defender-endpoint/machines-view-overview.md
23 additions & 23 deletions
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.collection:
13
13
- tier2
14
14
ms.topic: conceptual
15
15
search.appverid: met150
16
-
ms.date: 04/17/2024
16
+
ms.date: 07/08/2024
17
17
---
18
18
19
19
# Device inventory
@@ -32,7 +32,7 @@ ms.date: 04/17/2024
32
32
The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
33
33
34
34
> [!NOTE]
35
-
> The device inventory is available in different Microsoft Defender XDR services. The information available to you can differ depending on your license. To get the most complete set of capabilities, use [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md).
35
+
> The device inventory is available in Microsoft Defender XDR services. The information that's available to you can differ depending on your license. To get the most complete set of capabilities, use [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md).
36
36
>
37
37
> Risk Level, which can influence enforcement of Conditional Access and other security policies in Microsoft Intune, is now available for Windows devices.
38
38
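Review bot: In the changed note line (line 35), dropping "different" leaves the following sentence, "The information that's available to you can differ depending on your license", without the contrast it was referring to; "The device inventory is available across Microsoft Defender XDR services" would keep the point that the feature appears in several services while still reading cleanly.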
@@ -85,7 +85,7 @@ Use the **Onboarding Status** column to sort and filter by discovered devices, a
85
85
86
86
:::image type="content" alt-text="Image of devices list with list of devices." source="media/device-inventory.png" lightbox="media/device-inventory.png":::
87
87
88
-
From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type:
88
+
From the **Network devices** and **IoT devices** tabs, you also see information such as vendor, model, and device type:
89
89
90
90
:::image type="content" alt-text="Image of network devices list." source="media/device-inventory-networkdevices.png" lightbox="media/device-inventory-networkdevices.png":::
91
91
@@ -129,26 +129,26 @@ The counts on the top of each tab are updated based on the current view.
129
129
130
130
## Use filters to customize the device inventory views
131
131
132
-
Filter | Description
133
-
:---|:---
134
-
**Risk level** | The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
135
-
**Exposure level** | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.</br></br> If the exposure level says "No data available," there are a few reasons why:</br>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).</br>- Device with stale agent (unlikely).
136
-
**Criticality level** | The criticality level reflects how critical a device is for your organization. The possible levels are low, medium, high, or very high. Very high means that the device is considered a business critical asset. For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).
137
-
**Transient devices** | By default transient devices are filtered out of the device inventory to reduce inventory noise. You can turn transient device filtering off as needed. Learn more about [transient device filtering](transient-device-tagging.md).
138
-
**OS Platform** | Filter by the OS platforms you're interested in investigating </br></br>(_Computers and mobile and IoT devices only_).
139
-
**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name isn't yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_).
140
-
**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that stopped sending signals for more than seven days.</br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data.</br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).</br></br> (_Computers and mobile only_).
141
-
**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint.</br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but isn't currently onboarded. Microsoft highly recommends onboarding these devices.</br> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint.</br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_).
142
-
**Antivirus status** | Filter the view based on whether the antivirus status is disabled, not updated or unknown.</br></br> (_Computers and mobile only_).
143
-
**First seen** | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_).
144
-
**Tags** | Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md).
145
-
**Internet facing** | Filter the list based on whether the device is internet facing.
146
-
**Group** | Filter the list based on the group you're interested in investigating.</br></br> (_Computers and mobile only_).
147
-
**Device value** | Filter the list based on whether the device is marked as high value or low value.
148
-
**Exclusion state** | Filter the list based on whether the device is excluded or not. For more information, see [Exclude devices](exclude-devices.md).
149
-
**Managed by** | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This issue could be due the running an outdated Windows version, GPO management, or another non-Microsoft MDM.</br></br> (_Computers and mobile only_)
150
-
**Device Type** | Filter by the device type you're interested in investigating.</br></br> (_IoT devices only_)
151
-
**Mitigation status** | Filter by isolation or containment status of a device.
132
+
|Filter | Description|
133
+
|---|---|
134
+
|**Risk level**| The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.|
135
+
|**Exposure level**| The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.<br/><br/> If the exposure level says "No data available," there are a few reasons why:<br/>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.<br/>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).<br/>- Device with stale agent (unlikely).|
136
+
|**Criticality level**| The criticality level reflects how critical a device is for your organization. The possible levels are `low`, `medium`, `high`, or `very high`. `Very high` means that the device is considered a business critical asset. For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).|
137
+
|**Transient devices**| By default transient devices are filtered out of the device inventory to reduce inventory noise. You can turn transient device filtering off as needed. Learn more about [transient device filtering](transient-device-tagging.md).|
138
+
|**OS Platform**| Filter by the OS platforms you're interested in investigating <br/><br/>(*Computers and mobile and IoT devices only*). |
139
+
|**Windows version**| Filter by the Windows versions you're interested in investigating. If `future version` appears in the Windows version field, it can mean:<br/><br/> - This is a pre-release build for a future Windows release<br/> - The build has no version name<br/> - The build version name isn't yet supported <br/><br/> In all these scenarios, where available, the full OS version can be seen in the device details page.<br/><br/> (*Computers and mobile only*)<br/><br/>Windows 11 WVD onboarding is supported; however, those devices might appear as WVD 10 in the **Device Inventory** and **Device** pages. |
140
+
|**Sensor health state**| Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:<br/> - **Active**: Devices that are actively reporting sensor data to the service.<br/> - **Inactive**: Devices that stopped sending signals for more than seven days.<br/> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data.<br/> Misconfigured devices can further be classified to: <br/> - No sensor data <br/> - Impaired communications <br/> For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).<br/><br/> (*Computers and mobile only*) |
141
+
|**Onboarding status**| Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: <br/> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint.<br/> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but isn't currently onboarded. Microsoft highly recommends onboarding these devices.<br/> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint.<br/> - **Insufficient info**: The system couldn't determine the supportability of the device.<br/><br/> (*Computers and mobile only*) |
142
+
|**Antivirus status**| Filter the view based on whether the antivirus status is disabled, not updated or unknown.<br/><br/> (*Computers and mobile only*) |
143
+
|**First seen**| Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.<br/><br/>(*Computers and mobile and IoT devices only*)|
144
+
|**Tags**| Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md).|
145
+
|**Internet facing**| Filter the list based on whether the device is internet facing.|
146
+
|**Group**| Filter the list based on the group you're interested in investigating.<br/><br/> (*Computers and mobile only*) |
147
+
|**Device value**| Filter the list based on whether the device is marked as high value or low value.|
148
+
|**Exclusion state**| Filter the list based on whether the device is excluded or not. For more information, see [Exclude devices](exclude-devices.md).|
149
+
|**Managed by**|`Managed by` indicates how the device is being managed. You can filter by:<br/> - Microsoft Defender for Endpoint<br/> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach<br/>- Microsoft Configuration manager (ConfigMgr)<br/> - Unknown: This issue could be due the running an outdated Windows version, GPO management, or another non-Microsoft MDM.<br/><br/> (*Computers and mobile only*) |
150
+
|**Device Type**| Filter by the device type you're interested in investigating.<br/><br/> (*IoT devices only*) |
151
+
|**Mitigation status**| Filter by isolation or containment status of a device.|
152
152
153
153
## Use columns to customize the device inventory views
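Review bot: Several pre-existing wording errors are carried over verbatim into the rewritten rows, and since every row is being touched this is the place to fix them. In the Sensor health state row, "for devices onboard to Microsoft Defender for Endpoint" should read "onboarded to", "can further be classified to:" should be "classified as:", and "see, [Fix unhealthy sensors]" has a stray comma. In the Managed by row, "could be due the running an outdated Windows version" should be "due to running", and "Microsoft Configuration manager (ConfigMgr)" should use "Configuration Manager" as the preceding bullet does. In the Exposure level row, "less vulnerable from exploitation" should be "to exploitation". In the Criticality level row the levels are now in backticks with inconsistent casing (`very high` versus `Very high`); this is user-facing text, not code, so plain "very high" in both places is clearer. In the Windows version row, the new sentence about Windows 11 WVD devices appearing as WVD 10 is placed after the "(*Computers and mobile only*)" scope marker, whereas every other row ends with its scope marker; move the sentence before the marker so the layout stays consistent.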
defender-office-365/mdo-email-entity-page.md
2 additions & 1 deletion
@@ -476,7 +476,8 @@ The following actions are available at the top of the Email entity page:
476
476
² You can preview or download email messages that are available in Microsoft 365 mailboxes. Examples of when messages are no longer available in mailboxes include:
477
477
478
478
- The message was dropped before delivery or delivery failed.
479
-
- The message was _soft deleted_ (deleted from the Deleted items folder, which moves the message to the Recoverable Items\Deletions folder).
479
+
- The message was _hard deleted_.
480
+
- The message has a delivery location of _On-prem/External_.
480
481
- ZAP moved the message to quarantine.
481
482
482
483
:::image type="content" source="media/email-entity-available-actions.png" alt-text="Screenshot of the available actions at the top of the Email entity page." lightbox="media/email-entity-available-actions.png":::
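Review bot: Removing the soft-deleted bullet silently changes what the list claims. The old line told the reader that a message moved to Recoverable Items\Deletions is no longer available for preview or download; the new list names only hard deletion and the On-prem/External delivery location. If soft-deleted messages are now retrievable from the Email entity page, say so explicitly (that is a behavior change readers will want to know about); if they are not, keep the soft-deleted bullet alongside the new ones rather than replacing it.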
defender-xdr/configure-email-notifications.md
4 additions & 1 deletion
@@ -12,7 +12,7 @@ ms.collection:
12
12
- tier2
13
13
ms.topic: conceptual
14
14
search.appverid: met150
15
-
ms.date: 10/11/2023
15
+
ms.date: 07/08/2024
16
16
---
17
17
18
18
# Configure alert notifications in Microsoft Defender XDR
@@ -37,6 +37,9 @@ You can set the alert severity levels that trigger notifications. You can also a
37
37
38
38
If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
39
39
40
+
> [!NOTE]
41
+
> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
42
+
40
43
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
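Review bot: The new note tells readers to avoid the Global Administrator role, but the unchanged paragraph just above it (line 38) states that only Global administrators can manage notification rules configured for all device groups, so the reader is told to avoid the only role the page says works for that task. Either name the lower-privileged role that can manage all-device-group rules, or scope the note to the per-device-group case where another role fits. The role name is also written "Global administrator" in line 38 and "Global Administrator" in the note; use one form.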
defender-xdr/deception-overview.md
4 additions & 1 deletion
@@ -16,7 +16,7 @@ ms.topic: conceptual
16
16
search.appverid:
17
17
- MOE150
18
18
- MET150
19
-
ms.date: 05/02/2023
19
+
ms.date: 07/08/2024
20
20
---
21
21
22
22
# Manage the deception capability in Microsoft Defender XDR
@@ -50,6 +50,9 @@ The following table lists the requirements to enable the deception capability in
50
50
> |Deployment requirements|Requirements:</br> - Defender for Endpoint is the primary EDR solution</br> - [Automated investigation and response capabilities in Defender for Endpoint](/defender-endpoint/configure-automated-investigations-remediation) is configured</br> - Devices are [joined](/entra/identity/devices/concept-directory-join/) or [hybrid joined](/entra/identity/devices/concept-hybrid-join/) in Microsoft Entra</br> - PowerShell is enabled on the devices</br> - The deception feature covers clients operating on Windows 10 RS5 and later in preview|
51
51
> |Permissions|You must have one of the following roles assigned in the [Microsoft Entra admin center](https://entra.microsoft.com) or in the [Microsoft 365 admin center](https://admin.microsoft.com) to configure deception capabilities:</br> - Global administrator</br> - Security administrator</br> - Manage portal system settings|
52
52
53
+
> [!NOTE]
54
+
> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
55
+
53
56
## What is deception technology?
54
57
55
58
Deception technology is a security measure that provides immediate alerts of a potential attack to security teams, allowing them to respond in real-time. Deception technology creates fake assets like devices, users, and hosts that appear to belong to your network.
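Review bot: Role capitalization is inconsistent between the Permissions row (line 51: "Global administrator", "Security administrator") and the new note ("Global Administrator"); investigate-alerts.md in this same commit standardizes on the title-cased form, so update the table row to match. Also, the requirements table is itself inside a blockquote (every row starts with ">"), and the note is a second blockquote separated only by a blank line; confirm in the rendered output that it appears as a callout rather than as a continuation of the table's quote block.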
defender-xdr/investigate-alerts.md
5 additions & 2 deletions
@@ -79,8 +79,8 @@ An alert can have system tags and/or custom tags with certain color backgrounds.
79
79
You'll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:
80
80
81
81
- For Microsoft Entra global roles:
82
-
- Global administrator
83
-
- Security administrator
82
+
- Global Administrator
83
+
- Security Administrator
84
84
- Security Operator
85
85
- Global Reader
86
86
- Security Reader
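Review bot: The lowercase forms fixed here at lines 82-83 ("Global administrator", "Security administrator") still appear unchanged in other files touched by this commit (the Permissions row in deception-overview.md, line 38 of configure-email-notifications.md, and the closing sentence of m365d-configure-auto-investigation-response.md), so the same title-case correction should be applied there for consistency across the set.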
@@ -91,6 +91,9 @@ You'll need to have any of the following roles to access Microsoft Defender for
91
91
92
92
- A [custom role](custom-roles.md)
93
93
94
+
> [!NOTE]
95
+
> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
96
+
94
97
## Analyze an alert
95
98
96
99
To see the main alert page, select the name of the alert. Here's an example.
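Review bot: The note added at lines 94-96 is the same two sentences inserted verbatim into four articles in this commit; a shared include file would keep the wording in one place so that future edits (for example, naming the recommended lower-privileged role) do not have to be repeated in every article and cannot drift apart.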
defender-xdr/m365d-configure-auto-investigation-response.md
4 additions & 1 deletion
@@ -9,7 +9,7 @@ audience: ITPro
9
9
ms.topic: how-to
10
10
ms.service: defender-xdr
11
11
ms.localizationpriority: medium
12
-
ms.date: 06/11/2024
12
+
ms.date: 07/08/2024
13
13
ms.collection:
14
14
- m365-security
15
15
- tier2
@@ -46,6 +46,9 @@ Then, after you're all set up, you can [view and manage remediation actions in t
46
46
|Protection for email content and Office files|<ul><li>[Microsoft Defender for Office 365 is configured](/defender-office-365/mdo-deployment-guide#step-2-configure-protection-policies)</li><li>[Automated investigation and remediation capabilities in Defender for Endpoint are configured](/defender-endpoint/configure-automated-investigations-remediation) (required for manual response actions, such as deleting email messages on devices)</li></ul>|
47
47
|Permissions|To configure automated investigation and response capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).|
48
48
49
+
> [!NOTE]
50
+
> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
51
+
49
52
## Review or change the automation level for device groups
50
53
51
54
Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:
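Review bot: The trailing context line (line 54) still reads "You must be a global administrator or security administrator to perform the following procedure" in lowercase immediately after the new note uses "Global Administrator"; align the casing while this file is being edited. Separately, the Permissions row (line 47) links "Microsoft Entra ID" to <https://portal.azure.com>, whereas deception-overview.md in this same commit points readers to the Microsoft Entra admin center (https://entra.microsoft.com) for the same role assignment; using the Entra admin center URL here too would make the two articles consistent.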