Merge pull request #2520 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/defender-docs (branch public)

Author: Ruchika-mittal01

defender-endpoint/defender-endpoint-false-positives-negatives.md

@@ -212,9 +212,11 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi
 
 - [Create "allow" indicators for Microsoft Defender for Endpoint](#indicators-for-defender-for-endpoint)
 - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
+- For Attack Surface Reduction Rule exclusions [Configure attack surface reduction per-rule exclusions](/defender-endpoint/attack-surface-reduction-rules-deployment-test#configure-attack-surface-reduction-per-rule-exclusions) or you can leverage [ASR rule only exclusions](/defender-endpoint/enable-attack-surface-reduction#exclude-files-and-folders-from-attack-surface-reduction-rules)
 
 > [!NOTE]
 > Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use [custom indicators](indicators-overview.md) for Microsoft Defender for Endpoint and exclusions for Microsoft Defender Antivirus.
+> ASR Rules can leverage ASR Rule Exclusions - where the exclusions apply to all ASR Rules; ASR per Rule Exclusions; Defender AV exclusions; as well as allow indicators defined in Custom Indicators.
 
 The procedures in this section describe how to define indicators and exclusions.
 

defender-endpoint/evaluate-mdav-using-gp.md

@@ -180,13 +180,13 @@ Disable local administrator AV settings such as exclusions, and enforce the poli
 | --- | --- |
 | Prevent users and apps from accessing dangerous websites | Enabled, Block |
 | This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server | Enabled |
-| Allow Network Protection Down Level | Network protection is enabled downlevel |
-| Allow Datagram Processing On Win Server | Datagram processing on Windows Server is enabled |
-| Disable DNS over TCP parsing | DNS over TCP parsing is enabled |
-| Disable HTTP parsing | HTTP parsing is enabled |
-| Disable SSH parsing | SSH parsing is enabled |
-| Disable TLS parsing | TLS parsing is enabled |
-| Enable DNS Sinkhole | DNS Sinkhole is enabled |
+
+To enable Network Protection for Windows Servers, for now, please use Powershell:
+
+| OS | Powershell cmdlet |
+| --- | --- |
+| Windows Server 2012 R2Windows Server 2022 and later	| set-MpPreference -AllowNetworkProtectionOnWinServer $true |
+| Windows Server 2016 and Windows Server 2012 R2 [unified MDE client](/defender-endpoint/update-agent-mma-windows#upgrade-to-the-new-unified-agent-for-defender-for-endpoint) | set-MpPreference -AllowNetworkProtectionOnWinServer $true and set-MpPreference -AllowNetworkProtectionDownLevel $true
 
 ## Attack Surface Reduction Rules
 
@@ -207,7 +207,7 @@ Disable local administrator AV settings such as exclusions, and enforce the poli
 | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb<br><br>**Note:** ( \[PREVIEW\] Block use of copied or impersonated system tools) | 1 (Block) |
 | d3e037e1-3eb8-44c8-a917-57927947596d<br><br>**Note:** (Block JavaScript or VBScript from launching downloaded executable content) | 1 (Block) |
 | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2<br><br>**Note:** (Block credential stealing from the Windows local security authority subsystem) | 1 (Block) |
-| a8f5898e-1dc8-49a9-9878-85004b8a61e6<br><br>**Note:** (Block Webshell creation for Servers) | 1 (Block) |
+| a8f5898e-1dc8-49a9-9878-85004b8a61e6<br><br>**Note:** (Block Web shell creation for Servers) | 1 (Block) |
 | 3b576869-a4ec-4529-8536-b80a7769e899<br><br>**Note:** (Block Office applications from creating executable content) | 1 (Block) |
 | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4<br><br>**Note:** (Block untrusted and unsigned processes that run from USB) | 1 (Block) |
 | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84<br><br>**Note:** (Block Office applications from injecting code into other processes) | 1 (Block) |

defender-endpoint/microsoft-defender-antivirus-compatibility.md

@@ -207,12 +207,13 @@ You can use one of several methods to confirm the state of Microsoft Defender An
 - [Use Windows PowerShell to confirm that antivirus protection is running](#use-windows-powershell-to-confirm-that-antivirus-protection-is-running).
 
 > [!IMPORTANT]
-> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it place Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode.
+> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode.
 > 
 > - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled.
 > - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead.
 > 
 > Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`.
+>Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is in block mode.
 
 ### Use the Windows Security app to identify your antivirus app