Merge branch 'main' into docs-editor/virus-initiative-criteria-1731963855

Author: diannegali

defender-endpoint/android-intune.md

@@ -27,18 +27,19 @@ ms.date: 11/15/2024
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
-**Ending support for Device Administrator enrolled devices**
-
-Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024.
-
-**For devices with access to GMS**
-
-After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: 
-
-- Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
-- Intune and Defender for Endpoint technical support will no longer support these devices.
+> [!IMPORTANT]
+> **Ending support for Device Administrator enrolled devices**
+> Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024.
+> 
+> **For devices with access to GMS**
+> 
+> After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: 
+> 
+> - Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
+> - Intune and Defender for Endpoint technical support will no longer support these devices.
+> 
+> For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
 
-For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
 
 **Aug-2024 (version: 1.0.6812.0101)**
 

defender-endpoint/android-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 11/10/2024
+ms.date: 11/18/2024
 search.appverid: met150
 ---
 
@@ -330,6 +330,11 @@ By default the state of this rule is set to block. In most cases, many processes
 
 Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.
 
+> [!TIP]
+> 1. ASR audit events don't generate toast notifications. However, since the LSASS ASR rule produces large volume of audit events, almost all of which are safe to ignore when the rule is enabled in block mode, you can choose to skip the audit mode evaluation and proceed to block mode deployment, beginning with a small set of devices and gradually expanding to cover the rest.
+> 2. The rule is designed to suppress block reports/toasts for friendly processes. It is also designed to drop reports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of whether toast notifications are enabled or disabled. 
+> 3. ASR in warn mode is designed to present users with a block toast notification that includes an "Unblock" button. Due to the "safe to ignore" nature of LSASS ASR blocks and their large volume, WARN mode is not advisable for this rule (irrespective of whether toast notifications are enabled or disabled).
+
 > [!NOTE]
 > In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. 
 > The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode.

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -173,7 +173,7 @@ To test streamlined connectivity for devices not yet onboarded to Defender for E
 
 - Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` , where parameter is of GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with applicable tenant geo.
 
-As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/BetaMDEAnalyzer
+As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/MDEClientAnalyzerPreview
 
 
 > [!NOTE]

defender-endpoint/configure-device-connectivity.md

@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 11/06/2024
+ms.date: 11/19/2024
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -40,7 +40,7 @@ search.appverid: met150
 Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, 
 
 > [!NOTE]
-> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](indicator-certificates.md).
+> Scripting engines like PowerShell are not trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
 
 Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
 

defender-endpoint/controlled-folders.md

@@ -29,7 +29,7 @@ Learn how to download the Microsoft Defender for Endpoint client analyzer on sup
 ## Download client analyzer for Windows OS
 
 1. The latest stable edition is available for download from following URL: <https://aka.ms/MDEAnalyzer>
-2. The latest preview edition is available for download from following URL: <https://aka.ms/BetaMDEAnalyzer>
+2. The latest preview edition is available for download from following URL: <https://aka.ms/MDEClientAnalyzerPreview>
 
 ## Download client analyzer for macOS or Linux
 

defender-endpoint/download-client-analyzer.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 11/15/2024
+ms.date: 11/21/2024
 ---
 
 # Evaluate exploit protection
@@ -37,7 +37,7 @@ In audit, you can see how mitigation works for certain apps in a test environmen
 
 Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.  
 
-#### What kinds of Software shouldn't be protected by exploit protection?
+#### What kinds of software shouldn't be protected by exploit protection?
 
 - Anti-malware and intrusion prevention or detection software
 - Debuggers
@@ -55,6 +55,40 @@ Services
 - System services
 - Network services
 
+## Exploit protection mitigations enabled by default
+
+| Mitigation | Enabled by default |
+| -------- | -------- |
+| Data Execution Prevention (DEP) | 64-bit and 32-bit applications |
+| Validate exception chains (SEHOP) | 64-bit applications |
+| Validate heap integrity | 64-bit and 32-bit applications |
+
+## Deprecated "Program settings" mitigations
+
+| “Program settings” mitigations | Reason |
+| -------- | -------- |
+| Export address filtering (EAF) | Application compatibility issues |
+| Import address filtering (IAF) | Application compatibility issues |
+| Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) |
+
+## Office application best practices
+
+Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules):
+
+- [Block executable content from email client and webmail ](attack-surface-reduction-rules-reference.md#block-executable-content-from-email-client-and-webmail)
+- [Block Office applications from creating executable content](attack-surface-reduction-rules-reference.md#block-office-applications-from-creating-executable-content)
+- [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes)
+- [Block Office communication application from creating child processes](attack-surface-reduction-rules-reference.md#block-office-communication-application-from-creating-child-processes)
+- [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes)
+- [Block execution of potentially obfuscated scripts](attack-surface-reduction-rules-reference.md#block-execution-of-potentially-obfuscated-scripts)
+- [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros)
+
+For Adobe Reader use the following ASR rule:
+
+•	[Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes)
+
 ## Application compatibility list
 
 The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -69,7 +103,7 @@ The following table lists specific products that have compatibility issues with
 | DropBox   | EAF  |
 | Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
 | Google Chrome   | EAF+   |
-| Immidio Flex+   | Cell 4   |
+| Immidio Flex+   | EAF   |
 | Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
 | Microsoft PowerPoint   | EAF   |
 | Microsoft Teams   | EAF+   |
@@ -82,7 +116,38 @@ The following table lists specific products that have compatibility issues with
 
 ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
-## Enable exploit protection for testing
+## Enable exploit protection system settings for testing
+
+These Exploit Protection system settings are enabled by default on Windows 10 and later, Windows Server 2019 and later, and on Windows Server version 1803 core edition and later.
+
+| System settings | Setting |
+| -------- | -------- |
+| Control flow guard (CFG) | Use default (On) |
+| Data Execution Prevention (DEP) | Use default (On) |
+| Force randomization for images (Mandatory ASRL) | Use default (On) |
+| Randomize memory allocations (Bottom-up ASRL) | Use default (On) |
+| High-entropy ASRL | Use default (On) |
+| Validate exception chains (SEHOP) | Use default (On) |
+
+The xml sample is available below
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<MitigationPolicy>
+  <SystemConfig>
+    <DEP Enable="true" EmulateAtlThunks="false" />
+    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
+    <ControlFlowGuard Enable="true" SuppressExports="false" />
+    <SEHOP Enable="true" TelemetryOnly="false" />
+    <Heap TerminateOnError="true" />
+  </SystemConfig>
+</MitigationPolicy>
+```
+
+## Enable exploit protection program settings for testing
+
+> [!TIP] 
+> We highly recommend reviewing the modern approach for vulnerability mitigations, which is to use [Attack Surface Reduction rules (ASR rules)](attack-surface-reduction.md).
 
 You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
 

defender-endpoint/evaluate-exploit-protection.md

@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 11/21/2024
 ---
 
 # Protect devices from exploits
@@ -60,6 +60,23 @@ DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
 
+### Exploit Protection and advanced hunting
+
+Below are the advanced hunting actiontypes available for Exploit Protection.
+
+| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes | 
+|:---|:---|
+| Arbitrary code guard | ExploitGuardAcgAudited <br/> ExploitGuardAcgEnforced <br/>|
+| Don't allow child processes | ExploitGuardChildProcessAudited <br/> ExploitGuardChildProcessBlocked <br/> |
+| Export address filtering (EAF) | ExploitGuardEafViolationAudited <br/> ExploitGuardEafViolationBlocked <br/> |
+| Import address filtering (IAF) | ExploitGuardIafViolationAudited <br/> ExploitGuardIafViolationBlocked <br/> |
+| Block low integrity images | ExploitGuardLowIntegrityImageAudited <br/> ExploitGuardLowIntegrityImageBlocked <br/> |
+| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited <br/> ExploitGuardNonMicrosoftSignedBlocked <br/> |
+|•	Simulate execution (SimExec)<br/> •	Validate API invocation (CallerCheck) <br/> •	Validate stack integrity (StackPivot) <br/> | ExploitGuardRopExploitAudited <br/> ExploitGuardRopExploitBlocked <br/> |
+| Block remote images | ExploitGuardSharedBinaryAudited <br/> ExploitGuardSharedBinaryBlocked <br/> |
+| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited <br/> ExploitGuardWin32SystemCallBlocked <br/>|
+
+
 ## Review exploit protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:<br/><br/>
@@ -126,7 +143,6 @@ The table in this section indicates the availability and support of native mitig
 |Validate image dependency integrity | Yes | No |
 
 > [!NOTE]
-
 > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the [Mitigation threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit).
 
 ## See also

defender-endpoint/exploit-protection.md

@@ -6,7 +6,7 @@ author: deniseb
 ms.author: deniseb
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 10/30/2024
+ms.date: 11/18/2024
 audience: ITPro
 ms.collection:
 - m365-security
@@ -41,7 +41,7 @@ For more information on Microsoft Defender for Endpoint on other operating syste
 
 - In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device control's ability to intercept and block access to Bluetooth devices.  At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1.
 
-- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.0.1 or newer.
+- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.1 or newer.
 
 ## Sequoia support
 

defender-endpoint/mac-whatsnew.md

@@ -32,7 +32,7 @@ You can collect the Defender for Endpoint analyzer support logs remotely using [
 
 ## Option 2: Run MDE Client Analyzer locally
 
-1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [Beta MDE Client Analyzer tool](https://aka.ms/BetaMDEAnalyzer) to the Windows device you want to investigate.
+1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [Beta MDE Client Analyzer tool](https://aka.ms/MDEClientAnalyzerPreview) to the Windows device you want to investigate.
 
    The file is saved to your Downloads folder by default.