Merge branch 'main' into poliveria-analyst-report-09042024

Author: poliveria

defender-endpoint/TOC.yml

@@ -1,10 +1,10 @@
 ---
 title: Device control policies in Microsoft Defender for Endpoint
 description: Learn about Device control policies in Defender for Endpoint
-author: siosulli
-ms.author: siosulli
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
-ms.date: 09/13/2024
+ms.date: 09/18/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -73,7 +73,7 @@ Device control policies can be applied to users and/or user groups.
 > [!NOTE]
 > In the articles related to device control, groups of users are referred to as <i>user groups</i>.  The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.
 
- Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.
+Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.
 
 On Windows, a user or user group can be a condition on an [entry](#entries) in a policy.
 
@@ -198,15 +198,29 @@ Device control policies define access (called an entry) for a set of devices. En
 | Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny |
 | Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> |
 
-If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.
+### Entry evaluation
+
+There are two types of entries: enforcement entries (Allow/Deny) and audit entries (AuditAllow/AuditDeny).  
+
+Enforcement entries for a rule are evaluated in order until all of the requested permissions have been matched.  If no entries match a rule, then the next rule is evaluated.  If no rules match, then the default is applied.
+
+### Audit entries
+
+Audit events control the behavior when device control enforces a rule (allow/deny). Device control can display a notification to the end-user. The user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.  
+
+Device control can also create an event that is available in Advanced Hunting.
+
+> [!IMPORTANT]
+> There is a limit of 300 events per device per day. Audit entries are processed after the enforcement decision has been made.  All corresponding audit entries are evaluated.
+
+### Conditions
 
 An entry supports the following optional conditions:
 
 - User/User Group Condition: Applies the action only to the user/user group identified by the SID
 
 > [!NOTE]
-> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition.  For user groups and users that are stored localy, use the Security Identifier (SID)
-
+> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition.  For user groups and users that are stored locally, use the Security Identifier (SID)
 > [!NOTE]
 > On Windows, The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`.
 

defender-endpoint/device-control-policies.md

@@ -1,12 +1,13 @@
 ---
 title: Hardware acceleration and Microsoft Defender Antivirus.
 description: How Microsoft Defender Antivirus incorporates hardware acceleration and Microsoft Defender Antivirus.
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
+ms.reviewer: yongrhee
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 02/26/2024
+ms.date: 09/18/2024
 ms.subservice: ngp
 ms.localizationpriority: medium
 ms.custom: partner-contribution
@@ -19,10 +20,6 @@ audience: ITPro
 
 **Applies to:**
 
-- [Microsoft Defender XDR](/defender-xdr)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - Microsoft Defender Antivirus
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 

defender-endpoint/hardware-acceleration-and-mdav.md

@@ -0,0 +1,83 @@
+---
+title: Use safe deployment practices to safeguard your environment
+description: Plan, implement, adopt, and manage safe deployment practices to safeguard and manage your environment
+keywords: mde safe deployment practices
+author: siosulli
+ms.author: siosulli
+manager: deniseb
+ms.date: 09/16/2024
+ms.topic: conceptual
+ms.service: defender-endpoint
+ms.subservice: ngp
+ms.localizationpriority: high
+ms.custom: get-started
+ms.collection:
+- tier1
+- highpri
+---
+
+# Use safe deployment practices to safeguard and manage your environment
+
+Microsoft follows safe deployment practices (SDP) to minimize the risk of security updates having an unexpected impact. This article describes Microsoft Defender for Endpoint’s approach to SDP and what customers can do to manage their own roll-out processes to add an extra layer of control.
+
+Microsoft Defender for Endpoint ships updates externally only after all the certification and validation tests are completed across multiple iterations of internal devices. 
+
+Defender for Endpoint applies SDP to two distinct update mechanisms:
+
+- Software and driver updates that are updated monthly (can potentially update kernel-mode components).
+- Security intelligence and detection logic updates that can be updated multiple times a day (updates only apply to user-mode components).
+
+## Monthly SDP software and driver updates
+
+Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs. 
+
+Defender for Endpoint’s kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
+
+The process for rolling out software and driver updates for Defender for Endpoint is shown in this image:
+
+:::image type="content" alt-text="process for rolling out software and driver updates for Defender for Endpoint" source="/defender/media/defender-endpoint/mde-software-driver-updates.png" lightbox="/defender/media/defender-endpoint/mde-software-driver-updates.png":::
+
+### Microsoft SDP for monthly updates
+
+All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft’s hundreds of thousands of employees and millions of internal devices. This helps ensure Microsoft discovers and addresses issues first, before customers.
+ 
+Within each ring, Microsoft closely monitors quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices.
+ 
+Once internal testing is successfully completed, Microsoft then releases the updates externally in a staggered manner to ensure stability. During this time, Microsoft continuously monitors the rollout to ensure a quick response and remote resolution of any issues by reverting or reissuing update packages.
+
+### Customer SDP for monthly updates 
+
+In addition to Microsoft’s safe deployment practices, organizations can also manage monthly updates with their own safe deployment practices through various controls:
+
+- [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md) to control the delivery of agent updates to their devices. Customers can control the rings that are assigned to their device group and when each ring receives updates. For example, place lower-valued assets in earlier rings and higher-valued assets in later rings.
+- Apply patch management software and practices for security component updates that can also arrive in the form of monthly Latest Cumulative Updates (LCUs).
+- Use [rollback controls](microsoft-defender-antivirus-updates.md#how-to-roll-back-an-update) or automated rollback options to revert or reset components to a last known good state. 
+
+> [!NOTE]
+> Caution is advised when rolling back an update across a large group of devices.
+
+## Daily SDP security intelligence and detection logic updates
+
+Microsoft releases security intelligence updates that once installed on devices supplement the real-time local and cloud-based machine learning models, behavior analysis, and heuristics that enable Defender for Endpoint to neutralize the latest known cyberthreats.
+
+Given the high frequency at which these updates need to be delivered to protect customers, it’s not possible to deploy them through the same deployment process. Therefore, Defender for Endpoint doesn't include kernel changes in intelligence updates. Instead, daily updates are only delivered to components that run in the user mode of the operating system. This approach helps mitigate the risk of these more frequent updates from impacting the broader operating system and, in the unlikely event of an error, limits the risk of significant negative effects like system crashes and ensures devices can be automatically recovered.
+
+### Microsoft SDP for daily updates 
+
+Similar to the process for software and driver updates, Microsoft ships security intelligence updates after extensive testing and rolls them out starting with internal devices, early access customers, and then releases them externally in a controlled, gradual manner. Microsoft continually monitors telemetry and can mitigate issues through the cloud in minutes.
+
+### Customer SDP for daily updates
+
+Customers can also manage security intelligence updates with their own safe deployment policies through various measures:
+
+- Stage updates through [corporate networks](microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md#setting-up-the-pilot-environment) or software management solutions.
+- Apply updates at a lower frequency for critical systems. Daily releases can be applied at a lower frequency for certain device groups, including servers critical to running your infrastructure.
+- Use [rollback controls](microsoft-defender-antivirus-updates.md#how-to-roll-back-an-update) to revert or reset components to a last known good state.
+
+## Related articles
+
+- [microsoft-defender-antivirus-ring-deployment](microsoft-defender-antivirus-ring-deployment.md)
+- [manage-protection-updates-microsoft-defender-antivirus](manage-protection-updates-microsoft-defender-antivirus.md)
+- [microsoft-defender-antivirus-updates](microsoft-defender-antivirus-updates.md)
+- [mac-updates](mac-updates.md)
+- [linux-support-offline-security-intelligence-update](linux-support-offline-security-intelligence-update.md)

defender-endpoint/mde-sdp-strategy.md

@@ -98,6 +98,22 @@ All our updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### August-2024 (Platform: 4.18.24080.9 | Engine: 1.1.24080.9)
+
+- Security intelligence update version: **1.419.1.0**
+- Release date: **September 17, 2024** (Engine and Platform)
+- Platform: **4.18.24080.9**
+- Engine: **1.1.24080.9**
+- Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Added a new parameter to get-mppreference cmdlet (ControlledFolderAccessDefaultProtectedFolders) to show default protected folders for Controlled Folder Access (CFA).
+- Fixed an issue with Device Control regarding printer security checks.
+- Resolved an issue with platform rollback after an upgrade from Windows 10 to 11.
+- Fixed an issue where volume exclusions weren't properly enforced in real-time protection after the completion of OOBE.
+- Removed support for Windows RT devices, for example, Surface RT, that use 32-bit ARM processors and have reached their end-of-servicing date.
+
 ### July-2024 (Platform: 4.18.24070.5 | Engine: 1.1.24070.3)
 
 - Security intelligence update version: **1.417.14.0**

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,7 +3,7 @@ title: Microsoft Defender Offline scan in Windows
 description: You can use Microsoft Defender Offline Scan straight from the Microsoft Defender Antivirus app. You can also manage how it's deployed in your network.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 04/30/2024
+ms.date: 09/18/2024
 author: YongRhee-MSFT
 ms.author: yongrhee
 manager: deniseb
@@ -34,7 +34,7 @@ search.appverid: met150
 |**Protection type** | Hardware|
 |**Firmware/ Rootkit**|  Operating system <br/> Driver <br/> Memory (Heap) <br/> Application <br/> Identity <br/> Cloud|
 
-> [NOTE]
+> [!NOTE]
 > The protection for this feature focuses on the Firmware/Rootkit.
 
 Microsoft Defender Offline is an anti-malware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
@@ -50,7 +50,7 @@ The following are the hardware requirements for Microsoft Defender Offline Scan
 - x64/x86 Windows 8.1 
 - x64/x86 Windows 7 Service Pack 1
 
->[!CAUTION]
+> [!CAUTION]
 > Microsoft Defender Offline Scan does not apply to:
 >
 > - ARM Windows 11 

defender-endpoint/microsoft-defender-offline.md

@@ -2,8 +2,8 @@
 title: Supported Microsoft Defender for Endpoint capabilities by platform
 description: Get to know the Microsoft Defender for Endpoint capabilities supported for Windows 10 devices, servers, and non-Windows devices.
 ms.service: defender-endpoint
-ms.author: siosulli
-author: siosulli
+ms.author: deniseb
+author: denisebmsft
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 07/17/2024
+ms.date: 09/18/2024
 ---
 
 # Supported Microsoft Defender for Endpoint capabilities by platform
@@ -58,7 +58,7 @@ The following table gives information about the supported Microsoft Defender for
 |[Device response capabilities: collect investigation package ](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg) <sup>[3]</sup>       |  ![Yes.](media/svg/check-yes.svg) <sup>[3]</sup>        |
 |[Device response capabilities: run antivirus scan](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg)        |  ![Yes.](media/svg/check-yes.svg)         |
 |[Device isolation](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg)       |  ![Yes.](media/svg/check-yes.svg)    |
-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![No](media/svg/check-no.svg)       |  ![No](media/svg/check-no.svg)     |
+|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg) <sup>[6]</sup> |  ![Yes.](media/svg/check-yes.svg) <sup>[6]</sup> |
 |[Live Response](live-response.md)       | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg) |  ![Yes.](media/svg/check-yes.svg)       |  ![Yes.](media/svg/check-yes.svg)      |
 
 <sup>[1]</sup> Refers to the modern, unified solution for Windows Server 2012 R2 and Windows Server 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
@@ -71,6 +71,8 @@ The following table gives information about the supported Microsoft Defender for
 
 <sup>[5]</sup> Endpoint & network device discovery is supported on Windows Server 2019 or later, Windows 10, and Windows 11
 
+<sup>[6]</sup> Collect file feature is currently in preview ([Microsoft Defender for Endpoint preview features](/defender-xdr/preview)).  Currently does not support "Deep analysis" or "Block file, stop, and quarantine process".
+
 > [!NOTE]
 > Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and antivirus using System Center Endpoint Protection (SCEP).