Merge branch 'main' into QuarRB-chrisda

Author: chrisda

defender-endpoint/TOC.yml

@@ -643,6 +643,8 @@
           href: schedule-antivirus-scans-powershell.md
         - name: Schedule scans using WMI
           href: schedule-antivirus-scans-wmi.md
+        - name: Full scan best practices
+          href: mdav-scan-best-practices.md
       - name: Use limited periodic scanning in Microsoft Defender Antivirus
         href: limited-periodic-scanning-microsoft-defender-antivirus.md
       - name: Protect Dev Drive using performance mode

defender-endpoint/android-intune.md

@@ -31,8 +31,8 @@ ms.date: 05/02/2024
 **Platforms**
 - Windows
 
-> [!TIP]
-> As a companion to this article, we recommend using the [Microsoft Defender for Endpoint automated setup guide](https://go.microsoft.com/fwlink/?linkid=2268615), which helps you utilize essential tools and automated features such as attack surface reduction and next-generation protection. When signed in to the Microsoft 365 admin center, this guide will customize your experience based on your environment. To review best practices without signing in and activating automated setup features, go to the [Microsoft 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2268522).
+[!INCLUDE [MDE automated setup guide](../includes/mde-automated-setup-guide.md)]
+
 ## Why attack surface reduction rules are important
 
 Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!

defender-endpoint/attack-surface-reduction.md

@@ -38,8 +38,7 @@ This article describes how to onboard specific Windows servers to Microsoft Defe
 
 For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](/windows/device-security/windows-security-baselines).
 
-> [!TIP]
-> As a companion to this article, we recommend using the [Microsoft Defender for Endpoint automated setup guide](https://go.microsoft.com/fwlink/?linkid=2268615), which helps you utilize essential tools and automated features such as attack surface reduction and next-generation protection. When signed in to the Microsoft 365 admin center, this guide will customize your experience based on your environment. To review best practices without signing in and activating automated setup features, go to the [Microsoft 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2268522).
+[!INCLUDE [MDE automated setup guide](../includes/mde-automated-setup-guide.md)]
 
 ## Windows Server onboarding overview
 

defender-endpoint/configure-server-endpoints.md

@@ -35,8 +35,8 @@ The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antiviru
 
 For optimal protection, configure the following settings for devices that are onboarded to Defender for Endpoint, whether Microsoft Defender Antivirus is the active antimalware solution or not:
 
-- Security intelligence updates (which also updates the scan engine)
-- Platform Update updates
+- [Security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) (which also updates the scan engine)
+- [Platform updates](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)
 
 For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).
 

defender-endpoint/defender-compatibility.md

@@ -24,7 +24,7 @@ ms.date: 11/06/2023
 
 **Applies to:**
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+
 
 > [!NOTE]
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)

defender-endpoint/device-timeline-event-flag.md

@@ -14,7 +14,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/12/2024
+ms.date: 05/17/2024
 ---
 
 # Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux 
@@ -67,7 +67,6 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
 - Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints.
 - The Linux endpoints need to have connectivity to the Mirror Server.
 - The Linux endpoint must be running any of the Defender for Endpoint supported distributions.
-
 - The Mirror Server can be either an HTTP/ HTTPS server or a network share server. For example, an NFS Server.
 - The Mirror Server needs to have access to the following URLs:
   - `https://github.com/microsoft/mdatp-xplat.git`
@@ -85,6 +84,7 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
 
   > [!NOTE]
   > This configuration may vary depending on the number of requests that are served and the load each server must process.
+
 ## Configuring the Mirror Server
 
 > [!NOTE]
@@ -138,7 +138,7 @@ The `settings.json` file consists of a few variables that the user can configure
 | Field Name               | Value  | Description                                            |
 |--------------------------|--------|--------------------------------------------------------|
 | `downloadFolder`         | string | Maps to the location where the script downloads the files to |
-| `downloadLinuxUpdates`   | bool   | When set to true, the script downloads the Linux specific updates to the `downloadFolder` |
+| `downloadLinuxUpdates`   | bool   | When set to `true`, the script downloads the Linux specific updates to the `downloadFolder` |
 | `logFilePath`            | string | Sets up the diagnostic logs at a given folder. This file can be shared with Microsoft for debugging the script if there are any issues |
 | `downloadMacUpdates`     | bool   | The script downloads the Mac specific updates to the `downloadFolder` |
 | `downloadPreviewUpdates` | bool   | Downloads the preview version of the updates available for the specific OS |
@@ -189,17 +189,21 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end
     "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/",
     "offlineDefintionUpdateFallbackToCloud":false,
     "offlineDefinitionUpdate": "enabled"
-  }
+  },
+"features": {
+"offlineDefinitionUpdateVerifySig": "enabled"
+}
 }
 ```
 
 | Field Name                                | Values               | Comments                                            |
 |-------------------------------------------|----------------------|-----------------------------------------------------|
-| `automaticDefinitionUpdateEnabled`        | True / False         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively |
-| `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds) |
-| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up |
-| `offlineDefinitionUpdate`                 | enabled / disabled   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
-| `offlineDefinitionUpdateFallbackToCloud`  | True / False         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
+| `automaticDefinitionUpdateEnabled`        | `True` / `False`         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. |
+| `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds). |
+| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. |
+| `offlineDefinitionUpdate`                 | `enabled` / `disabled`   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
+| `offlineDefinitionUpdateFallbackToCloud`  | `True` / `False`         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
+| `offlineDefinitionUpdateVerifySig`        | `enabled` / `disabled`     | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. |
 
 > [!NOTE]
 > As of today the offline security intelligence update feature can be configured on Linux endpoints via managed json only. Integration with security settings management on the security portal is in our roadmap.
@@ -212,9 +216,9 @@ To test if the settings are applied correctly on the Linux endpoints, run the fo
 mdatp health --details definitions
 ```
 
-For example, a sample output would look like:
+A sample output would look like the following code snippet:
 
-```console
+```output
 user@vm:~$ mdatp health --details definitions
 automatic_definition_update_enabled         : true [managed]
 definitions_updated                         : Mar 14, 2024 at 12:13:17 PM
@@ -262,8 +266,8 @@ offline_definition_update_fallback_to_cloud : false[managed]
 
 ### Issues: MDATP update failure
 
-- Update stuck or update didn't trigger
-- Update failed
+- Update stuck, or update didn't trigger.
+- Update failed.
 
 ### Common Troubleshooting Steps
 
@@ -294,10 +298,12 @@ offline_definition_update_fallback_to_cloud : false[managed]
 ### Known Issues:
 
 Offline signature update might fail in the following scenario:  
-You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
+
+   You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
 
 Mitigation steps:  
-The fix for this will be available in the upcoming release. 
+
+A fix for this issue is planned to release soon. 
 
 ## Useful Links
 

defender-endpoint/linux-support-offline-security-intelligence-update.md

@@ -6,7 +6,7 @@ ms.author: dansimp
 author: dansimp
 ms.reviewer: kumasumit, gopkr
 ms.localizationpriority: medium
-ms.date: 05/16/2024
+ms.date: 05/24/2024
 manager: dansimp
 audience: ITPro
 ms.collection:
@@ -65,6 +65,14 @@ There are multiple fixes and new changes in this release:
 - Stability and performance improvements.
 - Other bug fixes.
 
+**Known Issues**
+
+- There's a known issue with enrolling devices to MDE Security Management using "Device Tagging" mechanism in 24032.007 using mdatp_managed.json. To mitigate this issue, use the following mdatp CLI command to tag devices:
+
+   ```bash
+   sudo mdatp edr tag set --name GROUP --value MDE-Management
+   ```
+
 </details>
 
 <details>