Merge branch 'main' into diannegali-updatethreatactorlist

Author: diannegali

defender-endpoint/android-configure-mam.md

@@ -14,7 +14,7 @@ ms.collection:
 - mde-android
 ms.topic: conceptual
 ms.subservice: android
-ms.date: 07/25/2024
+ms.date: 08/08/2024
 ---
 
 # Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
@@ -124,14 +124,14 @@ End users also need to take steps to install Microsoft Defender for Endpoint on
 
 1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.
 
-2. Select **Continue**. A screen is presented which recommends downloading and setting up of Microsoft Defender for Endpoint on Android app.
+2. Select **Continue**. A screen is presented which recommends downloading and setting up of the Microsoft Defender: Antivirus (Mobile) app.
 
 3. Select **Download**. You'll be redirected to the app store (Google play).
 
-4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.
-
-   :::image type="content" source="media/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="media/download-mde.png":::
+4. Install the Microsoft Defender: Antivirus (Mobile) app and go back to the managed app onboarding screen.
 
+    :::image type="content" source="media/mam-flow.png" alt-text="Shows the procedure of downloading Microsoft Defender: Antivirus (Mobile) app." lightbox="media/mam-flow.png":::
+   
 5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.
 
 6. Select **Continue** to log into the managed application.

defender-endpoint/configure-endpoints-mdm.md

@@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 03/28/2024
+ms.date: 08/12/2024
 ---
 
 # Onboard Windows devices to Defender for Endpoint using Intune 
@@ -65,31 +65,39 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 
-1. Get the offboarding package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com) as follows:
 
-   2. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
+   1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
 
-   3. Select Windows 10 or Windows 11 as the operating system.
+   2. Select **Windows 10 or Windows 11** as the operating system.
 
-   4. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+   3. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
 
-   5. Click **Download package**, and save the .zip file.
+   4. Click **Download package**, and save the .zip file.
 
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named `WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding`.
 
-3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.
+3. In Microsoft Intune admin center, create a custom configuration policy.
 
-   - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
-   - Date type: String
-   - Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
+   1. In the navigation pane, select **Devices** \> **By platform** \> **Windows** \> **Manage Devices** \> **Configuration**.
+   2. Under **Policies** click **Create** \> **New Policy**.
+   3. In the **Create a profile** slide out, select **Windows 10 and later** as **Platform** and **Templates** as **Profile Type**.
+   4. Under **Template Name**, click the **Custom** template and click **Create**.
+   5. Enter a value for **Name** and click **Next**. 
+   6. Under **Configuration settings**, click **Add** and use the following OMA-URI settings.
+      - Name: Provide a name
+      - OMA-URI: `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding`
+      - Date type: String
+      - Value: *Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file*
+   7. Make the appropriate group assignments, applicability rules, and on the **Review + create** step, click the **Create** button to finish the policy.
 
 For more information on Microsoft Intune policy settings, see [Windows 10 policy settings in Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10).
 
 > [!NOTE]
 > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
 
 > [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the device to stop sending sensor data to Defender for Endpoint, but data from the device, including references to any alerts it has, is retained for up to 6 months.
 
 ## Related articles
 

defender-endpoint/data-storage-privacy.md

@@ -16,7 +16,7 @@ ms.collection:
 - essentials-compliance
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 05/14/2024
+ms.date: 08/12/2024
 ---
 
 # Microsoft Defender for Endpoint data storage and privacy
@@ -63,7 +63,7 @@ In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wi
 
 ## Data storage location
 
-Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, or Switzerland. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
+Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
 
 Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
 

defender-endpoint/ios-troubleshoot.md

@@ -32,8 +32,8 @@ ms.date: 06/19/2024
 This article provides troubleshooting information to help you address issues that might arise with Microsoft Defender for Endpoint on iOS.
 
 > [!NOTE]
-> - Defender for Endpoint on iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-> - For customers who don't want to set up a VPN, there's an option to disable Web Protection and deploy Defender for Endpoint without that feature. In such scenario, Defender sends the heartbeat to the Microsoft Defender portal whenever user opens the app.
+> - Defender for Endpoint on iOS requires configuring its VPN to activate the Web Protection feature and to send periodic status signals while the app operates in the background. This VPN is local and pass-through, meaning it does not route traffic through a remote VPN server.
+> - Customers who opt not to set up a Defender for Endpoint VPN can disable Web Protection and still deploy Defender for Endpoint. In such cases, Defender for Endpoint will only send status signals to the Microsoft Defender portal when the user opens the app. If the app is not opened for 7 days, the device may be marked as inactive in the Microsoft Defender Portal.
 
 ## Apps don't work when VPN is turned on
 

defender-endpoint/mde-plugin-wsl.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 08/05/2024
+ms.date: 08/12/2024
 search.appverid: MET150
 ---
 
@@ -145,28 +145,12 @@ For example, if your host machine has both `Winhttp proxy` and `Network & Intern
 
 ## Connectivity test for Defender running in WSL
 
-The following procedure describes how to confirm that Defender in Endpoint in WSL has internet connectivity.
+The defender connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
 
-1. Open Registry Editor as an administrator.
-
-2. Create a registry key with the following details:
-
-   - **Name**: `ConnectivityTest`
-   - **Type**: `REG_DWORD`
-   - **Value**: `Number of seconds plug-in must wait before running the test. (Recommended: 60 seconds)`
-   - **Path**:  `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
-
-3. Once the registry is set, restart wsl using the following steps:
-
-   1. Open Command Prompt and run the command, `wsl --shutdown`.
-
-   2. Run the command `wsl`.
-
-4. Wait for five minutes, and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test).
-
-   If successful, you can see that the connectivity test was successful. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from WSL to Defender for Endpoint service URLs is failing.
+On starting your wsl machine, wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test). If successful, you can see that the connectivity test was a success. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from MDE plug-in for WSL to Defender for Endpoint service URLs is failing.
 
 > [!NOTE]
+> The `ConnectivityTest` registry key is no longer supported.
 > To set a proxy for use in WSL containers (the distributions running on the subsystem), see [Advanced settings configuration in WSL](/windows/wsl/wsl-config).
 
 ## Verifying functionality and SOC analyst experience
@@ -187,6 +171,31 @@ After installing the plug-in, the subsystem and all its running containers are o
 
 The timeline is populated, similar to Defender for Endpoint on Linux, with events from inside the subsystem (file, process, network). You can observe activity and detections in the timeline view. Alerts and incidents are generated as appropriate as well.
 
+## Setting up custom tag for your WSL machine
+
+The plug-in onboards the WSL machine with the tag `WSL2`. Should you or your organization need a custom tag, please follow the steps outlined below:
+
+1. Open Registry Editor as an administrator
+
+2. Create a registry key with the following details:
+
+   - Name: `GROUP`
+   - Type: `REG_SZ` or registry string
+   - Value: `Custom tag`
+   - Path: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging`
+
+3. Once the registry is set, restart wsl using the following steps:
+
+    1. Open Command Prompt and run the command, `wsl --shutdown`.
+
+    2. Run the `wsl` command.
+
+4. Wait for 5-10 minutes for the portal to reflect the changes. 
+
+> [!NOTE]
+> The custom tag set in registry will be followed by a `_WSL2`.
+> For example, if the registry value set is `Microsoft`, then the custom tag will be `Microsoft_WSL2` and the same will be visible in the portal.
+
 ### Test the plug-in
 
 To test the plug-in after installation, follow these steps:
@@ -371,8 +380,6 @@ DeviceProcessEvents
 
    1. In Control Panel, go to **Programs** > **Programs and Features**.
 
-   2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**.
-
-   This should fix the problem by placing the right files in the expected directories.
+   2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
 
    :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::

defender-endpoint/media/mam-flow.png

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 08/08/2024
+ms.date: 08/12/2024
 audience: ITPro
 ms.topic: reference
 author: siosulli
@@ -212,12 +212,12 @@ Updates are released for x86, x64, and ARM64 Windows architecture.
 
 For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
 
-After a new package version is released, support for the previous two versions is reduced to technical support only.
+After a new package version is released, support for the previous two versions is reduced to technical support only. To view a list of previous versions, see [Previous DISM updates (no longer supported)](msda-updates-previous-versions-technical-upgrade-support.md#previous-dism-updates-no-longer-supported).
 
-### 1.415.235.0
+### 1.415.295.0
 
-- Defender package version: `1.415.235.0`
-- Security intelligence version: `1.415.235.0`
+- Defender package version: `1.415.295.0`
+- Security intelligence version: `1.415.295.0`
 - Engine version: `1.24070.1`
 - Platform version: `4.18.24070.5`
 
@@ -229,12 +229,12 @@ After a new package version is released, support for the previous two versions i
 
 - None
 
-### 1.411.111.0
+### 1.415.235.0
 
-- Defender package version: `1.411.111.0`
-- Security intelligence version: `1.411.111.0`
-- Engine version: `1.24050.2`
-- Platform version: `4.18.24050.7`
+- Defender package version: `1.415.235.0`
+- Security intelligence version: `1.415.235.0`
+- Engine version: `1.24070.1`
+- Platform version: `4.18.24070.5`
 
 #### Fixes
 
@@ -244,12 +244,12 @@ After a new package version is released, support for the previous two versions i
 
 - None
 
-### 1.411.9.0
+### 1.411.111.0
 
-- Defender package version: `1.411.9.0`
-- Security intelligence version: `1.411.9.0`
-- Engine version: `1.24040.1`
-- Platform version: `4.18.24040.4`
+- Defender package version: `1.411.111.0`
+- Security intelligence version: `1.411.111.0`
+- Engine version: `1.24050.2`
+- Platform version: `4.18.24050.7`
 
 #### Fixes
 

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -53,6 +53,10 @@ ms.date: 02/22/2024
 
 - For more information on how to assign licenses, see [Assign licenses to users](/azure/active-directory/users-groups-roles/licensing-groups-assign).
 
+> [!NOTE]
+> - Defender for Endpoint on iOS requires configuring its VPN to activate the Web Protection feature and to send periodic status signals while the app operates in the background. This VPN is local and pass-through, meaning it does not route traffic through a remote VPN server.
+> - Customers who opt not to set up a Defender for Endpoint VPN can disable Web Protection and still deploy Defender for Endpoint. In such cases, Defender for Endpoint will only send status signals to the Microsoft Defender portal when the user opens the app. If the app is not opened for 7 days, the device may be marked as inactive in the Microsoft Defender Portal.
+
 ### For Administrators
 
 - Access to the Microsoft Defender portal.
@@ -66,6 +70,8 @@ ms.date: 02/22/2024
     > - Microsoft Defender for Endpoint now extends protection to an organization's data within a managed application for those who aren't using mobile device management (MDM) but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).
     > - In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
 
+
+
 ### System Requirements
 
 - iOS device running iOS 15.0 and above. iPads are also supported.

defender-endpoint/microsoft-defender-endpoint-ios.md

@@ -6,7 +6,7 @@ ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 08/07/2024
+ms.date: 08/12/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -1100,12 +1100,27 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 #### Known issues
 
-- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.
+- When this update is installed, the device needs the jump package `4.18.2001.10` to be able to update to the latest platform version.
 
 ## Previous DISM updates (no longer supported)
 
 The versions listed in this section are no longer supported. To view current versions, see [Updates for Deployment Image Servicing and Management (DISM)](microsoft-defender-antivirus-updates.md#updates-for-deployment-image-servicing-and-management-dism).
 
+### 1.411.9.0
+
+- Defender package version: `1.411.9.0`
+- Security intelligence version: `1.411.9.0`
+- Engine version: `1.24040.1`
+- Platform version: `4.18.24040.4`
+
+#### Fixes
+
+- None
+
+#### Additional information
+
+- None
+
 ### 20230809.1
 
 - Defender package version: `20230809.1`

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -17,7 +17,7 @@ ms.custom:
 - migrationguides
 - admindeeplinkDEFENDER
 ms.topic: how-to
-ms.date: 10/24/2023
+ms.date: 08/12/2024
 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho, yongrhee
 search.appverid: met150
 ---
@@ -77,12 +77,14 @@ Deployment methods vary, depending on operating system and preferred methods. Th
 
 ## Step 2: Run a detection test
 
+<!---Add this back later when the link works: Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>.---> 
+
 To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
 
 |Operating system|Guidance|
 |---|---|
 |Windows 10 or later<br/><br/>Windows Server 2022<br/><br/>Windows Server 2019<br/><br/>Windows Server, version 1803, or later<br/><br/>Windows Server 2016<br/><br/>Windows Server 2012 R2|See [Run a detection test](run-detection-test.md).|
-|macOS (see [System requirements](microsoft-defender-endpoint-mac.md)|Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>. <br/><br/> For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md).|
+|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))| See [Run the connectivity test](troubleshoot-cloud-connect-mdemac.md#run-the-connectivity-test).|
 |Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements))|1. Run the following command, and look for a result of **1**: `mdatp health --field real_time_protection_enabled`.<br/><br/>2. Open a Terminal window, and run the following command: `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.<br/><br/>3. Run the following command to list any detected threats: `mdatp threat list`.<br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).|
 
 ## Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints