Merge branch 'main' into docs-editor/fixed-reported-inaccuracies-1744100267

Author: denisebmsft

defender-endpoint/defender-antivirus-compatibility-without-mde.md

@@ -6,7 +6,7 @@ ms.author: deniseb
 ms.reviewer: yongrhee
 ms.service: defender-endpoint
 ms.topic: conceptual
-ms.date: 01/23/2025
+ms.date: 04/09/2025
 ms.subservice: ngp
 search.appverid: met150
 ms.localizationpriority: medium
@@ -84,7 +84,7 @@ Uninstall-WindowsFeature Windows-Defender-Gui
 
 **Q:** Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint?
 
-**A:** No. Passive mode is a functionality in Microsoft Defender for Endpoint Plan 2.
+**A:** No. Passive mode is a functionality in Microsoft Defender for Endpoint Plan 1, Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business.
 
 **Q:** Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Microsoft Defender for Endpoint?
 

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -98,17 +98,24 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
-### March-2025 (Engine 1.1.25030.1)
+### March-2025 (Platform: 4.18.25030.2 | Engine 1.1.25030.1)
 
 - Security intelligence update version: **1.427.3.0**
-- Release date: **April 1, 2025** (Engine only)
-- Platform: **4.18.25020.1009**
+- Release date: **April 1, 2025** (Engine) / **April 9, 2025** (Platform)
+- Platform: **4.18.25030.2**
 - Engine: **1.1.25030.1**
 - Support phase: **Security and Critical Updates**
 
 #### What's new
 
-- Product improvements
+- Improved caching of [device control settings](device-control-policies.md) to improve reliability in occasionally connected environments. 
+- Performance improvement in on-access scans of files in network locations.
+- Fixed the Defender service description to match the latest installed version.
+- Improved Defender engine update logic when the update is included in a custom image.
+- Fix in health reporting where signature update data might have been incorrect.
+- Fixed reporting issue with [controlled folder access](controlled-folders.md) (CFA) protected folders using the PowerShell cmdlet [Get-MpPreference](/powershell/module/defender/get-mppreference) when CFA is disabled.
+- Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
+- Added support for distinguishing regular cloud allow signatures from clean [Indicators of Compromise](indicators-overview.md) (IoC) in [attack surface reduction](attack-surface-reduction.md) (ASR).
 
 ### February-2025 (Platform 4.18.25020.1009 | Engine: 1.1.25020.1007)
 
@@ -155,31 +162,6 @@ Updates contain:
 - Improved device control policy enforcement in offline environments.
 - Fixed issue in the `WDNisDrv.sys` driver that caused system hangs during shutdown.
 
-### September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)
-
-- Security intelligence update version: **1.421.12.0**
-- Release date: **October 30, 2024** (Engine and Platform)
-- Platform: **4.18.24090.11**
-- Engine: **1.1.24090.11**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Improved detection logic to reduce false positives related to the Azure Site Recovery rule, [Block Office applications from injecting code into other processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes)
-- Resolved an issue that could lead to a Windows device to be marked as [noncompliant in Intune](/mem/intune/fundamentals/reports#device-compliance-reports) when Microsoft Defender Antivirus starts.
-- Resolved an issue with catchup scan configuration, where the [DaysUntilAggressiveCatchupQuickScan](/windows/client-management/mdm/defender-csp#configurationdaysuntilaggressivecatchupquickscan) policy setting wasn't honored.
-- Fixed `SharedSignatureRoot` processing when an empty value was set.
-- Fixed a problem with [device control](device-control-overview.md) where certain file systems (like `FAT`, `FAT32`, `exFAT`) with volume information displayed when a blocking rule was defined.
-- Improved performance in specific scenarios where network files were accessed.
-- Fixed an issue with [Azure Virtual Desktop](/azure/virtual-desktop/overview) where the Intune policy wasn't being honored.
-- Fixed potential deadlock for [custom detection rules](/defender-xdr/custom-detection-rules) on the Windows client
-- Resolved an issue where [antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md) weren't being honored with [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal).
-- Fixed issue impacting a subset of devices where [antivirus exclusions configured through SCCM](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) weren't honored
-
-> [!IMPORTANT]
-> On Windows Server 2019 and later, a new binary (`MpDefenderCoreService.exe`) will be included in the update package to support future service improvements (more information to follow).
-
-
 ### Previous version updates: Technical upgrade support only
 
 After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 04/01/2025
+ms.date: 04/07/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,30 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)
+
+- Security intelligence update version: **1.421.12.0**
+- Release date: **October 30, 2024** (Engine and Platform)
+- Platform: **4.18.24090.11**
+- Engine: **1.1.24090.11**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Improved detection logic to reduce false positives related to the Azure Site Recovery rule, [Block Office applications from injecting code into other processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes)
+- Resolved an issue that could lead to a Windows device to be marked as [noncompliant in Intune](/mem/intune/fundamentals/reports#device-compliance-reports) when Microsoft Defender Antivirus starts.
+- Resolved an issue with catchup scan configuration, where the [DaysUntilAggressiveCatchupQuickScan](/windows/client-management/mdm/defender-csp#configurationdaysuntilaggressivecatchupquickscan) policy setting wasn't honored.
+- Fixed `SharedSignatureRoot` processing when an empty value was set.
+- Fixed a problem with [device control](device-control-overview.md) where certain file systems (like `FAT`, `FAT32`, `exFAT`) with volume information displayed when a blocking rule was defined.
+- Improved performance in specific scenarios where network files were accessed.
+- Fixed an issue with [Azure Virtual Desktop](/azure/virtual-desktop/overview) where the Intune policy wasn't being honored.
+- Fixed potential deadlock for [custom detection rules](/defender-xdr/custom-detection-rules) on the Windows client
+- Resolved an issue where [antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md) weren't being honored with [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal).
+- Fixed issue impacting a subset of devices where [antivirus exclusions configured through SCCM](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) weren't honored
+
+> [!IMPORTANT]
+> On Windows Server 2019 and later, a new binary (`MpDefenderCoreService.exe`) will be included in the update package to support future service improvements (more information to follow).
+
 ### August-2024 (Platform: 4.18.24080.9 | Engine: 1.1.24080.9)
 
 - Security intelligence update version: **1.419.1.0**

defender-xdr/get-started-xdr.md

@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 03/05/2025
+ms.date: 04/10/2025
 ---
 
 # Get started with Microsoft Defender Experts for XDR
@@ -99,7 +99,7 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
 :::image type="content" source="media/exclude-user-groups.png" alt-text="Screenshot to exclude user groups in Defender Experts for XDR." lightbox="media/exclude-user-groups.png":::
 
 > [!NOTE]
-> You can only exclude users by adding them to an Microsoft Entra ID security group. On-prem Entra ID users cannot be excluded at this time.
+> You can only exclude users by adding them to a Microsoft Entra ID security group. On-prem Entra ID users cannot be excluded at this time.
 
 To edit or update exclusions after the initial setup, go to **Settings** > **Defender Experts** > **Exclusions**, then go to the **Device groups** or **User groups** tab.
 
@@ -162,13 +162,15 @@ Apart from email and [in-portal chat](communicate-defender-experts-xdr.md#in-por
 
 **To turn on Teams notifications and chat:**
 
-1. In the same Defender Experts settings setup, under **Teams**, select the **Communicate on Teams** checkbox.  
+1. In the same Defender Experts settings setup, under **Teams**, select the **Communicate on Teams** checkbox. This creates a private team **Defender Experts team** with a **Managed Response** channel in it. The page then updates to show a **Open Teams channel** link.
 
-2. Select **Next** to review your settings.
+2. Add your SOC team members to the channel created, by navigating to **Microsoft Teams** > **Defender Experts team** > **More options (...)** > **Manage team** > **Add member**.
 
-3. Select **Submit**. The step-by-step guide then completes the initial setup.
+3. Select **Next** to review your settings.
 
-4. Select **View readiness assessment** to complete the necessary actions required to [optimize your security posture](#prepare-your-environment-for-the-defender-experts-service).
+4. Select **Submit**. The step-by-step guide then completes the initial setup.
+
+5. Select **View readiness assessment** to complete the necessary actions required to [optimize your security posture](#prepare-your-environment-for-the-defender-experts-service).
 
 > [!NOTE]
 > To set up the Defender Experts Teams application, you must have either the **Global administrator** or **Security administrator** role assigned, and a Microsoft Teams license.
@@ -177,8 +179,6 @@ To turn on Teams notifications and chat after the initial setup, go to **Setting
 
 :::image type="content" source="/defender/media/xdr/Teams-managed-response.png" alt-text="Screenshot of option to activate Teams for receiving managed response." lightbox="/defender/media/xdr/Teams-managed-response.png":::
 
-- You can add new members to the channel by navigating to **Defender Experts team** \> **More options (...)** >  **Manage team** > **Add member**.
-- You can limit who can join this team by navigating to **Defender Experts team** > **More options (...)** > **Settings** > **Edit** > **Manage team** > **Private**.
 
 ## Prepare your environment for the Defender Experts service