Merge pull request #1123 from MicrosoftDocs/main

Publish main to live 08/12/2024, 3:30 PM

Author: garycentric

defender-endpoint/configure-endpoints-mdm.md

@@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 03/28/2024
+ms.date: 08/12/2024
 ---
 
 # Onboard Windows devices to Defender for Endpoint using Intune 
@@ -65,31 +65,39 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
 
-1. Get the offboarding package from <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>:
+1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com) as follows:
 
-   2. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
+   1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.
 
-   3. Select Windows 10 or Windows 11 as the operating system.
+   2. Select **Windows 10 or Windows 11** as the operating system.
 
-   4. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+   3. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
 
-   5. Click **Download package**, and save the .zip file.
+   4. Click **Download package**, and save the .zip file.
 
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named `WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding`.
 
-3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.
+3. In Microsoft Intune admin center, create a custom configuration policy.
 
-   - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
-   - Date type: String
-   - Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
+   1. In the navigation pane, select **Devices** \> **By platform** \> **Windows** \> **Manage Devices** \> **Configuration**.
+   2. Under **Policies** click **Create** \> **New Policy**.
+   3. In the **Create a profile** slide out, select **Windows 10 and later** as **Platform** and **Templates** as **Profile Type**.
+   4. Under **Template Name**, click the **Custom** template and click **Create**.
+   5. Enter a value for **Name** and click **Next**. 
+   6. Under **Configuration settings**, click **Add** and use the following OMA-URI settings.
+      - Name: Provide a name
+      - OMA-URI: `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding`
+      - Date type: String
+      - Value: *Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file*
+   7. Make the appropriate group assignments, applicability rules, and on the **Review + create** step, click the **Create** button to finish the policy.
 
 For more information on Microsoft Intune policy settings, see [Windows 10 policy settings in Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10).
 
 > [!NOTE]
 > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
 
 > [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the device to stop sending sensor data to Defender for Endpoint, but data from the device, including references to any alerts it has, is retained for up to 6 months.
 
 ## Related articles
 

defender-endpoint/data-storage-privacy.md

@@ -16,7 +16,7 @@ ms.collection:
 - essentials-compliance
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 05/14/2024
+ms.date: 08/12/2024
 ---
 
 # Microsoft Defender for Endpoint data storage and privacy
@@ -63,7 +63,7 @@ In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wi
 
 ## Data storage location
 
-Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, or Switzerland. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
+Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
 
 Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
 

defender-endpoint/mde-plugin-wsl.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 08/05/2024
+ms.date: 08/12/2024
 search.appverid: MET150
 ---
 
@@ -145,28 +145,12 @@ For example, if your host machine has both `Winhttp proxy` and `Network & Intern
 
 ## Connectivity test for Defender running in WSL
 
-The following procedure describes how to confirm that Defender in Endpoint in WSL has internet connectivity.
+The defender connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
 
-1. Open Registry Editor as an administrator.
-
-2. Create a registry key with the following details:
-
-   - **Name**: `ConnectivityTest`
-   - **Type**: `REG_DWORD`
-   - **Value**: `Number of seconds plug-in must wait before running the test. (Recommended: 60 seconds)`
-   - **Path**:  `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
-
-3. Once the registry is set, restart wsl using the following steps:
-
-   1. Open Command Prompt and run the command, `wsl --shutdown`.
-
-   2. Run the command `wsl`.
-
-4. Wait for five minutes, and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test).
-
-   If successful, you can see that the connectivity test was successful. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from WSL to Defender for Endpoint service URLs is failing.
+On starting your wsl machine, wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test). If successful, you can see that the connectivity test was a success. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from MDE plug-in for WSL to Defender for Endpoint service URLs is failing.
 
 > [!NOTE]
+> The `ConnectivityTest` registry key is no longer supported.
 > To set a proxy for use in WSL containers (the distributions running on the subsystem), see [Advanced settings configuration in WSL](/windows/wsl/wsl-config).
 
 ## Verifying functionality and SOC analyst experience
@@ -187,6 +171,31 @@ After installing the plug-in, the subsystem and all its running containers are o
 
 The timeline is populated, similar to Defender for Endpoint on Linux, with events from inside the subsystem (file, process, network). You can observe activity and detections in the timeline view. Alerts and incidents are generated as appropriate as well.
 
+## Setting up custom tag for your WSL machine
+
+The plug-in onboards the WSL machine with the tag `WSL2`. Should you or your organization need a custom tag, please follow the steps outlined below:
+
+1. Open Registry Editor as an administrator
+
+2. Create a registry key with the following details:
+
+   - Name: `GROUP`
+   - Type: `REG_SZ` or registry string
+   - Value: `Custom tag`
+   - Path: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging`
+
+3. Once the registry is set, restart wsl using the following steps:
+
+    1. Open Command Prompt and run the command, `wsl --shutdown`.
+
+    2. Run the `wsl` command.
+
+4. Wait for 5-10 minutes for the portal to reflect the changes. 
+
+> [!NOTE]
+> The custom tag set in registry will be followed by a `_WSL2`.
+> For example, if the registry value set is `Microsoft`, then the custom tag will be `Microsoft_WSL2` and the same will be visible in the portal.
+
 ### Test the plug-in
 
 To test the plug-in after installation, follow these steps:
@@ -371,8 +380,6 @@ DeviceProcessEvents
 
    1. In Control Panel, go to **Programs** > **Programs and Features**.
 
-   2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**.
-
-   This should fix the problem by placing the right files in the expected directories.
+   2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
 
    :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 08/08/2024
+ms.date: 08/12/2024
 audience: ITPro
 ms.topic: reference
 author: siosulli
@@ -212,12 +212,12 @@ Updates are released for x86, x64, and ARM64 Windows architecture.
 
 For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
 
-After a new package version is released, support for the previous two versions is reduced to technical support only.
+After a new package version is released, support for the previous two versions is reduced to technical support only. To view a list of previous versions, see [Previous DISM updates (no longer supported)](msda-updates-previous-versions-technical-upgrade-support.md#previous-dism-updates-no-longer-supported).
 
-### 1.415.235.0
+### 1.415.295.0
 
-- Defender package version: `1.415.235.0`
-- Security intelligence version: `1.415.235.0`
+- Defender package version: `1.415.295.0`
+- Security intelligence version: `1.415.295.0`
 - Engine version: `1.24070.1`
 - Platform version: `4.18.24070.5`
 
@@ -229,12 +229,12 @@ After a new package version is released, support for the previous two versions i
 
 - None
 
-### 1.411.111.0
+### 1.415.235.0
 
-- Defender package version: `1.411.111.0`
-- Security intelligence version: `1.411.111.0`
-- Engine version: `1.24050.2`
-- Platform version: `4.18.24050.7`
+- Defender package version: `1.415.235.0`
+- Security intelligence version: `1.415.235.0`
+- Engine version: `1.24070.1`
+- Platform version: `4.18.24070.5`
 
 #### Fixes
 
@@ -244,12 +244,12 @@ After a new package version is released, support for the previous two versions i
 
 - None
 
-### 1.411.9.0
+### 1.411.111.0
 
-- Defender package version: `1.411.9.0`
-- Security intelligence version: `1.411.9.0`
-- Engine version: `1.24040.1`
-- Platform version: `4.18.24040.4`
+- Defender package version: `1.411.111.0`
+- Security intelligence version: `1.411.111.0`
+- Engine version: `1.24050.2`
+- Platform version: `4.18.24050.7`
 
 #### Fixes
 

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -6,7 +6,7 @@ ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 08/07/2024
+ms.date: 08/12/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -1100,12 +1100,27 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 #### Known issues
 
-- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.
+- When this update is installed, the device needs the jump package `4.18.2001.10` to be able to update to the latest platform version.
 
 ## Previous DISM updates (no longer supported)
 
 The versions listed in this section are no longer supported. To view current versions, see [Updates for Deployment Image Servicing and Management (DISM)](microsoft-defender-antivirus-updates.md#updates-for-deployment-image-servicing-and-management-dism).
 
+### 1.411.9.0
+
+- Defender package version: `1.411.9.0`
+- Security intelligence version: `1.411.9.0`
+- Engine version: `1.24040.1`
+- Platform version: `4.18.24040.4`
+
+#### Fixes
+
+- None
+
+#### Additional information
+
+- None
+
 ### 20230809.1
 
 - Defender package version: `20230809.1`

defender-endpoint/switch-to-mde-phase-3.md

@@ -17,7 +17,7 @@ ms.custom:
 - migrationguides
 - admindeeplinkDEFENDER
 ms.topic: how-to
-ms.date: 10/24/2023
+ms.date: 08/12/2024
 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho, yongrhee
 search.appverid: met150
 ---
@@ -77,12 +77,14 @@ Deployment methods vary, depending on operating system and preferred methods. Th
 
 ## Step 2: Run a detection test
 
+<!---Add this back later when the link works: Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>.---> 
+
 To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
 
 |Operating system|Guidance|
 |---|---|
 |Windows 10 or later<br/><br/>Windows Server 2022<br/><br/>Windows Server 2019<br/><br/>Windows Server, version 1803, or later<br/><br/>Windows Server 2016<br/><br/>Windows Server 2012 R2|See [Run a detection test](run-detection-test.md).|
-|macOS (see [System requirements](microsoft-defender-endpoint-mac.md)|Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>. <br/><br/> For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md).|
+|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))| See [Run the connectivity test](troubleshoot-cloud-connect-mdemac.md#run-the-connectivity-test).|
 |Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements))|1. Run the following command, and look for a result of **1**: `mdatp health --field real_time_protection_enabled`.<br/><br/>2. Open a Terminal window, and run the following command: `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.<br/><br/>3. Run the following command to list any detected threats: `mdatp threat list`.<br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).|
 
 ## Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints

defender-office-365/mail-flow-about.md

@@ -58,7 +58,7 @@ To verify that EOP mail flow is working correctly, use the following tests:
 
 ## Support for anonymous inbound email over IPv6
 
-EOP supports receiving anonymous inbound email over IPv6, but an admin is required to opt in by contacting Microsoft support. To open a support request, see [Get support for Microsoft 365 for business](/microsoft-365/admin/get-help-support).
+EOP supports receiving anonymous inbound email over IPv6; we are rolling out IPv6 by default to all Exchange Online customers by end of Q1CY25. If you need to enable inbound IPv6 for your Accepted Domains before then, an admin is required to opt in by contacting Microsoft support. To open a support request, see [Get support for Microsoft 365 for business](/microsoft-365/admin/get-help-support).
 
 After the organization has opted in, the organization can receive anonymous inbound email over IPv6 as long as the source IPv6 email server meets both of the following requirements:
 

defender-xdr/data-privacy.md

@@ -19,7 +19,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 05/14/2024
+ms.date: 08/12/2024
 ---
 
 # Microsoft Defender XDR data security and privacy
@@ -30,7 +30,7 @@ ms.date: 05/14/2024
 **Applies to:**
 - Microsoft Defender XDR
 
-Microsoft Defender XDR operates in Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, and Switzerland. Customer data collected by the service is stored at rest in (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Microsoft Defender XDR to process such data.
+Microsoft Defender XDR operates in Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, and India. Customer data collected by the service is stored at rest in (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Microsoft Defender XDR to process such data.
 
 Customer data in pseudonymized form might also be stored in central storage and processing systems in the United States.