Merge branch 'main' into docs-editor/android-configure-mam-1724494175

Author: denisebmsft

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 03/20/2024
+ms.date: 08/26/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -115,17 +115,15 @@ Choose if to Generate an alert on the file block event and define the alerts set
 :::image type="content" source="media/indicators-generate-alert.png" alt-text="The Alert settings for file indicators" lightbox="media/indicators-generate-alert.png":::
 
 > [!IMPORTANT]
->
-> - Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
-> - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
-> - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
-> - If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
->
+> - Typically, file blocks are enforced and removed within15 minutes, average 30 minutes but can take upwards of 2 hours.
+- If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
+- In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
+- If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
+
 > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
->
-> For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
+> > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
 
-## Advanced hunting capabilities (preview)
+> ## Advanced hunting capabilities (preview)
 
 > [!IMPORTANT]
 > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -158,11 +156,17 @@ The response action activity can also be viewable in the device timeline.
 Cert and File IoC policy handling conflicts follow this order:
 
 1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then **Block**.
+
 2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then **Allow**.
+
 3. Else, if the file is blocked or warned by a block or warn file IoCs, then **Block/Warn**.
+
 4. Else, if the file is blocked by SmartScreen, then **Block**.
+
 5. Else, if the file is allowed by an allow file IoC policy, then **Allow**.
+
 6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then **Block**.
+
 7. Else, **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).
 
 > [!NOTE]
@@ -184,15 +188,13 @@ Microsoft Defender Vulnerability Management's block vulnerable application featu
 |Windows Defender Application Control|Allow|Block|Allow|
 |Windows Defender Application Control|Block|Allow|Block|
 |Microsoft Defender Antivirus exclusion|Allow|Block|Allow|
-|
 
 ## See also
 
 - [Create indicators](manage-indicators.md)
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
 - [Create indicators based on certificates](indicator-certificates.md)
 - [Manage indicators](indicator-manage.md)
-
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/indicator-ip-domain.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: 
 search.appverid: met150
-ms.date: 10/06/2023
+ms.date: 08/26/2024
 ---
 
 # Create indicators for IPs and URLs/domains
@@ -46,38 +46,42 @@ You can block malicious IPs/URLs through the settings page or by machine groups,
 > [!NOTE]
 > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
 
-## Before you begin
-
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
-
-### Network Protection requirements
-
-URL/IP allow and block requires that the Microsoft Defender for Endpoint component _Network Protection_ is enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
-
 ### Supported operating systems
 
-- Windows 10, version 1709 or later
 - Windows 11
-- Windows Server 2016
-- Windows Server 2012 R2
-- Windows Server 2019
+- Windows 10, version 1709 or later
 - Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016 running [Defender for Endpoint modern unified solution](/defender-endpoint/configure-server-endpoints) (requires installation through MSI)
+- Windows Server 2012 R2 running [Defender for Endpoint modern unified solution](/defender-endpoint/configure-server-endpoints) (requires installation through MSI)
 - macOS
 - Linux
 - iOS 
 - Android
 
-### Windows Server 2016 and Windows Server 2012 R2 requirements
+## Before you begin
 
-Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2).
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains.
 
 ### Microsoft Defender Antivirus version requirements
 
-The _Antimalware client version_ must be 4.18.1906.x or later.
+This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows) (in active mode)
+
+[Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled
+
+[Cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus) is turned on.
+
+[Cloud Protection network connectivity](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is functional
+
+The antimalware client version must be `4.18.1906.x` or later. See [Monthly platform and engine versions](/defender-endpoint/microsoft-defender-antivirus-updates).
+
+### Network Protection requirements
+
+URL/IP allow and block requires that the Microsoft Defender for Endpoint component _Network Protection_ is enabled in **block mode**. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
 
 ### Custom network indicators requirements
 
-Ensure that **Custom network indicators** is enabled in **Microsoft Defender XDR** \> **Settings** \> **Advanced features**. For more information, see [Advanced features](advanced-features.md).
+To start blocking IP addresses and/or URL's, turn on "**Custom network indicators"** feature in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features**. For more information, see [Advanced features](advanced-features.md).
 
 For support of indicators on iOS, see [Microsoft Defender for Endpoint on iOS](ios-configure-features.md#configure-custom-indicators).
 
@@ -138,7 +142,7 @@ In the case where multiple different action types are set on the same indicator
 2. Warn
 3. Block
 
-_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, Microsoft.com would be allowed.
+_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, `Microsoft.com` would be allowed.
 
 ### Defender for Cloud Apps Indicators
 

defender-for-iot/TOC.yml

@@ -11,7 +11,17 @@
       - name: What's new
         href: whats-new.md  
       - name: Site security
-        href: site-security-overview.md  
+        href: site-security-overview.md     
+      - name: Enterprise IoT
+        items:
+          - name: Enterprise IoT overview
+            href: enterprise-iot.md
+          - name: Enterprise IoT licenses
+            href: enterprise-iot-licenses.md
+          - name: Get started with enterprise IoT
+            href: enterprise-iot-get-started.md      
+          - name: Manage enterprise IoT
+            href: enterprise-iot-manage.md 
     - name: Get started
       items:
       - name: Prerequisites

defender-for-iot/device-discovery.md

@@ -5,7 +5,7 @@ ms.service: defender-for-iot
 author: limwainstein
 ms.author: lwainstein
 ms.localizationpriority: medium
-ms.date: 06/19/2024
+ms.date: 08/19/2024
 ms.topic: conceptual
 ---
 
@@ -64,6 +64,17 @@ Defender for IoT's device inventory supports the following device classes:
 |**Enterprise**|Smart devices, printers,  communication devices, or audio/video devices|
 |**Retail**|Barcode scanners, humidity sensor, punch clocks|
 
+### Identified, unique devices
+
+Defender for IoT can discover all devices, of any type, across all environments. Devices are listed in the Defender for IoT **Device inventory** pages based on a unique IP and MAC address coupling.
+
+Defender for IoT identifies single and unique devices as follows:
+
+|Type  |Description  |
+|---------|---------|
+|**Identified as individual devices**     |    Devices identified as *individual* devices include:<br>**IT, OT, or IoT devices with one or more NICs**, including network infrastructure devices such as switches and routers<br><br>**Note**: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.|
+|**Not identified as individual devices**     | The following items *aren't* considered as individual devices, and do not count against your license:<br><br>- **Public internet IP addresses** <br>- **Multi-cast groups**<br>- **Broadcast groups**<br>- **Inactive devices**<br><br> Network-monitored devices are marked as *inactive* when there's no network activity detected within a specified time:<br><br> - **OT networks**: No network activity detected for more than 60 days<br> - **Enterprise IoT networks**: No network activity detected for more than 30 days<br><br>**Note**: Endpoints already managed by Defender for Endpoint are not considered as separate devices by Defender for IoT.  |
+
 ## Next steps
 
 [Discover and manage devices](manage-devices-inventory.md)

defender-for-iot/enterprise-iot-get-started.md

@@ -0,0 +1,142 @@
+---
+title: Get started for Enterprise IoT for Microsoft Defender for IoT in the Defender portal
+description: Learn how to set up and start monitoring enterprise IoT devices using Microsoft Defender for IoT in the Microsoft Defender portal.
+ms.service: defender-for-iot
+author: limwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 08/25/2024
+ms.topic: how-to
+---
+
+# Get started with enterprise IoT
+
+Enterprise IoT security improves the monitoring and protection of the IoT devices in your network, such as printers, smart TVs, Voice over Internet Protocol (VoIP) devices, conferencing systems and purpose-built, proprietary devices.
+
+The security monitoring includes IoT related alerts, vulnerabilities, and recommendations that are integrated with your existing Microsoft Defender for Endpoint data. To understand more about the integration between Defender for Endpoint and Defender for IoT, see [enterprise IoT overview](enterprise-iot.md).
+
+In this article you'll learn how to add enterprise IoT to your Microsoft Defender portal and use the IoT specific security features to protect your IoT environment.
+
+[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
+
+## Prerequisites
+
+Make sure that you have:
+
+- IoT devices in your network, visible in the Microsoft Defender portal **Device inventory**
+
+- Access to the Microsoft Defender Portal as a [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)
+
+- One of the following licenses:
+
+    - A Microsoft 365 E5 (ME5) or E5 Security license. Enterprise IoT security is included in this package and needs to be turned on.
+
+    - Microsoft Defender for Endpoint P2, with an extra, standalone **Microsoft Defender for IoT - EIoT Device License - add-on** license, available for trial or purchase from the Microsoft 365 admin center.
+
+## Add enterprise IoT security in the Defender portal
+
+There are two ways to add enterprise IoT to the Defender portal:
+
+- ME5/ E5 Security customers: Turn on support for enterprise IoT Security in the Defender Portal. For more information, see [turn on enterprise IoT security](#me5-e5-security-customers).
+
+- Defender for Endpoint P2 customers: Start with a free trial or purchase standalone, per-device licenses to gain the same IoT-specific security value. For more information, see [set up a standalone trial license](#set-up-a-standalone-trial-license). To purchase a full license, see [purchase the standalone full license](#set-up-a-standalone-full-license).
+
+## ME5/ E5 Security customers
+
+This procedure describes how to turn on enterprise IoT security in Defender portal for ME5/ E5 Security customers.
+
+If you have extra devices that aren't covered by your ME5/E5 licenses, you can purchase standalone licenses. For more information, see [set up a standalone full license](#set-up-a-standalone-full-license).
+
+**To turn on enterprise IoT security**:
+
+1. In [Microsoft Defender portal](https://security.microsoft.com/), select **Settings** > **Device Discovery** > **Enterprise IoT**.
+
+    > [!NOTE]
+    >
+    > Ensure you have turned on Device Discovery in **Settings** > **Endpoints** > **Advanced Features**.
+
+1. Toggle the Enterprise IoT security option to **On**. For example:
+
+    :::image type="content" source="media/enterprise-iot-get-started/eiot-toggle-on.png" alt-text="Screenshot of enterprise IoT toggled on in Microsoft Defender portal.":::
+
+## Defender for Endpoint P2 customers
+
+Customers with a Microsoft Defender for Endpoint P2 license only can use a trial standalone license for enterprise IoT security.
+
+You can also purchase a license using the Microsoft 365 admin center. Before purchasing the license you need to [calculate the number of monitored devices in your network](#calculate-monitored-devices-for-enterprise-iot-security) to determine how many licenses you need.
+
+### Set up a standalone trial license
+
+**To start an enterprise IoT trial**:
+
+1. Go to the [Microsoft 365 admin center](https://portal.office.com/AdminPortal/Home#/catalog) > **Marketplace**.
+
+1. Search for the **Microsoft Defender for IoT - EIoT Device License - add-on** and filter the results by **Other services**. For example:
+
+    :::image type="content" source="media/enterprise-iot-get-started/eiot-standalone.png" alt-text="Screenshot of the Marketplace search results for the EIoT Device License.":::
+
+    > [!IMPORTANT]
+    >
+    > The prices shown in this image are for example purposes only and are not intended to reflect actual prices.
+
+1. Under **Microsoft Defender for IoT - EIoT Device License - add-on**, select **Details**.
+
+1. On the **Microsoft Defender for IoT - EIoT Device License - add-on** page, select **Start free trial**. On the **Check out** page, select **Try now**.
+
+> [!TIP]
+> Make sure to [assign your licenses to specific users](/microsoft-365/admin/manage/assign-licenses-to-users) to start using them.
+
+### Set up a standalone full license
+
+Before purchasing a license you must calculate the number of devices you're monitoring.
+
+#### Calculate monitored devices for enterprise IoT security
+
+Use the following procedure to calculate how many devices you need to monitor if:
+
+- You're an ME5/E5 Security customer and think you need to monitor more devices than the devices allocated per ME5/E5 Security license
+- You're a Defender for Endpoint P2 customer who's purchasing standalone enterprise IoT licenses
+
+**To calculate the number of devices you're monitoring:**
+
+1. In [Microsoft Defender portal](https://security.microsoft.com/), select **Assets** > **Devices** to open the **Device inventory** page.
+
+1. Note down the total number of **IoT devices** listed.
+
+    For example:
+
+    :::image type="content" source="media/enterprise-iot-get-started/device-inventory-iot.png" alt-text="Screenshot of network device and IoT devices in the device inventory in Microsoft Defender for Endpoint." lightbox="media/enterprise-iot-get-started/device-inventory-iot.png":::
+
+1. Round your total to a multiple of 100 and compare it against the number of licenses you have. For example:
+
+    - If in Microsoft Defender portal **Device inventory**, you have *1204* IoT devices.
+    - Round down to *1200* devices.
+    - You have 240 ME5 licenses, which cover **1200** devices.
+
+    You need another **4** standalone devices to cover the gap.
+
+For more information, see the [Defender for Endpoint Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery).
+
+> [!NOTE]
+> Devices listed on the **Computers & Mobile** tab, including those managed by Defender for Endpoint or otherwise, are not included in the number of [devices](device-discovery.md#identified-unique-devices) monitored by Defender for IoT.
+
+#### Purchase the standalone license
+
+To purchase the standalone full license:
+
+1. Go to the [Microsoft 365 admin center](https://portal.office.com/AdminPortal/Home#/catalog) **Billing > Purchase services**. If you don't have this option, select **Marketplace** instead.
+
+1. Search for the **Microsoft Defender for IoT - EIoT Device License - add-on** and filter the results by **Other services**. For example:
+
+    :::image type="content" source="media/enterprise-iot-get-started/eiot-standalone.png" alt-text="Screenshot of the Marketplace search results for the EIoT Device License.":::
+
+    > [!IMPORTANT]
+    > The prices shown in this image are for example purposes only and are not intended to reflect actual prices.
+
+1. On the **Microsoft Defender for IoT - EIoT Device License - add-on** page, enter your selected license quantity, select a billing frequency, and then select **Buy**.
+
+For more information, see the [Microsoft 365 admin center help](/microsoft-365/admin/).
+
+## Next steps
+
+[Manage enterprise IoT](enterprise-iot-manage.md)