Merge branch 'main' into poliveria-threat-analytics-07242024

Author: poliveria

defender-endpoint/android-configure.md

@@ -61,36 +61,32 @@ Network protection in Microsoft Defender for endpoint is disabled by default. Ad
 
 1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy.
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of how to create a policy.](media/android-mem.png)
-
+> [!div class="mx-imgBorder"]
 1. Provide a name and description to uniquely identify the policy. Select **'Android Enterprise'** as the platform and **'Personally-owned work profile only'** as the profile type and **'Microsoft Defender'** as the Targeted app.
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of policy details.](media/appconfigdetails.png)
-
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of policy details.](media/appconfigdetails.png)
+   
 1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'1'** to enable Network Protection. (Network protection is disabled by default)
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of how to select enable network protection policy](media/selectnp.png)
-
-    > [!div class="mx-imgBorder"]
-    > ![Image of add configuration policy.](media/npvalue.png)
-
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of how to select enable network protection policy](media/selectnp.png)
+   
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of add configuration policy.](media/npvalue.png)
+   
 1. If your organization uses root CAs that are private, you must establish explicit trust between Intune (MDM solution) and user devices. Establishing trust helps prevent Defender from flagging root CAs as rogue certificates.
 
     To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.
 
     **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`
 
-   > [!IMPORTANT]
+      > [!IMPORTANT]
    > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.
    >
    > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`
 
-   Any other separation characters are invalid.
-
-   > ![Image of trusted CA certificate.](media/trustca.png)
+      Any other separation characters are invalid.
 
 1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.
 
@@ -119,26 +115,6 @@ Network protection in Microsoft Defender for endpoint is disabled by default. Ad
 
 > [!NOTE]
 > Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WIFI-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.
-
-## Configure Low Touch Onboarding
-
-Admins can configure Microsoft Defender for Endpoint in low touch onboarding mode. In this scenario, administrators creates a deployment profile and the user is simply required to provide a reduced set of permissions to complete onboarding. 
-
-Android low touch onboarding is disabled by default. Admins can enable it through app configuration policies on Intune by following these steps:
-
-1.	Push the Defender app to target user group by following these [steps](android-intune.md#add-microsoft-defender-for-endpoint-on-android-as-a-managed-google-play-app).
-2.	Push a VPN profile to the user's device by following the instructions [here](android-intune.md#auto-setup-of-always-on-vpn).
-3.	In Apps > Application configuration policies, select Managed Devices.
-4.	Provide a name to uniquely identify the policy. Select 'Android Enterprise' as the Platform, the required Profile type and 'Microsoft Defender: Antivirus' as the targeted app. Click on Next.
-5.	Add runtime permissions. Select Location access (fine)(This permission is not supported for Android 13 and above), POST_NOTIFICATIONS and change the Permission state to 'Auto grant'.
-6.	Under configuration settings, select 'Use Configuration designer' and click on Add.
-7.	Select Low touch onboarding and User UPN. For User UPN, change the Value type to 'Variable' and Configuration value to 'User Principal Name' from the drop down Enable Low touch onboarding by changing the configuration value to 1.
-    >[!div class="mx-imgBorder"]
-    >![Image of low touch onboarding configuration policy.](media/low-touch-user-upn.png)
-
-8.	Assign the policy to the target user group.
-9.	Review and create the policy.
-
 ## Privacy Controls
 
 Following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:
@@ -347,11 +323,11 @@ Use the following steps to configure the Device tags:
 5. Click Next and assign this policy to targeted devices and users.
 
 
-> [!NOTE] 
+> [!NOTE]
 > The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal.
-
 ## Related articles
 
 - [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
+
 - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/api/get-all-vulnerabilities.md

@@ -94,21 +94,22 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
     "value": [
         {
-            "id": "CVE-2019-0608",
-            "name": "CVE-2019-0608",
-            "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
-            "severity": "Medium",
-            "cvssV3": 4.3,
+            "id": "CVE-2024-7256",
+            "name": "CVE-2024-7256",
+            "description": "Summary: Google Chrome is vulnerable to a security bypass due to insufficient data validation in Dawn. An attacker can exploit this vulnerability by tricking a user into visiting a malicious website, allowing them to bypass security restrictions. Impact: If successfully exploited, this vulnerability could allow a remote attacker to bypass security restrictions in Google Chrome. Remediation: Apply the latest patches and updates provided by the respective vendors. Generated by AI",
+            "severity": "High",
+            "cvssV3": 8,
             "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
-            "exposedMachines": 4,
-            "publishedOn": "2019-10-08T00:00:00Z",
-            "updatedOn": "2019-12-16T16:20:00Z",
+            "exposedMachines": 23,
+            "publishedOn": "2024-07-30T00:00:00Z",
+            "updatedOn": "2024-07-31T00:00:00Z",
+            "firstDetected": "2024-07-31T01:55:47Z",
             "publicExploit": false,
             "exploitVerified": false,
             "exploitInKit": false,
             "exploitTypes": [],
             "exploitUris": [],
-            "CveSupportability": "supported",
+            "cveSupportability": "Supported",
             "tags": [],
             "epss": 0.632
         }

defender-endpoint/edr-detection.md

@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/06/2024
+ms.date: 08/15/2024
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -76,7 +76,6 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
 3. Look at the alert details, machine timeline, and perform your typical investigation steps.
 
-<!---
 ### macOS
 
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
@@ -129,7 +128,6 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
     Look at the alert details and the device timeline, and perform the regular investigation steps.
 
---->
 
 ## Next steps
 

defender-endpoint/mac-preferences.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/29/2024
+ms.date: 08/15/2024
 ---
 
 # Set preferences for Microsoft Defender for Endpoint on macOS
@@ -681,7 +681,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
         <key>PayloadOrganization</key>
         <string>Microsoft</string>
         <key>PayloadIdentifier</key>
-        <string>com.microsoft.wdav</string>
+        <string>
         <key>PayloadDisplayName</key>
         <string>Microsoft Defender for Endpoint settings</string>
         <key>PayloadDescription</key>
@@ -704,7 +704,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
                 <key>PayloadOrganization</key>
                 <string>Microsoft</string>
                 <key>PayloadIdentifier</key>
-                <string>com.microsoft.wdav</string>
+                <string>
                 <key>PayloadDisplayName</key>
                 <string>Microsoft Defender for Endpoint configuration settings</string>
                 <key>PayloadDescription</key>

defender-endpoint/manage-tamper-protection-intune.md

@@ -5,7 +5,7 @@ manager: deniseb
 description: Turn tamper protection on or off for your organization in Microsoft Intune.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 07/25/2024
+ms.date: 08/15/2024
 audience: ITPro
 ms.topic: how-to
 author: siosulli
@@ -43,8 +43,11 @@ Tamper protection helps protect certain [security settings](prevent-changes-to-s
 > If you're using Microsoft Intune to manage Defender for Endpoint settings, make sure to set [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp#configurationdisablelocaladminmerge) to true on devices.
 >
 > When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) cannot be changed. To avoid breaking management experiences, including Intune (and [Configuration Manager](manage-tamper-protection-configuration-manager.md)), keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available: 
+>
 > - If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](enable-troubleshooting-mode.md) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
+>
 > - You can use Intune or [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. 
+>
 > - If you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](#tamper-protection-for-antivirus-exclusions).
 
 ## Requirements for managing tamper protection in Intune
@@ -68,7 +71,7 @@ Tamper protection helps protect certain [security settings](prevent-changes-to-s
 
 :::image type="content" source="media/turnontamperprotectinmem.png" alt-text="Turn tamper protection turned on with Intune" lightbox="media/turnontamperprotectinmem.png":::
 
-1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
 
    - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.
    - In the **Profile** list, select **Windows Security experience**.
@@ -88,12 +91,14 @@ If your organization has [exclusions defined for Microsoft Defender Antivirus](c
 | Condition | Criteria |
 |---|---|
 | Microsoft Defender platform | Devices are running Microsoft Defender platform `4.18.2211.5` or later. For more information, see [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions). |
-| `DisableLocalAdminMerge` setting | This setting is also known as preventing local list merging. `DisableLocalAdminMerge` is enabled so that settings configured on a device aren't merged with organization policies, such as settings in Intune. For more information, see [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp). |
+| `DisableLocalAdminMerge` setting | This setting is also known as preventing local list merging. `DisableLocalAdminMerge` must be enabled so that settings configured on a device aren't merged with organization policies, such as settings in Intune. For more information, see [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp). |
 | Device management | Devices are either managed in Intune only, or are managed with Configuration Manager only. Sense must be enabled. |
-| Antivirus exclusions | Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. For more information, see [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows). <br/><br/>Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices. For more information, see [How to determine whether antivirus exclusions are tamper protected on a Windows device](#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device). |
+| Antivirus exclusions | Microsoft Defender Antivirus exclusions are managed in Microsoft Intune or Configuration Manager. For more information, see [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows). <br/><br/>Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices. For more information, see [How to determine whether antivirus exclusions are tamper protected on a Windows device](#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device). |
+
+> [!NOTE]
+> For example, when Configuration Manager is used solely to manage exclusions and the required conditions are met, exclusions from Configuration Manager are tamper protected. In this case, there is no need to push antivirus exclusions using Microsoft Intune.
 
-> [!TIP]
-> For more detailed information about Microsoft Defender Antivirus exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
+For more detailed information about Microsoft Defender Antivirus exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
 
 ## How to determine whether antivirus exclusions are tamper protected on a Windows device
 

defender-endpoint/switch-to-mde-phase-3.md

@@ -17,7 +17,7 @@ ms.custom:
 - migrationguides
 - admindeeplinkDEFENDER
 ms.topic: how-to
-ms.date: 08/12/2024
+ms.date: 08/15/2024
 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho, yongrhee
 search.appverid: met150
 ---
@@ -77,14 +77,12 @@ Deployment methods vary, depending on operating system and preferred methods. Th
 
 ## Step 2: Run a detection test
 
-<!---Add this back later when the link works: Download and use the DIY app at <https://aka.ms/mdatpmacosdiy>.---> 
-
 To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
 
 |Operating system|Guidance|
 |---|---|
 |Windows 10 or later<br/><br/>Windows Server 2022<br/><br/>Windows Server 2019<br/><br/>Windows Server, version 1803, or later<br/><br/>Windows Server 2016<br/><br/>Windows Server 2012 R2|See [Run a detection test](run-detection-test.md).|
-|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))| See [Run the connectivity test](troubleshoot-cloud-connect-mdemac.md#run-the-connectivity-test).|
+|macOS (see [System requirements](microsoft-defender-endpoint-mac.md))| Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). Also see [Run the connectivity test](troubleshoot-cloud-connect-mdemac.md#run-the-connectivity-test).|
 |Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements))|1. Run the following command, and look for a result of **1**: `mdatp health --field real_time_protection_enabled`.<br/><br/>2. Open a Terminal window, and run the following command: `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.<br/><br/>3. Run the following command to list any detected threats: `mdatp threat list`.<br/><br/>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).|
 
 ## Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints

defender-endpoint/web-content-filtering.md

@@ -6,7 +6,7 @@ ms.author: siosulli
 author: siosulli
 ms.reviewer: tdoucett
 ms.localizationpriority: medium
-ms.date: 02/02/2024
+ms.date: 08/15/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,7 +43,7 @@ Configure policies across your device groups to block certain categories. Blocki
 Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and network protection (Chrome, Firefox, Brave, and Opera). For more information about browser support, see the [prerequisites](#prerequisites) section.
 
 > [!NOTE]
-> Web content filtering does not apply policies to isolated browser sessions (i.e. Microsoft Defender Application Guard). The feature is also restricted to specific browsers via process name. This means that web content filtering doesn't work when there is a local proxy application in place (such as Fiddler, ZScaler), due to the process name being masked.
+> Web content filtering does not apply policies to isolated browser sessions (i.e. Microsoft Defender Application Guard). The feature is also restricted to specific browsers via process name. This means that web content filtering doesn't work when there is a local proxy application in place (such as Fiddler), due to the process name being masked.
 
 ## Benefits of web content filtering