Merge branch 'main' into vivek-xdr-teams-policy

Author: vpattnai

defender-endpoint/TOC.yml

@@ -67,6 +67,8 @@
         href: evaluate-microsoft-defender-antivirus.md
       - name: Evaluate Microsoft Defender Antivirus using PowerShell
         href: microsoft-defender-antivirus-using-powershell.md
+      - name: Evaluate Microsoft Defender Antivirus using MDE Security Settings Management 
+        href: microsoft-defender-antivirus-using-mde-security-set-mngmnt.md  
       - name: Microsoft Defender for Endpoint demonstration scenarios
         href: defender-endpoint-demonstrations.md
       - name: App reputation demonstration

defender-endpoint/admin-submissions-mde.md

@@ -2,12 +2,12 @@
 title: Submit files in Microsoft Defender for Endpoint
 description: Learn how to use the unified submissions feature in Microsoft Defender XDR to submit suspicious emails, URLs, email attachments, and files to Microsoft for scanning.
 search.appverid: met150
-ms.date: 02/15/2024
+ms.date: 05/06/2024
 ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 manager: deniseb
-localization_priority: Normal
+ms.localizationpriority: medium
 audience: ITPro
 ms.topic: how-to
 ms.collection: 

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -134,7 +134,7 @@ The following table lists the supported operating systems for rules that are cur
 | [Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | Y | Y | Y | Y | Y |
 | [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y | Y | Y | Y | Y |
 | [Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | Y | Y | Y | Y | Y |
-| [Block Webshell creation for Servers](#block-webshell-creation-for-servers)  | N | Y <br>Exchange Role Only | Y <br>Exchange Role Only | Y <br>Exchange Role Only | N |
+| [Block Webshell creation for Servers](#block-webshell-creation-for-servers)  | N | Y <br>Exchange Role Only | Y <br>Exchange Role Only | Y <br>Exchange Role Only | Y <br>Exchange Role Only |
 | [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | Y | N | N | N | N |
 | [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y <br> version 1803 or later <sup>[[3](#fn1)]</sup> | Y | Y | Y | Y |
 

defender-endpoint/auto-investigation-action-center.md

@@ -50,7 +50,7 @@ You can use the unified Action center if you have appropriate permissions and on
 
 - [Microsoft Defender XDR](/microsoft-365/security/mtp/microsoft-threat-protection)
 - [Defender for Endpoint](microsoft-defender-endpoint.md)
-- [Defender for Office 365]/defender-office-365/mdo-about
+- [Defender for Office 365](/defender-office-365/mdo-about)
 - [Defender for Business](/defender-business/mdb-overview)
 
 ## Using the Action center

defender-endpoint/comprehensive-guidance-on-linux-deployment.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 04/04/2024
+ms.date: 05/08/2024
 ---
 
 # Advanced deployment guidance for Microsoft Defender for Endpoint on Linux
@@ -39,7 +39,7 @@ To learn about other ways to deploy Microsoft Defender for Endpoint on Linux, se
 
 Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux deployment. The applicability of some steps is determined by the requirements of your Linux environment.
 
-1. [Work with your Firewall, Proxy, and Networking admin](#1-work-with-your-firewall-proxy-and-networking-admin).
+1. [Prepare your network environment](#1-prepare-your-network-environment).
 
 2. [Capture performance data from the endpoint](#2-capture-performance-data-from-the-endpoint).
 
@@ -86,39 +86,31 @@ Learn about the general guidance on a typical Microsoft Defender for Endpoint on
 
 22. [Uninstall your non-Microsoft solution](#22-uninstall-your-non-microsoft-solution).
 
-## 1. Work with your Firewall, Proxy, and Networking admin
+## 1. Prepare your network environment
 
-Work with your Firewall, Proxy, and Networking admin to add the Microsoft Defender for Endpoint URLs to the allowed list, and prevent it from being SSL inspected.
+Add the Microsoft Defender for Endpoint URLs and/or IP addresses to the allowed list, and prevent traffic from being SSL inspected.
 
-For more information, see, [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).
 
 ### Network connectivity of Microsoft Defender for Endpoint
 
 Use the following steps to check the network connectivity of Microsoft Defender for Endpoint:
 
-1. See [Allow URLs for the Microsoft Defender for Endpoint traffic](#step-1-allow-urls-for-the-microsoft-defender-for-endpoint-traffic) that are allowed for the Microsoft Defender for Endpoint traffic.
+1. See [Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic](#step-1-allow-destinations-for-the-microsoft-defender-for-endpoint-traffic) that are allowed for the Microsoft Defender for Endpoint traffic.
 
 2. If the Linux servers are behind a proxy, then set the proxy settings. For more information, see [Set up proxy settings](#step-2-set-up-proxy-settings).
 
 3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This is the most common network related issue when setting up Microsoft Defender Endpoint, see [Verify SSL inspection isn't being performed on the network traffic](#step-3-verify-ssl-inspection-isnt-being-performed-on-the-network-traffic).
 
 > [!NOTE]
-> It is generally recommended that traffic for Defender for Endpoint is not inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).
+> - It is generally recommended that traffic for Defender for Endpoint is not inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).
+> - To allow connectivity to the consolidated set of URLs or IP addresses, ensure your devices are running the latest component versions. See [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md) for more information.
 
-#### Step 1: Allow URLs for the Microsoft Defender for Endpoint traffic
+For more information see [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).
 
-1. Download the [Microsoft Defender for Endpoint URL list for commercial customers](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
-) or the [Microsoft Defender for Endpoint URL list for Gov/GCC/DoD](https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx) for a list of services and their associated URLs that your network must be able to connect.
+#### Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic
 
-2. Under **Geography** column, ensure the following checkboxes are selected:
-    - EU, or UK, or US
-    - WW
-    - (Blanks)
-
-    > [!NOTE]
-    > You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.
-
-3. Work with the Firewall/Proxy/Networking admins to allow the relevant URLs.
+1. Go to [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md) to find the relevant destinations that need to be accessible to devices inside your network environment
+2. Configure your Firewall/Proxy/Network to allow the relevant URLs and/or IP addresses
 
 #### Step 2: Set up proxy settings
 
@@ -521,17 +513,24 @@ For more information, see [New device health reporting for Microsoft Defender an
 
 To ensure that the device is correctly onboarded and reported to the service, run the following detection test:
 
-- Antimalware detections:
+- Open a Terminal window and execute the following command to run an antimalware detection test:
 
   ```bash
-  curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+  curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
   ```
+  
+- You can run additional detection tests on zip files using either of the following commands:
+
+  ```bash
+  curl -o /tmp/eicar_com.zip https://secure.eicar.org/eicar_com.zip
+  curl -o /tmp/eicarcom2.zip https://secure.eicar.org/eicarcom2.zip
+  ```
+
+   > [!NOTE]
+   > If the detections do not show up, it could be that you have set "allowedThreats" to allow in preferences via Ansible or Puppet.
 
-  If the detection doesn't show up, it could be that you have set "allowedThreats" to allow in preferences via Ansible or Puppet.
+- Endpoint detection and response (EDR) detections, see [Experience Microsoft Defender for Endpoint through simulated attacks](attack-simulations.md). If the detection doesn't show up, then it could be that we're missing event or alerts in portal. For more information, see [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](linux-support-events.md).
 
-- Endpoint detection and response (EDR) detections:
-  For more information, see [Experience Microsoft Defender for Endpoint through simulated attacks](attack-simulations.md).
-  If the detection doesn't show up, then it could be that we're missing event or alerts in portal. For more information, see [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](linux-support-events.md).
 - For more information about unified submissions in Microsoft Defender XDR and the ability to submit **False Positives** and **False Negatives** through the portal, see [Unified submissions in Microsoft Defender XDR now Generally Available! - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770).
 
 ## 20. Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux

defender-endpoint/configure-device-connectivity.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.reviewer: pahuijbr
 search.appverid: MET150
 audience: ITPro
-ms.date: 03/07/2024
+ms.date: 05/08/2024
 ---
 
 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
@@ -27,12 +27,7 @@ ms.date: 03/07/2024
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-[!Include[Prerelease information](../includes/prerelease.md)]
-
-> [!NOTE] 
->The streamlined onboarding method is currently in public preview. Make sure to review the prerequisites to confirm requirements and supported operating systems.
-
-The Microsoft Defender for Endpoint service may require the use of proxy configurations to report diagnostic data and communicate data to the service. Prior to the availability of the streamlined connectivity method, other URLs were required and Defender for Endpoint static IP ranges weren't supported. For more information on full MDE connectivity processes, see [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
+The Microsoft Defender for Endpoint service may require the use of proxy configurations to report diagnostic data and communicate data to the service. Prior to the availability of the streamlined connectivity method, other URLs were required and Defender for Endpoint static IP ranges weren't supported. For more information on preparing your environment, see [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
 
 This article describes the streamlined device connectivity method and how to onboard new devices to use a simpler deployment and management of Defender for Endpoint cloud connectivity services. For more information on migrating previously onboarded devices, see [Migrating devices to streamlined connectivity](migrate-devices-streamlined.md). 
 
@@ -48,19 +43,13 @@ The Defender for Endpoint-recognized simplified domain: `*.endpoint.security.mic
 
 To support network devices without hostname resolution or wildcard support, you can alternatively configure connectivity using dedicated Defender for Endpoint static IP ranges. For more information, see [Configure connectivity using static IP ranges](#option-2-configure-connectivity-using-static-ip-ranges).
 
-
 > [!NOTE] 
-> The simplified connectivity method will **not change how Microsoft Defender for Endpoint functions on a device nor will it change the end-user experience**. Only the URLs or IPs that a device uses to connect to the service will change. 
-
-> [!IMPORTANT]
-> Preview limitations and known issues: <br/>
-> - Streamlined connectivity does not support onboarding through API (includes Microsoft Defender for Cloud and Intune).
-> - This onboarding method has specific prerequisites that do not apply to the standard onboarding method.
+> - The simplified connectivity method will **not change how Microsoft Defender for Endpoint functions on a device nor will it change the end-user experience**. Only the URLs or IPs that a device uses to connect to the service will change.
+> - There currently is no plan to deprecate the old, consolidated service URLs. Devices onboarded with "standard" connectivity will continue to function. It is important to ensure connectivity to *.endpoint.security.microsoft.com is and remains possible, as future services will require it. This new URL is included in all required URL lists.
 
 ## Consolidated services 
 
-The following Defender for Endpoint URLs consolidated under the streamlined domain should no longer be required for connectivity if `*.endpoint.security.microsoft.com` is allowed and devices are onboarded using the streamlined onboarding package. You will need to maintain connectivity with other required services not consolidated that are relevant to your organization (for example, CRL, SmartScreen/Network Protection, and WNS).
-
+The following Defender for Endpoint URLs consolidated under the streamlined domain should no longer be required for connectivity if `*.endpoint.security.microsoft.com` is allowed and devices are onboarded using the streamlined onboarding package. You will need to maintain connectivity with other required services not consolidated that are relevant to your organization (for example, CRL, SmartScreen/Network Protection, and Windows Update).
 
 For the updated list of required URLs, see [Download the spreadsheet here](https://go.microsoft.com/fwlink/?linkid=2248278).
 
@@ -143,7 +132,7 @@ The following illustration shows the streamlined connectivity process and the co
 
 ### Stage 1. Configure your network environment for cloud connectivity 
 
-Once you confirm prerequisites are met, ensure your network environment is properly configured to support the streamlined connectivity method. Using the streamlined method (preview), follow the steps outlined in [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md). 
+Once you confirm prerequisites are met, ensure your network environment is properly configured to support the streamlined connectivity method. Follow the steps outlined in [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md). 
 
 Defender for Endpoint services consolidated under the simplified method should no longer be required for connectivity. However, some URLs aren't included in the consolidation. 
 
@@ -214,7 +203,7 @@ As a supplementary check, you can also use the client analyzer to test whether a
 
 ### Stage 4. Apply the new onboarding package required for streamlined connectivity
 
-Once you configure your network to communicate with the full list of services, you can begin onboarding devices using the streamlined method. Note that onboarding via API isn't currently supported (includes Intune & Microsoft Defender for Cloud).  
+Once you configure your network to communicate with the full list of services, you can begin onboarding devices using the streamlined method. 
 
 Before proceeding, confirm devices meet the [prerequisites](#prerequisites) and have updated the sensor and Microsoft Defender Antivirus versions. 
 
@@ -239,7 +228,7 @@ For migrating devices already onboarded to Defender for Endpoint, see [Migrating
 :::image type="content" source="media/migrate-devices-streamlined.png" alt-text="Screenshot of onboarding page with streamlined connectivity":::
 
 
-When you're ready to set the default onboarding package to streamlined, you can turn on the following Advanced Feature setting in the Microsoft Defender portal (**Settings > Endpoints > Advanced Features**).
+When you're ready to set the default onboarding package to streamlined, you can turn on the following Advanced Feature setting in the Microsoft Defender portal (**Settings > Endpoints > Advanced Features**). For onboarding through Intune & Microsoft Defender for Cloud, you will need to activate the relevant option. Devices already onboarded will not automatically re-onboard; you will need to create a new policy in Intune, where it is recommended to first assign the policy to a set of test devices to verify connectivity is successful, before expanding the audience. Devices in Defender for Cloud can be re-onboarded using the relevant onboarding script.
 
 > [!NOTE]
 > Before moving forward with this option, validate that your environment is ready and all devices meet prerequisites.