Merge branch 'main' into siosulli-patch-2

Author: siosulli

defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md

@@ -3,7 +3,7 @@ title: Configure custom exclusions for Microsoft Defender Antivirus
 description: You can exclude files (including files modified by specified processes) and folders from Microsoft Defender Antivirus scans.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 01/02/2024
+ms.date: 09/13/2024
 author: siosulli
 ms.author: siosulli
 ms.custom: nextgen
@@ -59,9 +59,11 @@ If you're using another tool, such as Configuration Manager or Group Policy, or
 
 3. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
 
-   - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list must be separated with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
-   - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
-   - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+   - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list, with one file type per line. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
+
+   - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list, with one path per line. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+
+   - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list, with one file type per line. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
 
 4. Choose **Review + save**, and then choose **Save**.
 
@@ -78,8 +80,10 @@ If you're using another tool, such as Configuration Manager or Group Policy, or
 5. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
 
    - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
-   - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
-   - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+
+   - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list, with one path per line. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+   
+   - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list, with one file type per line. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
 
 6. On the **Scope tags** tab, if you're using scope tags in your organization, specify scope tags for the policy you're creating. (See [Scope tags](/mem/intune/fundamentals/scope-tags).)
 
@@ -91,9 +95,9 @@ If you're using another tool, such as Configuration Manager or Group Policy, or
 
 Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious.
 
-Exclusions directly affect the ability for Microsoft Defender Antivirus to block, remediate, or inspect events related to the files, folders, or processes that are added to the exclusion list. Custom exclusions can affect features that are directly dependent on the antivirus engine (such as protection against malware, [file IOCs](indicator-file.md), and [certificate IOCs](indicator-certificates.md)). Process exclusions also affect [network protection](network-protection.md) and [attack surface reduction rules](attack-surface-reduction.md). Specifically, a process exclusion on any platform causes network protection and ASR to be unable to inspect traffic or enforce rules for that specific process.
+Exclusions directly affect the ability for Microsoft Defender Antivirus to block, remediate, or inspect events related to the files, folders, or processes that are added to the exclusion list. Custom exclusions can affect features that are directly dependent on the antivirus engine (such as protection against malware, [file IOCs](indicator-file.md), and [certificate IOCs](indicator-certificates.md)). Process exclusions also affect [network protection](network-protection.md) and [attack surface reduction rules](attack-surface-reduction.md). Specifically, a process exclusion on any platform causes network protection and attack surface reduction capabilities to be unable to inspect traffic or enforce rules for that specific process.
 
-Keep the following points in mind when you're defining exclusions:
+Remember these important points:
 
 - Exclusions are technically a protection gap. Consider all your options when defining exclusions. See [Submissions, suppressions, and exclusions](defender-endpoint-antivirus-exclusions.md#submissions-suppressions-and-exclusions).
 
@@ -121,4 +125,4 @@ If exclusions can't be removed for the Exchange processes and folders, keep in m
 - [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md)
 - [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md)
 
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/mac-whatsnew.md

@@ -41,9 +41,9 @@ Apple fixed an issue on macOS [Ventura upgrade](https://developer.apple.com/docu
 
 In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices.  At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
 
-**Sonoma support**
+**Sequoia support**
 
-Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
+Microsoft Defender supports macOS Sequoia (15) in the current Defender release.
 
 **macOS Deprecation**
 

defender-endpoint/manage-gradual-rollout.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 01/12/2024
+ms.date: 09/13/2024
 ---
 
 # Manage the gradual rollout process for Microsoft Defender updates
@@ -95,7 +95,7 @@ You can also assign a machine to a channel to define the cadence in which it rec
 |Channel name|Description|Application|
 |---|---|---|
 |Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
-|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.|
+|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates after the gradual release cycle. Suggested to apply to a broad set of devices in your production population. Note: this setting applies to all Defender updates.|
 |(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.|
 
 > [!NOTE]

defender-endpoint/microsoft-defender-endpoint-mac.md

@@ -71,7 +71,7 @@ There are several methods and deployment tools that you can use to install and c
 
 The three most recent major releases of macOS are supported.
 
-- 14 (Sonoma), 13 (Ventura), 12 (Monterey)
+- 15 (Sequoia), 14 (Sonoma), 13 (Ventura), 12 (Monterey)
 
   > [!IMPORTANT]
   > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md).

defender-for-iot/device-discovery.md

@@ -43,15 +43,15 @@ The key device discovery capabilities are:
 
 |Capability|Description|
 |---|---|
-|OT device management|[Manage OT devices](manage-devices-inventory.md):<br>- Build an up-to-date inventory that includes all your managed and unmanaged devices.<br>- Classify critical devices to ensure that the most important assets in your organization are protected.<br>- Add organization-specific information to emphasize your organization preferences.|
+|OT device management|[Manage OT devices](manage-devices-inventory.md):<br>- Build an up-to-date inventory that includes all your managed and unmanaged devices.<br>- Discover your organization Building Management Systems (BMS) devices such as **Motion detector**, **Fire Alarm**, and **Elevators**.<br>- Classify critical devices to ensure that the most important assets in your organization are protected.<br>- Add organization-specific information to emphasize your organization preferences.|
 |Device protection with risk-based approach|Identify risks such as missing patches, vulnerabilities and prioritize fixes based on risk scoring and automated threat modeling.|
 |Device alignment with physical sites|Allows contextual security monitoring. Use the **Site** filter to manage each site separately. Learn more about [filters](/defender-endpoint/machines-view-overview#use-filters-to-customize-the-device-inventory-views).|
 |Device groups|Allows different teams in your organization to monitor and manage relevant assets only. Learn more about [creating a device group](/defender-endpoint/machine-groups#create-a-device-group).|
 |Device criticality|Reflects how critical a device is for your organization and allows you to identify a device as a business critical asset. Learn more about [device criticality](/defender-endpoint/machines-view-overview#device-inventory-overview).|
 
 ## Supported devices
 
-Defender for IoT's device inventory supports the following device classes:
+Defender for IoT's device inventory supports the following device categories:
 
 |Devices|Example|
 |---|---|
@@ -60,10 +60,12 @@ Defender for IoT's device inventory supports the following device classes:
 |**Health care**|Glucose meters, monitors|
 |**Transportation / Utilities**|Turnstiles, people counters, motion sensors, fire and safety systems, intercoms|
 |**Energy and resources**|DCS controllers, PLCs, historian devices, HMIs|
-|**Endpoint devices**|Workstations, servers, or mobile devices|
-|**Enterprise**|Smart devices, printers,  communication devices, or audio/video devices|
 |**Retail**|Barcode scanners, humidity sensor, punch clocks|
 
+For Enterprise device discovery information, see [Enterprise device discovery](/defender-for-iot/enterprise-iot).
+
+For Endpoint device discovery information, see [Endpoint device discovery](/defender-endpoint/device-discovery).
+
 ### Identified, unique devices
 
 Defender for IoT can discover all devices, of any type, across all environments. Devices are listed in the Defender for IoT **Device inventory** pages based on a unique IP and MAC address coupling.
@@ -72,8 +74,8 @@ Defender for IoT identifies single and unique devices as follows:
 
 |Type  |Description  |
 |---------|---------|
-|**Identified as individual devices**     |    Devices identified as *individual* devices include:<br>**IT, OT, or IoT devices with one or more NICs**, including network infrastructure devices such as switches and routers<br><br>**Note**: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.|
-|**Not identified as individual devices**     | The following items *aren't* considered as individual devices, and do not count against your license:<br><br>- **Public internet IP addresses** <br>- **Multi-cast groups**<br>- **Broadcast groups**<br>- **Inactive devices**<br><br> Network-monitored devices are marked as *inactive* when there's no network activity detected within a specified time:<br><br> - **OT networks**: No network activity detected for more than 60 days<br> - **Enterprise IoT networks**: No network activity detected for more than 30 days<br><br>**Note**: Endpoints already managed by Defender for Endpoint are not considered as separate devices by Defender for IoT.  |
+|**Identified as individual devices**     |    Devices identified as *individual* devices include:<br>**OT or BMS unmanaged devices with one or more NICs**, including network infrastructure devices such as switches and routers<br><br>**Note**: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.|
+|**Not identified as individual devices**     | The following items *aren't* considered as individual devices, and don't count against your license:<br><br>- **Public internet IP addresses** <br>- **Multi-cast groups**<br>- **Broadcast groups**<br>- **Inactive devices**<br><br> Network-monitored devices are marked as *inactive* when there's no network activity detected within a specified time:<br><br> - **OT networks**: No network activity detected for more than 60 days<br><br>**Note**: Endpoints already managed by Defender for Endpoint aren't considered as separate devices by Defender for IoT.  |
 
 ## Next steps
 

defender-for-iot/enterprise-iot-get-started.md

@@ -21,7 +21,7 @@ In this article you'll learn how to add enterprise IoT to your Microsoft Defende
 
 ## Prerequisites
 
-Make sure that you have:
+Before you start, you need:
 
 - IoT devices in your network, visible in the Microsoft Defender portal **Device inventory**
 

defender-for-iot/license-overview.md

@@ -9,32 +9,32 @@ ms.date: 08/01/2024
 ms.topic: overview
 ---
 
-# How the site-based license model works
+# The site-based license model
 
-The site-based license model offers a simplified approach to licensing by providing coverage for entire sites rather than individual devices. Customers can purchase annual licenses for their operational sites where Operational Technology (OT) devices are deployed, and receive security coverage for all devices within the site.  
+Our site-based license model streamlines your licensing needs by covering entire sites instead of individual devices. With this model, you can purchase annual licenses for your operational sites where Operational Technology (OT) devices are deployed. This ensures comprehensive security coverage for all devices within each site.
 
 [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
 
-## What defines a site?
+## Sites in Defender for IoT
 
 A site refers to a logical grouping of devices within your organization. It represents a specific physical location, such as a manufacturing facility, campus, office building, hospital, rig, or any other relevant site.
 
-## What are the different OT site-based licenses?
+## OT site-based licenses
 
 Licenses come in five different sizes, based on the number of devices at the site. The licenses range from the smallest tier that covers up to 100 devices per site, to the largest tier, which secures up to 5000 devices per site. For more information, see [license sizing details](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-iot-pricing#xfb84a030eec341cb84a6165f393e928a).
 
 The size of a site is determined by the maximum number of devices per site. Billing is based on the license tier, regardless of the number of devices actually discovered.
 
-## What if I need to change the number of devices for a site after making a purchase?  
+## Adjust the number of devices for a site
 
-Once a license is purchased, the number of devices cannot be adjusted until the renewal period. During the annual license renewal, you change to a different license tier for a site based on your updated discovered device count.
+Once a license is purchased, the number of devices can only be adjusted at the renewal period. During the annual license renewal, you can change to a different license tier for a site based on your updated discovered device count.
 
-## How to choose a license and assess the number of devices on-site?
+## Assess the number of devices at a site
 
 There are two methods for assessing the number of devices at your site. You could either utilize your OT network monitoring tools to detect and count the devices per site, or use previous knowledge of the number of devices at the site and update the license during the annual license renewal if needed.
 
 > [!Note]
-> All types of devices, both OT and IT, identified on your site should be included in the license. This includes endpoints managed by Microsoft Defender for Endpoint and devices detected by the Microsoft Defender for IoT sensors.
+> The license should cover all types of devices identified on your site, including both OT and IT devices. This includes endpoints managed by Microsoft Defender for Endpoint.
 
 ## Next steps
 

defender-for-iot/prerequisites.md

@@ -25,7 +25,7 @@ Before you start, you need:
 
     For more information, see [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses) and [About admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
 
-- A Microsoft 365 E5/ Defender for Endpoint Plan 2/ E5 security license.
+- A Microsoft 365 E5 or E5 security license or a Defender for Endpoint P2 license.
 
 - Microsoft Defender for Endpoint agents deployed in your environment. For more information, see [onboard Microsoft Defender for Endpoint](/defender-endpoint/onboarding).