Merge branch 'public' into patch-1

Author: denisebmsft

ATADocs/docfx.json

@@ -46,7 +46,10 @@
       "layout": "Conceptual",
       "breadcrumb_path": "/advanced-threat-analytics/bread/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "searchScope": ["ATA"]
+      "searchScope": ["ATA"],
+      "contributors_to_exclude": [
+        "beccarobins"
+      ]
     },
     "markdownEngineName": "markdig"
   }

CloudAppSecurityDocs/docfx.json

@@ -42,7 +42,10 @@
       "ms.author": "bagol",
       "ms.collection": "M365-security-compliance",
       "ms.service": "defender-for-cloud-apps",
-      "ms.suite": "ems"
+      "ms.suite": "ems",
+      "contributors_to_exclude": [
+        "beccarobins"
+      ]
     },
     "fileMetadata": {},
     "template": [],

defender-business/docfx.json

@@ -59,7 +59,8 @@
         "v-stchambers",
         "Stacyrch140",
         "garycentric",
-        "alekyaj"
+        "alekyaj",
+        "beccarobins"
       ]
     },
     "fileMetadata": {},

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 11/05/2024
+ms.date: 11/10/2024
 search.appverid: met150
 ---
 
@@ -348,6 +348,14 @@ Advanced hunting action type:
 
 Dependencies: Microsoft Defender Antivirus
 
+Known issues: These applications and "Block credential stealing from the Windows local security authority subsystem" rule, are incompatible:
+
+|Application name|For information|
+| -------- | -------- |
+|Quest Dirsync Password Sync|[Dirsync Password Sync isn’t working when Windows Defender is installed, error: "VirtualAllocEx failed: 5" (4253914)](https://support.quest.com/kb/4253914/dirsync-password-sync-isn-t-working-when-windows-defender-is-installed-error-virtualallocex-failed-5)|
+
+For technical support, contact the software vendor.
+
 ### Block executable content from email client and webmail
 
 This rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers from propagating the following file types:
@@ -482,6 +490,15 @@ Advanced hunting action type:
 
 Dependencies: Microsoft Defender Antivirus
 
+Known issues: These applications and "Block Office applications from injecting code into other processes" rule, are incompatible:
+
+|Application name|For information|
+| -------- | -------- |
+|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](/defender-endpoint/microsoft-defender-antivirus-updates).  |
+|Heimdal security|n/a|
+
+For technical support, contact the software vendor.
+
 ### Block Office communication application from creating child processes
 
 This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.

defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md

@@ -10,7 +10,7 @@ ms.reviewer: yongrhee
 manager: deniseb
 ms.subservice: ngp
 ms.topic: conceptual
-ms.date: 07/25/2024
+ms.date: 11/10/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -64,7 +64,7 @@ You can specify the cloud block timeout period with an [endpoint security policy
 
 3. Select (or create) an antivirus policy.
 
-4. In the **Configuration settings** section, expand **Cloud protection**. Then, in the **Microsoft Defender Antivirus Extended Timeout In Seconds** box, specify the more time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
+4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the timeout, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
 
 5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)
 

defender-endpoint/controlled-folders.md

@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 07/30/2024
+ms.date: 11/06/2024
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -33,12 +33,11 @@ search.appverid: met150
 **Applies to**
 - Windows
 
-
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
 
 ## What is controlled folder access?
 
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, 
 
 > [!NOTE]
 > Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](indicator-certificates.md).
@@ -66,15 +65,6 @@ The [protected folders](#review-controlled-folder-access-events-in-windows-event
 
 You can use [audit mode](overview-attack-surface-reduction.md) to evaluate how controlled folder access would impact your organization if it were enabled.
 
-Controlled folder access is supported on the following versions of Windows:
-
-- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) and later
-- Windows 11
-- Windows 2012 R2
-- Windows 2016
-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
-- Windows Server 2022
-
 ## Windows system folders are protected by default
 
 Windows system folders are protected by default, along with several other folders:
@@ -91,9 +81,9 @@ The protected folders include common system folders (including boot sectors), an
 - `c:\Users\Public\Music`
 - `c:\Users\<username>\Favorites`
 
-Default folders appear in the user's profile, under **This PC**.
-   > [!div class="mx-imgBorder"]
-   > ![Protected Windows default systems folders](media/defaultfolders.png)
+Default folders appear in the user's profile, under **This PC**, as shown in the following image:
+
+![Protected Windows default systems folders](media/defaultfolders.png)
 
 > [!NOTE]
 > You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
@@ -122,33 +112,45 @@ DeviceEvents
 You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
 
 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
+
 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
 3. On the left panel, under **Actions**, select **Import custom view...**.
+
 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](overview-attack-surface-reduction.md).
+
 5. Select **OK**.
 
 The following table shows events related to controlled folder access:
 
 |Event ID|Description|
 |---|---|
-|5007|Event when settings are changed|
-|1124|Audited controlled folder access event|
-|1123|Blocked controlled folder access event|
-|1127|Blocked controlled folder access sector write block event|
-|1128|Audited controlled folder access sector write block event|
+|`5007`|Event when settings are changed|
+|`1124`|Audited controlled folder access event|
+|`1123`|Blocked controlled folder access event|
+|`1127`|Blocked controlled folder access sector write block event|
+|`1128`|Audited controlled folder access sector write block event|
 
 ## View or change the list of protected folders
 
 You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
 
 1. On your Windows 10 or Windows 11 device, open the Windows Security app.
+
 2. Select **Virus & threat protection**.
+
 3. Under **Ransomware protection**, select **Manage ransomware protection**.
+
 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
+
 5. Do one of the following steps:
+
    - To add a folder, select **+ Add a protected folder**.
    - To remove a folder, select it, and then select **Remove**.
 
-> [!NOTE]
-> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
+   > [!IMPORTANT]
+   > Do not add local share paths (loopbacks) as protected folders. Use the local path instead. For example, if you have shared `C:\demo` as `\\mycomputer\demo`, do not add `\\mycomputer\demo` to the list of protected folders. Instead add `C:\demo`.
+
+[Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/docfx.json

@@ -59,7 +59,8 @@
         "v-stchambers",
         "Stacyrch140",
         "garycentric",
-        "alekyaj"
+        "alekyaj",
+        "beccarobins"
       ]
     },
     "fileMetadata": {},

defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 ms.topic: how-to
 author: denisebmsft
 ms.author: deniseb
-ms.date: 04/03/2024
+ms.date: 11/10/2024
 ms.reviewer: pahuijbr
 manager: deniseb
 ms.custom: nextgen
@@ -81,7 +81,7 @@ For more information about the specific network-connectivity requirements to ens
 
    | Task  | Steps  |
    |---------|---------|
-   | Create a new policy     | 1. For **Platform**, select **Windows 10, Windows 11, and Windows Server**. <br/><br/>2. For **Profile**, select **Microsoft Defender Antivirus**.<br/><br/>3. On the **Basics** page, specify a name and description for the policy, and then choose **Next**.<br/><br/>4. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**. Then choose **Next**. <br/><br/>5. Scroll down to **Submit Samples Consent**, and select one of the following settings:<br/>- **Send all samples automatically**<br/>- **Send safe samples automatically**<br/><br/>6. On the **Scope tags** step, if your organization is using [scope tags](/mem/intune/fundamentals/scope-tags), select the tags you want to use, and then choose **Next**.<br/><br/>7. On the **Assignments** step, select the groups, users, or devices that you want to apply this policy to, and then choose **Next**.<br/><br/>8. On the **Review + create** step, review the settings for your policy, and then choose **Create**.          |
+   | Create a new policy     | 1. For **Platform**, select **Windows**. <br/><br/>2. For **Profile**, select **Microsoft Defender Antivirus**.<br/><br/>3. On the **Basics** page, specify a name and description for the policy, and then choose **Next**.<br/><br/>4. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**.<br/><br/>5. Scroll down to **Submit Samples Consent**, and select one of the following settings:<br/>- **Send all samples automatically**<br/>- **Send safe samples automatically**<br/><br/>6. On the **Scope tags** step, if your organization is using [scope tags](/mem/intune/fundamentals/scope-tags), select the tags you want to use, and then choose **Next**.<br/><br/>7. On the **Assignments** step, select the groups, users, or devices that you want to apply this policy to, and then choose **Next**.<br/><br/>8. On the **Review + create** step, review the settings for your policy, and then choose **Create**.          |
    | Edit an existing policy     | 1. Select the policy that you want to edit.<br/><br/>2. Under **Configuration settings**, choose **Edit**.<br/><br/>3. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**.<br/><br/>4. Scroll down to **Submit Samples Consent**, and select one of the following settings:<br/>- **Send all samples automatically**<br/>- **Send safe samples automatically**<br/><br/>5. Select **Review + save**.        |
 
 > [!TIP]

defender-endpoint/mac-preferences.md

@@ -2,9 +2,10 @@
 title: Set preferences for Microsoft Defender for Endpoint on Mac
 description: Configure Microsoft Defender for Endpoint on Mac in enterprise organizations.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
+ms.reviewer: yongrhee
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: 
@@ -14,7 +15,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: macos
 search.appverid: met150
-ms.date: 08/15/2024
+ms.date: 11/11/2024
 ---
 
 # Set preferences for Microsoft Defender for Endpoint on macOS
@@ -681,7 +682,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
         <key>PayloadOrganization</key>
         <string>Microsoft</string>
         <key>PayloadIdentifier</key>
-        <string>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
         <key>PayloadDisplayName</key>
         <string>Microsoft Defender for Endpoint settings</string>
         <key>PayloadDescription</key>

defender-endpoint/manage-indicators.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 01/18/2024
+ms.date: 11/05/2024
 ---
 
 # Create indicators
@@ -150,9 +150,10 @@ The functionality of pre-existing IoCs won't change. However, the indicators wer
 The IoC API schema and the threat IDs in advance hunting are updated to align with the renaming of the IoC response actions. The API scheme changes apply to all IoC Types.
 
 > [!NOTE]
->
-> There is a limit of 15,000 indicators per tenant. File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
->
+> There is a limit of 15,000 indicators per tenant. Increases to this limit are not supported.
+> 
+> File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
+> 
 > The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel.
 
 ## Known issues and limitations