scan activity, for example [Network Inspection](network-protection.md) and [Behavior Monitoring](behavior-monitor.md), will not be excluded. To exclude other scan types, please use custom exclusions.
+- Automatic exclusions aren't honored during a [quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan). To exclude other scan types, please use custom exclusions.
+- Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Appropriate exclusions must be set for software that isn't included with the operating system.
+- The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. 
 
-## Overview
-
-This article describes types of exclusions that you don't have to define for Microsoft Defender Antivirus: 
+This article describes the two main types of exclusions that you don't have to define for Microsoft Defender Antivirus: 
 
 - [Automatic exclusions](#automatic-server-role-exclusions) for roles on Windows Server 2016 and later. 
 - [Built-in exclusions](#built-in-exclusions) for operating system files on all versions of Windows. 
@@ -240,10 +236,9 @@ This section lists the folder exclusions that are delivered automatically when y
 
 ## Built-in exclusions
 
-> [!NOTE]
-> - Please see [Important Notes](#important-notes-about-automatic-exclusions-on-windows-server)
-> - Default locations could be different than the locations that are described in this article.
-> - The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in exclusions. 
+Make sure to review [Important notes about automatic exclusions](#important-notes-about-automatic-exclusions-on-windows-server) (in this article). Keep in mind that default locations could be different than the locations that are described in this article.
+
+The list of built-in exclusions applied by Microsoft Defender Antivirus is kept up to date as the threat landscape changes. This article lists some, but not all, of the built-in exclusions. 
 
 Because Microsoft Defender Antivirus is built into Windows, it doesn't require exclusions for operating system files on any version of Windows. 
 
@@ -396,9 +391,7 @@ If necessary, you can add or remove custom exclusions. To do that, see the follo
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
 - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-- [Configure Defender for Endpoint on Android features](android-configure.md)
-- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+- [Onboard client devices running Windows or macOS to Microsoft Defender for Endpoint](onboard-client.md)
+- [Onboard servers through Microsoft Defender for Endpoint's onboarding experience](onboard-server.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]