Merge branch 'main' into docs-editor/device-control-policies-1726495676

Author: denisebmsft

defender-endpoint/TOC.yml

@@ -41,9 +41,9 @@ Apple fixed an issue on macOS [Ventura upgrade](https://developer.apple.com/docu
 
 In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices.  At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
 
-**Sonoma support**
+**Sequoia support**
 
-Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
+Microsoft Defender supports macOS Sequoia (15) in the current Defender release.
 
 **macOS Deprecation**
 

defender-endpoint/mac-whatsnew.md

@@ -0,0 +1,83 @@
+---
+title: Use safe deployment practices to safeguard your environment
+description: Plan, implement, adopt, and manage safe deployment practices to safeguard and manage your environment
+keywords: mde safe deployment practices
+author: siosulli
+ms.author: siosulli
+manager: deniseb
+ms.date: 09/16/2024
+ms.topic: conceptual
+ms.service: defender-endpoint
+ms.subservice: ngp
+ms.localizationpriority: high
+ms.custom: get-started
+ms.collection:
+- tier1
+- highpri
+---
+
+# Use safe deployment practices to safeguard and manage your environment
+
+Microsoft follows safe deployment practices (SDP) to minimize the risk of security updates having an unexpected impact. This article describes Microsoft Defender for Endpoint’s approach to SDP and what customers can do to manage their own roll-out processes to add an extra layer of control.
+
+Microsoft Defender for Endpoint ships updates externally only after all the certification and validation tests are completed across multiple iterations of internal devices. 
+
+Defender for Endpoint applies SDP to two distinct update mechanisms:
+
+- Software and driver updates that are updated monthly (can potentially update kernel-mode components).
+- Security intelligence and detection logic updates that can be updated multiple times a day (updates only apply to user-mode components).
+
+## Monthly SDP software and driver updates
+
+Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs. 
+
+Defender for Endpoint’s kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
+
+The process for rolling out software and driver updates for Defender for Endpoint is shown in this image:
+
+:::image type="content" alt-text="process for rolling out software and driver updates for Defender for Endpoint" source="/defender/media/defender-endpoint/mde-software-driver-updates.png" lightbox="/defender/media/defender-endpoint/mde-software-driver-updates.png":::
+
+### Microsoft SDP for monthly updates
+
+All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft’s hundreds of thousands of employees and millions of internal devices. This helps ensure Microsoft discovers and addresses issues first, before customers.
+ 
+Within each ring, Microsoft closely monitors quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices.
+ 
+Once internal testing is successfully completed, Microsoft then releases the updates externally in a staggered manner to ensure stability. During this time, Microsoft continuously monitors the rollout to ensure a quick response and remote resolution of any issues by reverting or reissuing update packages.
+
+### Customer SDP for monthly updates 
+
+In addition to Microsoft’s safe deployment practices, organizations can also manage monthly updates with their own safe deployment practices through various controls:
+
+- [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md) to control the delivery of agent updates to their devices. Customers can control the rings that are assigned to their device group and when each ring receives updates. For example, place lower-valued assets in earlier rings and higher-valued assets in later rings.
+- Apply patch management software and practices for security component updates that can also arrive in the form of monthly Latest Cumulative Updates (LCUs).
+- Use [rollback controls](microsoft-defender-antivirus-updates.md#how-to-roll-back-an-update) or automated rollback options to revert or reset components to a last known good state. 
+
+> [!NOTE]
+> Caution is advised when rolling back an update across a large group of devices.
+
+## Daily SDP security intelligence and detection logic updates
+
+Microsoft releases security intelligence updates that once installed on devices supplement the real-time local and cloud-based machine learning models, behavior analysis, and heuristics that enable Defender for Endpoint to neutralize the latest known cyberthreats.
+
+Given the high frequency at which these updates need to be delivered to protect customers, it’s not possible to deploy them through the same deployment process. Therefore, Defender for Endpoint doesn't include kernel changes in intelligence updates. Instead, daily updates are only delivered to components that run in the user mode of the operating system. This approach helps mitigate the risk of these more frequent updates from impacting the broader operating system and, in the unlikely event of an error, limits the risk of significant negative effects like system crashes and ensures devices can be automatically recovered.
+
+### Microsoft SDP for daily updates 
+
+Similar to the process for software and driver updates, Microsoft ships security intelligence updates after extensive testing and rolls them out starting with internal devices, early access customers, and then releases them externally in a controlled, gradual manner. Microsoft continually monitors telemetry and can mitigate issues through the cloud in minutes.
+
+### Customer SDP for daily updates
+
+Customers can also manage security intelligence updates with their own safe deployment policies through various measures:
+
+- Stage updates through [corporate networks](microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md#setting-up-the-pilot-environment) or software management solutions.
+- Apply updates at a lower frequency for critical systems. Daily releases can be applied at a lower frequency for certain device groups, including servers critical to running your infrastructure.
+- Use [rollback controls](microsoft-defender-antivirus-updates.md#how-to-roll-back-an-update) to revert or reset components to a last known good state.
+
+## Related articles
+
+- [microsoft-defender-antivirus-ring-deployment](microsoft-defender-antivirus-ring-deployment.md)
+- [manage-protection-updates-microsoft-defender-antivirus](manage-protection-updates-microsoft-defender-antivirus.md)
+- [microsoft-defender-antivirus-updates](microsoft-defender-antivirus-updates.md)
+- [mac-updates](mac-updates.md)
+- [linux-support-offline-security-intelligence-update](linux-support-offline-security-intelligence-update.md)

defender-endpoint/mde-sdp-strategy.md

@@ -98,6 +98,22 @@ All our updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### August-2024 (Platform: 4.18.24080.9 | Engine: 1.1.24080.9)
+
+- Security intelligence update version: **1.419.1.0**
+- Release date: **September 17, 2024** (Engine and Platform)
+- Platform: **4.18.24080.9**
+- Engine: **1.1.24080.9**
+- Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Added a new parameter to get-mppreference cmdlet (ControlledFolderAccessDefaultProtectedFolders) to show default protected folders for Controlled Folder Access (CFA).
+- Fixed an issue with Device Control regarding printer security checks.
+- Resolved an issue with platform rollback after an upgrade from Windows 10 to 11.
+- Fixed an issue where volume exclusions weren't properly enforced in real-time protection after the completion of OOBE.
+- Removed support for Windows RT devices, for example, Surface RT, that use 32-bit ARM processors and have reached their end-of-servicing date.
+
 ### July-2024 (Platform: 4.18.24070.5 | Engine: 1.1.24070.3)
 
 - Security intelligence update version: **1.417.14.0**

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -71,7 +71,7 @@ There are several methods and deployment tools that you can use to install and c
 
 The three most recent major releases of macOS are supported.
 
-- 14 (Sonoma), 13 (Ventura), 12 (Monterey)
+- 15 (Sequoia), 14 (Sonoma), 13 (Ventura), 12 (Monterey)
 
   > [!IMPORTANT]
   > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md).

defender-endpoint/microsoft-defender-endpoint-mac.md

@@ -2,8 +2,8 @@
 title: Supported Microsoft Defender for Endpoint capabilities by platform
 description: Get to know the Microsoft Defender for Endpoint capabilities supported for Windows 10 devices, servers, and non-Windows devices.
 ms.service: defender-endpoint
-ms.author: siosulli
-author: siosulli
+ms.author: deniseb
+author: denisebmsft
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 07/17/2024
+ms.date: 09/18/2024
 ---
 
 # Supported Microsoft Defender for Endpoint capabilities by platform
@@ -58,7 +58,7 @@ The following table gives information about the supported Microsoft Defender for
 |[Device response capabilities: collect investigation package ](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg) <sup>[3]</sup>       |  ![Yes.](media/svg/check-yes.svg) <sup>[3]</sup>        |
 |[Device response capabilities: run antivirus scan](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg)        |  ![Yes.](media/svg/check-yes.svg)         |
 |[Device isolation](respond-machine-alerts.md)        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg)       |  ![Yes.](media/svg/check-yes.svg)    |
-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![No](media/svg/check-no.svg)       |  ![No](media/svg/check-no.svg)     |
+|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes        | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg)   |  ![Yes.](media/svg/check-yes.svg) <sup>[6]</sup> |  ![Yes.](media/svg/check-yes.svg) <sup>[6]</sup> |
 |[Live Response](live-response.md)       | ![Yes.](media/svg/check-yes.svg)        | ![Yes.](media/svg/check-yes.svg) |  ![Yes.](media/svg/check-yes.svg)       |  ![Yes.](media/svg/check-yes.svg)      |
 
 <sup>[1]</sup> Refers to the modern, unified solution for Windows Server 2012 R2 and Windows Server 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
@@ -71,6 +71,8 @@ The following table gives information about the supported Microsoft Defender for
 
 <sup>[5]</sup> Endpoint & network device discovery is supported on Windows Server 2019 or later, Windows 10, and Windows 11
 
+<sup>[6]</sup> Collect file feature is currently in preview ([Microsoft Defender for Endpoint preview features](/defender-xdr/preview)).  Currently does not support "Deep analysis" or "Block file, stop, and quarantine process".
+
 > [!NOTE]
 > Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and antivirus using System Center Endpoint Protection (SCEP).
 

defender-endpoint/supported-capabilities-by-platform.md

@@ -43,15 +43,15 @@ The key device discovery capabilities are:
 
 |Capability|Description|
 |---|---|
-|OT device management|[Manage OT devices](manage-devices-inventory.md):<br>- Build an up-to-date inventory that includes all your managed and unmanaged devices.<br>- Classify critical devices to ensure that the most important assets in your organization are protected.<br>- Add organization-specific information to emphasize your organization preferences.|
+|OT device management|[Manage OT devices](manage-devices-inventory.md):<br>- Build an up-to-date inventory that includes all your managed and unmanaged devices.<br>- Discover your organization Building Management Systems (BMS) devices such as **Motion detector**, **Fire Alarm**, and **Elevators**.<br>- Classify critical devices to ensure that the most important assets in your organization are protected.<br>- Add organization-specific information to emphasize your organization preferences.|
 |Device protection with risk-based approach|Identify risks such as missing patches, vulnerabilities and prioritize fixes based on risk scoring and automated threat modeling.|
 |Device alignment with physical sites|Allows contextual security monitoring. Use the **Site** filter to manage each site separately. Learn more about [filters](/defender-endpoint/machines-view-overview#use-filters-to-customize-the-device-inventory-views).|
 |Device groups|Allows different teams in your organization to monitor and manage relevant assets only. Learn more about [creating a device group](/defender-endpoint/machine-groups#create-a-device-group).|
 |Device criticality|Reflects how critical a device is for your organization and allows you to identify a device as a business critical asset. Learn more about [device criticality](/defender-endpoint/machines-view-overview#device-inventory-overview).|
 
 ## Supported devices
 
-Defender for IoT's device inventory supports the following device classes:
+Defender for IoT's device inventory supports the following device categories:
 
 |Devices|Example|
 |---|---|
@@ -60,10 +60,12 @@ Defender for IoT's device inventory supports the following device classes:
 |**Health care**|Glucose meters, monitors|
 |**Transportation / Utilities**|Turnstiles, people counters, motion sensors, fire and safety systems, intercoms|
 |**Energy and resources**|DCS controllers, PLCs, historian devices, HMIs|
-|**Endpoint devices**|Workstations, servers, or mobile devices|
-|**Enterprise**|Smart devices, printers,  communication devices, or audio/video devices|
 |**Retail**|Barcode scanners, humidity sensor, punch clocks|
 
+For Enterprise device discovery information, see [Enterprise device discovery](/defender-for-iot/enterprise-iot).
+
+For Endpoint device discovery information, see [Endpoint device discovery](/defender-endpoint/device-discovery).
+
 ### Identified, unique devices
 
 Defender for IoT can discover all devices, of any type, across all environments. Devices are listed in the Defender for IoT **Device inventory** pages based on a unique IP and MAC address coupling.
@@ -72,8 +74,8 @@ Defender for IoT identifies single and unique devices as follows:
 
 |Type  |Description  |
 |---------|---------|
-|**Identified as individual devices**     |    Devices identified as *individual* devices include:<br>**IT, OT, or IoT devices with one or more NICs**, including network infrastructure devices such as switches and routers<br><br>**Note**: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.|
-|**Not identified as individual devices**     | The following items *aren't* considered as individual devices, and do not count against your license:<br><br>- **Public internet IP addresses** <br>- **Multi-cast groups**<br>- **Broadcast groups**<br>- **Inactive devices**<br><br> Network-monitored devices are marked as *inactive* when there's no network activity detected within a specified time:<br><br> - **OT networks**: No network activity detected for more than 60 days<br> - **Enterprise IoT networks**: No network activity detected for more than 30 days<br><br>**Note**: Endpoints already managed by Defender for Endpoint are not considered as separate devices by Defender for IoT.  |
+|**Identified as individual devices**     |    Devices identified as *individual* devices include:<br>**OT or BMS unmanaged devices with one or more NICs**, including network infrastructure devices such as switches and routers<br><br>**Note**: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.|
+|**Not identified as individual devices**     | The following items *aren't* considered as individual devices, and don't count against your license:<br><br>- **Public internet IP addresses** <br>- **Multi-cast groups**<br>- **Broadcast groups**<br>- **Inactive devices**<br><br> Network-monitored devices are marked as *inactive* when there's no network activity detected within a specified time:<br><br> - **OT networks**: No network activity detected for more than 60 days<br><br>**Note**: Endpoints already managed by Defender for Endpoint aren't considered as separate devices by Defender for IoT.  |
 
 ## Next steps
 

defender-for-iot/device-discovery.md

@@ -21,7 +21,7 @@ In this article you'll learn how to add enterprise IoT to your Microsoft Defende
 
 ## Prerequisites
 
-Make sure that you have:
+Before you start, you need:
 
 - IoT devices in your network, visible in the Microsoft Defender portal **Device inventory**
 

defender-for-iot/enterprise-iot-get-started.md

@@ -25,7 +25,7 @@ Before you start, you need:
 
     For more information, see [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses) and [About admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
 
-- A Microsoft 365 E5/ Defender for Endpoint Plan 2/ E5 security license.
+- A Microsoft 365 E5 or E5 security license or a Defender for Endpoint P2 license.
 
 - Microsoft Defender for Endpoint agents deployed in your environment. For more information, see [onboard Microsoft Defender for Endpoint](/defender-endpoint/onboarding).
 

defender-for-iot/prerequisites.md

@@ -16,6 +16,20 @@ This article describes features available in Microsoft Defender for IoT in the D
 
 [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
 
+## September 2024
+
+|Service area  |Updates  |
+|---------|---------|
+| **OT networks** | - [New Device Category Added – Building Management Systems (BMS)](#new-device-category-added--building-management-systems-bms) |
+
+### New Device Category Added – Building Management Systems (BMS)
+
+A new BMS device category has been added to the MDIoT license aiming to improve BMS device discovery and security. The BMS category includes a subset of Smart Facility and Surveillance devices (previously under the IoT category) such as fire alarms, humidity sensors, security radars, etc. These devices now require an Microsoft Defender for IoT site-based license for full protection.
+
+Cameras devices will remain under the IoT category.
+
+For more information, see [overview of device discovery](device-discovery.md).
+
 ## July 2024
 
 |Service area  |Updates  |