Commit b8e1f86

Merge branch 'main' into docs-editor/schedule-antivirus-scans-power-1745624973
2 parents e27aab3 + c069b90 commit b8e1f86

52 files changed

+381
-151
lines changed

CloudAppSecurityDocs/caac-known-issues.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,9 @@ Session policies don't protect external business-to-business (B2B) collaboration
5454
## Session Controls with Non-Interactive Tokens
5555
Some applications utilize non-interactive access tokens to facilitate seamless redirection between apps within the same suite or realm. When one application is onboarded to Conditional Access App Control and the other is not, session controls may not be enforced as expected. For example, if the Teams client retrieves a non-interactive token for SharePoint Online (SPO), it can initiate an active session in SPO without prompting the user for reauthentication. As a result, the session control mechanism cannot intercept or enforce policies on these sessions. To ensure consistent enforcement, it's recommended to onboard all relevant applications, such as Teams, alongside SPO.
5656

57+
## IPv6 limitations
58+
Access and session policies support IPv4 only. If a request is made over IPv6, IP-based policy rules are not applied. This limitation applies when using both reverse proxy and Edge in-browser protection.
59+
5760
## Limitations for sessions that the reverse proxy serves
5861

5962
The following limitations apply only on sessions that the reverse proxy serves. Users of Microsoft Edge can benefit from in-browser protection instead of using the reverse proxy, so these limitations don't affect them.
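Review bot: the new IPv6 paragraph (the `58+` line) says IP-based rules "are not applied" over IPv6 but not what that means for the request: is the IP condition evaluated as not matching, so an IP-scoped block lets the request through, or is the request denied? A user on an IPv6-capable network is the obvious way around an IP-scoped policy, so the fail-open or fail-closed behaviour is the detail a reader needs. Suggest stating it explicitly and, if the answer is fail-open, adding what to do about it (for example, pair the IP condition with a different control).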
@@ -98,6 +101,7 @@ The following table lists example results when you define the **Block upload of
98101

99102
The following limitations apply only on sessions that are served with Edge in-browser protection.
100103

104+
101105
### Deep link is lost when user switches to Edge by clicking 'Continue in Edge'
102106

103107
A user who starts a session in a browser other than Edge, is prompted to switch to Edge by clicking the ‘Continue in Edge’ button.
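Review bot: whitespace-only change; while here, the heading on the `101105` line writes 'Continue in Edge' in straight quotes and the body line below it uses curly quotes (‘Continue in Edge’). Pick one style for the button name.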

CloudAppSecurityDocs/cas-compliance-trust.md

Lines changed: 3 additions & 0 deletions
@@ -21,6 +21,9 @@ Microsoft Defender for Cloud Apps collects information from your configured clou
2121
- System settings and policies
2222
- User and group configurations
2323

24+
> [!NOTE]
25+
> The data collected from the various applications is dependent on the customer-provided data from the various applications and may include personal information.
26+
2427
## Data storage location
2528

2629
Defender for Cloud Apps operates in the Microsoft Azure data centers in the following geographical regions:
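Review bot: the new NOTE repeats "the various applications" twice in one sentence ("The data collected from the various applications is dependent on the customer-provided data from the various applications"). Suggest: "> The data collected depends on what each connected application provides to Defender for Cloud Apps and may include personal information."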

CloudAppSecurityDocs/mde-govern.md

Lines changed: 2 additions & 1 deletion
@@ -120,7 +120,8 @@ To block an app, do the following steps:
120120
> - Any organizational scoping that was set manually on indicators that were created by Defender for Cloud Apps before the release of this feature will be overridden by Defender for Cloud Apps. The required scoping should be set from the Defender for Cloud Apps experience using the scoped profiles experience.
121121
> - To remove a selected scoping profile from an unsanctioned app, remove the unsanctioned tag and then tag the app again with the required scoped profile.
122122
> - It can take up to two hours for app domains to propagate and be updated in the endpoint devices once they're marked with the relevant tag or/and scoping.
123-
> - When an app is tagged as *Monitored*, the option to apply a scoped profile shows only if the built-in *Win10 Endpoint Users* data source has consistently recieved data during the past 30 days.
123+
> - When an app is tagged as *Monitored*, the option to apply a scoped profile shows only if the built-in *Win10 Endpoint Users* data source has consistently received data during the past 30 days.
124+
> - Device groups in Microsoft Defender for Business(MDB) are managed differently. Due to this- No device groups will appear in MDA device groups for customers with MDB license.
124125
125126
## Educate users when accessing risky apps
126127
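Review bot: the new bullet on the `124+` line has a missing space before "(MDB)", a stray hyphen after "Due to this", a capitalised "No" mid-sentence, and it introduces the abbreviation "MDA", which the surrounding bullets never define (they say "Defender for Cloud Apps"). Suggest: "> - Device groups in Microsoft Defender for Business (MDB) are managed differently, so no device groups appear in the Defender for Cloud Apps device group list for customers with an MDB license."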

CloudAppSecurityDocs/protect-github.md

Lines changed: 3 additions & 7 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Protect your GitHub Enterprise environment | Microsoft Defender for Cloud Apps
33
description: Learn how about connecting your GitHub Enterprise app to Defender for Cloud Apps using the API connector.
4-
ms.date: 12/05/2023
4+
ms.date: 04/27/2025
55
ms.topic: how-to
66
---
77
# How Defender for Cloud Apps helps protect your GitHub Enterprise environment
@@ -85,10 +85,6 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
8585

8686
1. **Create an OAuth App for Defender for Cloud Apps to connect your GitHub organization.** Repeat this step for each additional connected organization.
8787

88-
> [!NOTE]
89-
> If you have [preview features](/microsoft-365/security/defender/preview) and [app governance turned on](app-governance-get-started.md), use the **App governance** page instead of the **OAuth apps** page to perform this procedure.
90-
>
91-
9288
1. Browse to **Settings** > **Developer settings**, select **OAuth Apps**, and then select **Register an application**. Alternatively, if you have existing OAuth apps, select **New OAuth App**.
9389

9490
![Screenshot showing creating an oauth app.](media/connect-github-create-oauth-app.png)
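Review bot: the deleted NOTE (lines `88-` to `91-`) was the only guidance for readers who have preview features and app governance turned on, and the hunk removes it without saying whether those readers should now use the OAuth apps page like everyone else. If the App governance path no longer applies to this procedure, the removal is right, but a one-line statement of that (here or in the commit message) would save readers who remember the old instruction from looking for the App governance page.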
@@ -129,8 +125,8 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
129125

130126
1. Select the **GitHub Profile picture** -> **your enterprises**.
131127
1. Select **your enterprise account** and choose the account you want to connect to Microsoft Defender for Cloud Apps.
132-
1. Confirm that the URL is the enterprise slug. For instance, in this example `https://github.com/enterprises/testEnterprise` *testEnterprise* is the enterprise slug. Enter only the enterprise slug, not the entire URL.
133-
128+
1. Confirm that the URL contains the enterprise slug. For instance, `https://github.com/enterprises/testEnterprise`
129+
2. Enter only the enterprise slug, not the entire URL. In this example, *testEnterprise* is the enterprise slug.
134130
1. Select **Next**.
135131

136132
1. Select **Connect GitHub**.
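Review bot: the new step on the `129+` line is numbered `2.` while every other item in this list uses `1.` (the file relies on Markdown auto-numbering); use `1.` here as well so the rendered step numbers stay consistent. Splitting the original sentence into "confirm the URL" and "enter only the slug" is a good change.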

CloudAppSecurityDocs/protect-servicenow.md

Lines changed: 8 additions & 7 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
33
description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
4-
ms.date: 12/12/2024
4+
ms.date: 04/28/2025
55
ms.topic: how-to
66
---
77

@@ -152,14 +152,15 @@ For more information, see the [ServiceNow product documentation](https://docs.se
152152

153153
1. Select **Update**.
154154

155-
1. Establish an internal procedure to ensure that the connection remains alive. A couple of days before the expected expiration of the refresh token lifespan.
156-
Revoke to the old refresh token. We don't recommend keeping old keys for security reasons.
157-
158-
1. On the ServiceNow pane, search for **System OAuth**, and then select **Manage Tokens**.
159-
155+
1. Establish an internal procedure to ensure that the connection remains active.
156+
1. Before the expected expiration of the refresh token, revoke the old refresh token.
157+
1. In the ServiceNow portal, search for **System OAuth**, and then select **Manage Tokens**.
160158
1. Select the old token from the list according to the OAuth name and expiration date.
161-
162159
1. Select **Revoke Access > Revoke**.
160+
1. In the Microsoft Defender Portal edit the existing connector, using the same client ID and client secret. This will generate a new refresh token.
161+
162+
> [!NOTE]
163+
> This is a recurring process every 90 days. Without this, the ServiceNow connection will stop working.
163164
164165
1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.
165166

CloudAppSecurityDocs/troubleshooting-proxy-url.md

Lines changed: 6 additions & 4 deletions
@@ -20,7 +20,7 @@ For example, Contoso protects its environment using conditional access app contr
2020
So even though Fabrikam doesn't actually use Defender for Cloud Apps, they see the DNS entry or certificate because Contoso does.
2121

2222
> [!NOTE]
23-
> You may also see the following domains in the transparency logs:
23+
> You might also see the following domains in the transparency logs:
2424
>
2525
> - `*.admin-rs-mcas.ms`
2626
> - `*.rs-mcas.ms`
@@ -39,11 +39,12 @@ So even though Fabrikam doesn't actually use Defender for Cloud Apps, they see t
3939
> - `*.admin-mcas-gov-df.ms`
4040
> - `*.mcas-gov-df.ms`
4141
42+
4243
## Here's why you see `*.mcas.ms`, `*.mcas-gov.us`, or `*.mcas-gov.ms` in your URL
4344

4445
This kind of URL is expected and indicates that your organization applies extra security controls to protect business-critical data.
4546

46-
They do this by using Defender for Cloud Apps, a solution for protecting your organization's cloud environment, to replace all relevant URLs and cookies relating to cloud apps that you use.
47+
They do this by using Defender for Cloud Apps, a solution for protecting your organization's cloud environment, to replace all relevant URLs, and cookies relating to cloud apps that you use.
4748

4849
So when you try accessing a cloud app such as Salesforce, SharePoint Online, or AWS, you notice that its URL is suffixed with `.mcas.ms`, `.mcas-gov.us`, or `.mcas-gov.ms`. For example, when using the XYZ app, the URL you're used to seeing changes from `XYZ.com` to `XYZ.com.mcas.ms`.
4950
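Review bot: the comma inserted on the `47+` line ("to replace all relevant URLs, and cookies relating to cloud apps") splits a two-item compound object and reads as a mistake; the original "URLs and cookies" was correct. If the goal was to tighten the sentence, try "to replace the URLs and cookies of the cloud apps that you use."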

@@ -52,10 +53,11 @@ If the URL doesn't exactly match one of the replacement patterns, such as `<app_
5253
If you don't recognize the remaining portion of the URL, such as **myurl.com**.mcas.ms, as associated with any of your business apps, we recommend that you investigate the issue further and consider blocking the URL to avoid any potential security risks.
5354

5455
> [!NOTE]
55-
> Microsoft Edge users benefit from in-browser protection, and are not redirected to a reverse proxy. Your URLs retain their original syntax in Microsoft Edge, even when access and sessions are protected by Defender for Cloud Apps. For more information, see [In-browser protection with Microsoft Edge for Business (Preview)](in-browser-protection.md).
56+
> Microsoft Edge users benefit from in-browser protection, and aren't redirected to a reverse proxy. Your URLs retain their original syntax in Microsoft Edge, even when access and sessions are protected by Defender for Cloud Apps. For more information, see [In-browser protection with Microsoft Edge for Business (Preview)](in-browser-protection.md).
5657
5758
## Related content
5859

60+
- [Known limitations in Conditional Access app control](caac-known-issues.md)
5961
- [Protect apps with Microsoft Defender for Cloud Apps Conditional Access app control](proxy-intro-aad.md)
6062
- [Troubleshooting access and session controls for admin users](troubleshooting-proxy.md)
61-
- [Troubleshooting access and session controls for end-users](troubleshooting-proxy-end-users.md)
63+
- [Troubleshooting access and session controls for end-users](troubleshooting-proxy-end-users.md)

defender-endpoint/behavior-monitor.md

Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ ms.topic: conceptual
1010
ms.service: defender-endpoint
1111
ms.subservice: ngp
1212
ms.localizationpriority: medium
13-
ms.date: 03/25/2025
13+
ms.date: 04/29/2025
1414
search.appverid: met150
1515
---
1616

@@ -69,7 +69,7 @@ The following table shows the different ways to configure behavior monitoring.
6969
| CSP | AllowBehaviorMonitoring | [Defender Policy CSP](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) |
7070
| Configuration Manager Tenant Attach | Turn on behavior monitoring | [Windows Antivirus policy settings from Microsoft Defender Antivirus for tenant attached devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach#real-time-protection) |
7171
| Group Policy | Turn on behavior monitoring | [Download Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2)](https://www.microsoft.com/download/details.aspx?id=105668) |
72-
| PowerShell | Set-Preference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
72+
| PowerShell | Set-MpPreference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
7373
| WMI | boolean DisableBehaviorMonitoring; | [MSFT\_MpPreference class](/previous-versions/windows/desktop/defender/msft-mppreference) |
7474

7575
If you use Microsoft Defender for Business, see [Review or edit your next-generation protection policies in Microsoft Defender for Business](/defender-business/mdb-next-generation-protection).
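Review bot: good catch on the cmdlet name, but `DisableBehaviorMonitoring` on Set-MpPreference is a Boolean parameter, not a switch, so `Set-MpPreference -DisableBehaviorMonitoring` as written on the `72+` line fails with a missing-argument error. Since the table lists ways to turn behavior monitoring on, the cell should show the value that does so: `Set-MpPreference -DisableBehaviorMonitoring $false`.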

defender-endpoint/mde-linux-prerequisites.md

Lines changed: 8 additions & 10 deletions
@@ -68,10 +68,14 @@ For detailed licensing information, see [Product Terms: Microsoft Defender for E
6868

6969
The following Linux server distributions and x64 (AMD64/EM64T) versions are supported:
7070

71-
- Red Hat Enterprise Linux 7.2 or higher
71+
- Red Hat Enterprise Linux 7.2 and higher
72+
7273
- Red Hat Enterprise Linux 8.x
7374
- Red Hat Enterprise Linux 9.x
74-
- CentOS 7.2 or higher, excluding CentOS Stream
75+
- CentOS 7.2 and higher, excluding CentOS Stream
76+
77+
- CentOS 8.x
78+
7579
- Ubuntu 16.04 LTS
7680
- Ubuntu 18.04 LTS
7781
- Ubuntu 20.04 LTS
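Review bot: the blank lines inserted after the "Red Hat Enterprise Linux 7.2 and higher" and "CentOS 7.2 and higher" items (`72+`, `76+`, `78+`) fall inside a single bullet list; Markdown renders a list with blank lines between some items as a loose list, so those items get paragraph spacing while the rest don't. Drop the blank lines (the Oracle Linux hunk below adds one of the same kind). Changing "or higher" to "and higher" gains nothing and "or higher" is the more common phrasing; either is fine as long as it's applied consistently.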
@@ -80,7 +84,8 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
8084
- Debian 9 - 12
8185
- SUSE Linux Enterprise Server 12.x
8286
- SUSE Linux Enterprise Server 15.x
83-
- Oracle Linux 7.2 or higher
87+
- Oracle Linux 7.2 and higher
88+
8489
- Oracle Linux 8.x
8590
- Oracle Linux 9.x
8691
- Amazon Linux 2
@@ -174,13 +179,6 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
174179
- For RHEL6 the mdatp RPM package requires `policycoreutils`, `libselinux`, and `mde-netfilter`.
175180
- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, and `mde-netfilter`.
176181

177-
> [!NOTE]
178-
> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
179-
> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or older, the following additional dependency on the auditd package exists for mdatp:
180-
> - The mdatp RPM package requires `audit`, `semanage`.
181-
> - For DEBIAN, the mdatp package requires `auditd`.
182-
> - For Mariner, the mdatp package requires `audit`.
183-
184182
The `mde-netfilter` package also has the following package dependencies:
185183

186184
- For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`
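Review bot: deleting the NOTE removes the only statement of the extra `audit`/`auditd`/`semanage` package dependencies for Defender for Endpoint on Linux version 101.24072.0001 or older, and the only mention that 101.24082.0004 and later use eBPF instead of auditd. This section is about install failures caused by missing dependencies, so a reader still on an older build who hits exactly that failure loses the answer. If those versions are out of support, say so here in one line; otherwise keep the dependency list and just update the wording.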

defender-endpoint/uefi-scanning-in-defender-for-endpoint.md

Lines changed: 2 additions & 2 deletions
@@ -26,7 +26,7 @@ Recently, Microsoft Defender for Endpoint extended its protection capabilities t
2626

2727
Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that's hard to detect, posing a significant risk to an organization's security posture.
2828

29-
[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like [hypervisor-level attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows), also known as Dynamic Root of Trust (DRTM), which are enabled by default in [Secured-core PCs](https://www.microsoft.com/windowsforbusiness/windows10-secured-core-computers). The new UEFI scan engine in Defender for Endpoint expands on these protections by making firmware scanning broadly available.
29+
[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like [hypervisor-level attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows), also known as Dynamic Root of Trust (DRTM), which are enabled by default in [Secured-core PCs](https://www.microsoft.com/windows/business/windows-11-secured-core-computers). The new UEFI scan engine in Defender for Endpoint expands on these protections by making firmware scanning broadly available.
3030

3131
The UEFI scanner is a new component of the [built-in antivirus](microsoft-defender-antivirus-windows.md) solution on Windows 10 and newer versions, and gives Defender for Endpoint the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Defender for Endpoint.
3232

@@ -108,7 +108,7 @@ AlertStats
108108

109109
The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered security solutions at the OS level.
110110

111-
Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers), seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint protection.
111+
Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in [Secured-core PCs](https://www.microsoft.com/windows/business/windows-11-secured-core-computers), seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint protection.
112112

113113
With its UEFI scanner, [Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Defender for Endpoint, to investigate and contain such advanced attacks.
114114
