Merge branch 'main' into docs-editor/mtd-1728304149

Author: denisebmsft

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -7,15 +7,15 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.reviewer: sugamar, niwelton
+ms.reviewer: sugamar, yongrhee
 manager: deniseb
 ms.custom: asr
 ms.topic: reference
 ms.collection: 
 - m365-security
 - tier2
 - mde-asr
-ms.date: 09/07/2024
+ms.date: 10/07/2024
 search.appverid: met150
 ---
 
@@ -109,11 +109,11 @@ The following ASR rules DO NOT honor Microsoft Defender for Endpoint Indicators
 The following table lists the supported operating systems for rules that are currently released to general availability. The rules are listed alphabetical order in this table.
 
 > [!NOTE]
-> Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the minimum Windows Server build is version 1809 or later.
+> Unless otherwise indicated, the minimum Windows10 build is version 1709 (RS3, build 16299) or later; the minimum WindowsServer build is version 1809 or later.
 >
-> Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
+> Attack surface reduction rules in WindowsServer2012R2 and WindowsServer2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 
-| Rule name| Windows&nbsp;11 <br>and<br> Windows&nbsp;10 | Windows&nbsp;Server <br> 2022 <br>and<br>  Windows&nbsp;Server <br> 2019 | Windows Server | Windows&nbsp;Server <br> 2016 <sup>[[1, 2](#fn1)]</sup> | Windows&nbsp;Server <br> 2012&nbsp;R2 <sup>[[1, 2](#fn1)]</sup> |
+| Rule name| Windows11 <br>and<br> Windows10 | WindowsServer <br> 2022 <br>and<br>  WindowsServer <br> 2019 | Windows Server | WindowsServer <br> 2016 <sup>[[1, 2](#fn1)]</sup> | WindowsServer <br> 2012R2 <sup>[[1, 2](#fn1)]</sup> |
 |:---|:---:|:---:|:---:|:---:|:---:|
 | [Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y | Y <br> version 1803 (Semi-Annual Enterprise Channel) or later | Y | Y |
 | [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | Y <br> version 1809 or later <sup>[[3](#fn1)]</sup> | Y | Y | Y | Y |
@@ -137,9 +137,9 @@ The following table lists the supported operating systems for rules that are cur
 
 (<a id="fn1">1</a>) Refers to the modern unified solution for Windows Server 2012 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
 
-(<a id="fn1">2</a>) For Windows&nbsp;Server 2016 and Windows&nbsp;Server 2012&nbsp;R2, the minimum required version of Microsoft Endpoint Configuration Manager is version 2111.
+(<a id="fn1">2</a>) For WindowsServer 2016 and WindowsServer 2012R2, the minimum required version of Microsoft Endpoint Configuration Manager is version 2111.
 
-(<a id="fn1">3</a>) Version and build number apply only to Windows&nbsp;10.
+(<a id="fn1">3</a>) Version and build number apply only to Windows10.
 
 ## ASR rules supported configuration management systems
 
@@ -180,31 +180,32 @@ Toast notifications are generated for all rules in Block mode. Rules in any othe
 
 For rules with the "Rule State" specified:
 
-- ASR rules with \<ASR Rule, Rule State\> combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level **High**. Devices not at High cloud block level won't generate alerts for any <ASR Rule, Rule State> combinations
-- EDR alerts are generated for ASR rules in the specified states, for devices at cloud block level **High+**
+- ASR rules with `\ASR Rule, Rule State\` combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level "High". 
+- Devices that not at the high cloud block level don't generate alerts for any `ASR Rule, Rule State` combinations
+- EDR alerts are generated for ASR rules in the specified states, for devices at cloud block level "High+"
+- Toast notifications occur in block mode only and for devices at cloud block level "High"
 
-| Rule name: | Rule state: | Generates alerts in EDR? <br> (Yes&nbsp;\|&nbsp;No) | Generates toast notifications? <br> (Yes&nbsp;\|&nbsp;No) |
-|---|:---:|:---:|:---:|
-|   |   |  _Only for devices at cloud block level **High+**_ | _In Block mode only_ and _only for devices at cloud block level **High**_|
+| Rule name | Rule state | EDR alerts | Toast notifications |
+|---|---|---|---|
 |[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) |   | N  | Y |
 |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | Block  | Y   | Y  |
 |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) |   | N | Y |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |   | N | Y |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |   | N | N |
 |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) |   | Y  | Y  |
 |[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) |   | N | Y |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) |  Audit&nbsp;\|&nbsp;Block | Y \| Y   | N \| Y  |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) |  Audit or Block | Y (in block mode) <br/>N (in audit mode) | Y (in block mode)  |
 |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | Block | Y   | Y  |
 |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) |   | N | Y |
 |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)  |   | N | Y |
 |[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |  |  N | Y |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) |  Audit&nbsp;\|&nbsp;Block | Y \| Y   | N \| Y  |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) |  Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode) | 
 |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) |   | N | Y |
 |[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | | N | N |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Audit&nbsp;\|&nbsp;Block | Y \| Y   | N \| Y  |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode)  |
 |[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | | N | N |
 |[Block Webshell creation for Servers](#block-webshell-creation-for-servers) |   | N | N |
 |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) |   | N | Y |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Audit&nbsp;\|&nbsp;Block | Y \| Y   | N \| Y  |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode)  |
 
 ## ASR rule to GUID matrix
 
@@ -239,9 +240,9 @@ For rules with the "Rule State" specified:
 
 _Warn mode_ is a block-mode type that alerts users about potentially risky actions. Users can choose to bypass the block warning message and allow the underlying action. Users can select **OK** to enforce the block, or select the bypass option - **Unblock** - through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.
 
-When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.
+When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule is in blocked mode.
 
-You can also set a rule in warn mode via PowerShell by specifying the AttackSurfaceReductionRules_Actions as "Warn". For example:
+You can also set a rule in warn mode via PowerShell by specifying the `AttackSurfaceReductionRules_Actions` as "Warn". For example:
 
 ```powershell
 Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn

defender-endpoint/manage-gradual-rollout.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 09/25/2024
+ms.date: 10/07/2024
 ---
 
 # Manage the gradual rollout process for Microsoft Defender updates
@@ -90,7 +90,7 @@ The following update channels are available:
 
 ### Update channels for security intelligence updates
 
-You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day.
+You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, this gradual release cycle occurs multiple times a day.
 
 |Channel name|Description|Application|
 |---|---|---|

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 09/10/2024
+ms.date: 10/07/2024
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -96,8 +96,8 @@ In general you need to take the following steps:
   - Ubuntu 22.04 LTS
   - Ubuntu 24.04 LTS
   - Debian 9 - 12
-  - SUSE Linux Enterprise Server 12 or higher
-  - SUSE Linux Enterprise Server 15 or higher
+  - SUSE Linux Enterprise Server 12.x
+  - SUSE Linux Enterprise Server 15.x
   - Oracle Linux 7.2 or higher
   - Oracle Linux 8.x
   - Oracle Linux 9.x

defender-for-iot/enterprise-iot-get-started.md

@@ -13,7 +13,7 @@ ms.topic: how-to
 
 Enterprise IoT security improves the monitoring and protection of the IoT devices in your network, such as printers, smart TVs, Voice over Internet Protocol (VoIP) devices, conferencing systems and purpose-built, proprietary devices.
 
-The security monitoring includes IoT related alerts, vulnerabilities, and recommendations that are integrated with your existing Microsoft Defender for Endpoint data. To understand more about the integration between Defender for Endpoint and Defender for IoT, see [enterprise IoT overview](enterprise-iot.md).
+The security monitoring includes IoT related vulnerabilities and recommendations that are integrated with your existing Microsoft Defender for Endpoint data. To understand more about the integration between Defender for Endpoint and Defender for IoT, see [enterprise IoT overview](enterprise-iot.md).
 
 In this article you'll learn how to add enterprise IoT to your Microsoft Defender portal and use the IoT specific security features to protect your IoT environment.
 

defender-for-iot/enterprise-iot-licenses.md

@@ -11,21 +11,21 @@ ms.topic: overview
 
 # Set up and manage enterprise IoT security licenses
 
-Enterprise IoT security improves the monitoring and protection of the IoT devices in your network, such as printers, smart TVs, Voice over Internet Protocol (VoIP) devices, conferencing systems and purpose-built, proprietary devices. The security monitoring includes IoT related alerts, vulnerabilities, and recommendations that are integrated with your existing Microsoft Defender for Endpoint data.
+Enterprise IoT security improves the monitoring and protection of the IoT devices in your network, such as printers, smart TVs, Voice over Internet Protocol (VoIP) devices, conferencing systems and purpose-built, proprietary devices. The security monitoring includes IoT related vulnerabilities and recommendations that are integrated with your existing Microsoft Defender for Endpoint data.
 
 [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
 
 ## Enterprise IoT licenses
 
 To add enterprise IoT security to Defender for Endpoint, there are two options available depending on your existing license:
 
-- Customers with Microsoft 365 E5 (ME5) or E5 Security plans already have enterprise IoT available, but just need to turn on the feature. Each license supports five devices per ME5/ E5 Security license.
+- Customers with Microsoft 365 E5 (ME5) or E5 Security plans have access to enterprise IoT capapbilities as part of their existing subscription, and just need to enable it. Each license supports five devices per ME5/ E5 Security license.
 
     To turn on enterprise IoT, see [ME5/ E5 Security customers](enterprise-iot-get-started.md#me5-e5-security-customers).
 
     To turn off enterprise IoT, see [turn off enterprise IoT security](enterprise-iot-manage.md#turn-off-enterprise-iot-security).
 
-- Customers with a Defender for Endpoint P2 license only can use a trial standalone license for monitoring enterprise IoT devices. A trial license supports 100 devices.
+- Customers with a Defender for Endpoint P2 license only can try out the product for free with a trial standalone license for monitoring enterprise IoT devices. A trial license supports 100 devices.
 
     Start your enterprise IoT trial using the [Microsoft Defender for IoT - EIoT Device License - add-on wizard](https://signup.microsoft.com/get-started/signup?products=b2f91841-252f-4765-94c3-75802d7c0ddb&ali=1&bac=1) or via the [Microsoft 365 admin center](https://portal.office.com/AdminPortal/Home#/catalog).
 

defender-for-iot/enterprise-iot-manage.md

@@ -13,7 +13,7 @@ ms.topic: how-to
 
 Enterprise IoT security improves the monitoring and protection of the IoT devices in your network, such as printers, smart TVs, Voice over Internet Protocol (VoIP) devices, conferencing systems and purpose-built, proprietary devices.
 
-When enterprise IoT is activated, the data for alerts, recommendations, and vulnerabilities is shown in the Microsoft Defender portal.
+When enterprise IoT is activated, the data for recommendations and vulnerabilities is shown in the Microsoft Defender portal.
 
 ## View enterprise IoT data in the Defender portal
 

defender-for-iot/enterprise-iot.md

@@ -19,7 +19,7 @@ While the number of IoT devices continues to grow, they often lack the security
 
 ## Enterprise IoT monitoring in the Defender portal
 
-Extend Microsoft Defender for IoT's security features to include enterprise IoT devices. Add the enterprise IoT security feature to your existing Microsoft Defender for Endpoint license, and view related alerts, vulnerabilities, and recommendations for IoT devices that are seemlessly integrated into the Microsoft Defender portal.
+Extend Microsoft Defender for IoT's security features to include enterprise IoT devices. Add the enterprise IoT security feature to your existing Microsoft Defender for Endpoint license, and view related vulnerabilities and recommendations for IoT devices that are seemlessly integrated into the Microsoft Defender portal.
 
 :::image type="content" source="media/enterprise-iot/eiot-architecture.png" alt-text="The architecture showing the use of enterprise IoT":::
 
@@ -31,13 +31,7 @@ Extend Microsoft Defender for IoT's security features to include enterprise IoT
 
 ## Enterprise IoT data in the Defender portal
 
-Enterprise IoT data for features such as alerts, recommendations and vulnerabilities, seamlessly integrates with other data in the Defender portal.
-
-### Alerts
-
-Most Defender for Endpoint alerts are also relevant for enterprise IoT devices, such as alerts for scans involving managed endpoints. Alerts for enterprise IoT devices detected by Defender for Endpoint are only available in Defender for Endpoint.
-
-For more information, see [Alerts queue in Microsoft 365 Defender](/defender-endpoint/alerts-queue).
+Enterprise IoT data for features such as recommendations and vulnerabilities, seamlessly integrates with other data in the Defender portal.
 
 ### Recommendations
 

defender-for-iot/media/enterprise-iot/eiot-architecture.png

@@ -27,7 +27,7 @@ You can work with these different management portals:
 |Defender for IoT in the Defender portal (Preview)|Microsoft Defender customers can use this portal for a unified IT/OT experience, extending Defender XDR protection to OT environments. [Learn about the main use cases](#what-are-the-main-defender-for-iot-use-cases).|[Get started](get-started.md) with Defender for IoT in the Defender portal.|
 |Defender for IoT in the classic, Azure portal|All customers can use this portal to identify OT devices, vulnerabilities, and threats in the Azure portal.|See the [Defender for IoT on Azure overview](/azure/defender-for-iot/organizations/overview).|
 
-Protection for enterprise IoT devices is available for Microsoft Defender customers. These customers can enable protection for enterprise IoT devices, like printers, smart TVs, and conferencing systems and purpose-built, proprietary devices. [Get started](/azure/defender-for-iot/organizations/eiot-sensor) with enterprise IoT monitoring.
+Protection for enterprise IoT devices is available for Microsoft Defender customers. These customers can enable protection for enterprise IoT devices, like printers, smart TVs, and conferencing systems and purpose-built, proprietary devices. [Get started](/defender-for-iot/enterprise-iot-get-started) with enterprise IoT monitoring.
 
 ## Who uses Defender for IoT?
 

defender-for-iot/microsoft-defender-iot.md

@@ -20,7 +20,13 @@ This article describes features available in Microsoft Defender for IoT in the D
 
 |Service area  |Updates  |
 |---------|---------|
-| **OT networks** | - [New Building Management Systems (BMS) device category](#new-building-management-systems-bms-device-category) |
+| **OT networks** | - [Review unmanaged enterprise IoT devices in Microsoft Security Exposure Management Initiatives page](#review-unmanaged-enterprise-iot-devices-in-microsoft-security-exposure-management-initiatives-page)<br>- [New Building Management Systems (BMS) device category](#new-building-management-systems-bms-device-category)|
+
+### Review unmanaged enterprise IoT devices in Microsoft Security Exposure Management Initiatives page
+
+You can now review the new Enterprise IoT Security initiative in the Microsoft Security Exposure Management Initiatives page. This new initiative provides a metric-driven way of tracking exposure about unmanaged enterprise IoT devices.
+
+For more information, see the [Microsoft Security Exposure Management release notes](/security-exposure-management/whats-new#new-enterprise-iot-security-initiative).
 
 ### New Building Management Systems (BMS) device category