Merge branch 'main' into patch-4

Author: chrisda

defender-endpoint/assign-portal-access.md

@@ -13,7 +13,7 @@ ms.collection:
 - m365-security
 - tier2
 ms.topic: conceptual
-ms.date: 06/25/2024
+ms.date: 01/28/2025
 ---
 
 # Assign user access 
@@ -36,18 +36,22 @@ Defender for Endpoint supports two ways to manage permissions:
 
 - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
 
+> [!IMPORTANT]
+> Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC).
+> Existing customers keep their current roles and permissions. For more information, see URBAC [Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint](/defender-xdr/manage-rbac).
+
 ## Change from basic permissions to RBAC
 
-If you have already assigned basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:
+If you have basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:
 
-- Users who have full access (users who are assigned either the Global Administrator or Security Administrator directory role in Microsoft Entra ID) are automatically assigned the default Defender for Endpoint administrator role, which also has full access. 
+- Users who have full access are automatically assigned the default Defender for Endpoint administrator role.
 - Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.
 - Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC. 
-- Users who have read-only access (Security Readers) lose access to the portal until they are assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.
+- Users who have read-only access (Security Readers) lose access to the portal until they're assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.
 - After switching to RBAC, you can't switch back to using basic permissions management.
 
 > [!IMPORTANT]
-> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+> Microsoft recommends that you use roles with the fewest permissions as it helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ## Related articles
 

defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md

@@ -9,7 +9,7 @@ ms.custom: nextgen
 ms.reviewer: pahuijbr
 manager: deniseb
 ms.subservice: ngp
-ms.date: 12/26/2024
+ms.date: 02/18/2025
 ms.collection: 
 - m365-security
 - tier2
@@ -34,46 +34,49 @@ For more information, see [Configure device restriction settings in Microsoft In
 
 ## Use Microsoft Configuration Manager to configure scanning options
 
-For details on configuring Microsoft Configuration Manager (current branch), see [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings).
+For details on configuring Microsoft Configuration Manager (current branch), see [How to create and deploy anti-malware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings).
 
 ## Use Group Policy to configure scanning options
 
 > [!TIP]
-> Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows. You can configure refer to the spreadsheet when you edit Group Policy Objects. Here are the most recent versions:
+> Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered for Windows. Refer to the spreadsheet when you edit Group Policy Objects. Here are the most recent versions:
 > - [Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/details.aspx?id=101451)
 > - [Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2)](https://www.microsoft.com/download/details.aspx?id=103506)
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
 
 2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
 
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
 
 4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**, and then select a location (refer to [Settings and locations](#settings-and-locations) in this article).
 
 5. Edit the policy object.
 
-6. Click **OK**, and repeat for any other settings.
+6. Select **OK**, and repeat for any other settings.
 
 ### Settings and locations
 
 |Policy item and location|Default setting <br/>(if not configured)|PowerShell `Set-MpPreference` parameter <br/>or WMI property for `MSFT_MpPreference` class|
 |---|---|---|
-|Email scanning <br/> **Scan** \> **Turn on e-mail scanning**<br/>See [Email scanning limitations](#email-scanning-limitations) (in this article)|Disabled|`-DisableEmailScanning`|
-| Script scanning | Enabled  | This policy setting allows you to configure script scanning. If you enable or do not configure this setting, script scanning is enabled. <br/><br/>See [Defender/AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender)  | 
-|Scan [reparse points](/windows/win32/fileio/reparse-points) <br/> **Scan** \> **Turn on reparse point scanning**|Disabled|Not available <br/>See [Reparse points](/windows/win32/fileio/reparse-points)|
-|Scan mapped network drives<br/>**Scan** \> **Run full scan on mapped network drives**|Disabled|`-DisableScanningMappedNetworkDrivesForFullScan`|
-|Scan archive files (such as .zip or .rar files). <br/>**Scan** \> **Scan archive files**|Enabled|`-DisableArchiveScanning` <br/><br/>The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting.|
-|Scan files on the network <br/>**Scan** \> **Scan network files**|Disabled|`-DisableScanningNetworkFiles`|
-|Scan packed executables<br/>**Scan** \> **Scan packed executables**|Enabled|Not available <br/><br/>Scan packed executables were removed from the following templates:<br/>- Administrative Templates (.admx) for Windows 11 2023 Update (23H2)<br/>- Administrative Templates (.admx) for Windows 11 2022 Update (22H2) - v3.0 <br/>- Administrative Templates (.admx) for Windows 11 2022 Update (22H2)<br/>- Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)|
-|Scan removable drives during full scans only<br/>**Scan** \> **Scan removable drives**|Disabled|`-DisableRemovableDriveScanning`|
-|Specify the level of subfolders within an archive folder to scan <p>**Scan** \> **Specify the maximum depth to scan archive files**|0|Not available|
-|Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** \> **Specify the maximum percentage of CPU utilization during a scan**|50|`-ScanAvgCPULoadFactor`<br/><br/> The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manual scans ignore this setting and run without any CPU limits.|
-|Specify the maximum size (in kilobytes) of archive files that should be scanned.<br/>**Scan** \> **Specify the maximum size of archive files to be scanned**|No limit|Not available <br/><br/>The default value of 0 applies no limit|
-|Configure low CPU priority for scheduled scans<br/>**Scan** \> **Configure low CPU priority for scheduled scans**|Disabled|Not available|
+|Email scanning <br/> **Scan** > **Turn on e-mail scanning**<br/>See [Email scanning limitations](#email-scanning-limitations) (in this article)|Disabled|`-DisableEmailScanning`|
+| Script scanning | Enabled  | This policy setting allows you to configure script scanning. If you enable or don't configure this setting, script scanning is enabled. <br/><br/>See [Defender/AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender)  |
+|Scan [reparse points](/windows/win32/fileio/reparse-points) <br/> **Scan** > **Turn on reparse point scanning**|Disabled|Not available <br/>See [Reparse points](/windows/win32/fileio/reparse-points)|
+|Scan mapped network drives<br/>**Scan** > **Run full scan on mapped network drives**|Disabled|`-DisableScanningMappedNetworkDrivesForFullScan`|
+|Scan archive files (such as .zip or .rar files). <br/>**Scan** > **Scan archive files**|Enabled|`-DisableArchiveScanning` <br/><br/>The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) takes precedence over this setting.|
+|Scan files on the network <br/>**Scan** > **Scan network files**|Disabled|`-DisableScanningNetworkFiles`|
+|Scan packed executables<br/>**Scan** > **Scan packed executables**|Enabled|Not available <br/><br/>Scan packed executables were removed from the following templates:<br/>- Administrative Templates (.admx) for Windows 11 2023 Update (23H2)<br/>- Administrative Templates (.admx) for Windows 11 2022 Update (22H2) - v3.0 <br/>- Administrative Templates (.admx) for Windows 11 2022 Update (22H2)<br/>- Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)|
+|Scan removable drives during full scans only<br/>**Scan** > **Scan removable drives**|Disabled|`-DisableRemovableDriveScanning`|
+|Specify the level of subfolders within an archive folder to scan <p>**Scan** > **Specify the maximum depth to scan archive files**|0|Not available|
+|Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** > **Specify the maximum percentage of CPU utilization during a scan**|50|`-ScanAvgCPULoadFactor`<br/><br/> The maximum CPU load isn't a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manual scans ignore this setting and run without any CPU limits.|
+|Specify the maximum size (in kilobytes) of archive files that should be scanned.<br/>**Scan** > **Specify the maximum size of archive files to be scanned**|No limit|Not available <br/><br/>The default value of 0 applies no limit|
+|Configure low CPU priority for scheduled scans<br/>**Scan** > **Configure low CPU priority for scheduled scans**|Disabled|Not available|
+|Configure scanning of network files <br/>**Scan** > **Configure scanning of network files**|Enabled|-DisableScanningNetworkFiles|
+|CPU throttling type <br/>**Scan** > **CPU throttling type**|Disabled|-ThrottleForScheduledScanOnly |
+|Scan excluded files and directories during quick scan <br/>**Scan** > **Scan excluded files and directories during quick scan**|Disabled|Not available|
 
 > [!NOTE]
-> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan also includes network shares.
+> If real-time protection is turned on, files are scanned before they're accessed and executed. The scanning scope includes all files, such as files on mounted removable media, like USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan also includes network shares.
 
 > [!TIP]
 > If you have a Network-Attached Storage (NAS) or Storage Area Network (SAN), you can use Internet Content Adaption Protocol (ICAP) scanning with the Microsoft Defender Antivirus engine. For more information, see **[Tech Community Blog: MetaDefender ICAP with Windows Defender Antivirus: World-class security for hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/metadefender-icap-with-windows-defender-antivirus-world-class/ba-p/800234)**.
@@ -97,7 +100,7 @@ Email scanning enables scanning of email files used by Outlook and other mail cl
 - `MBX`
 - `MIME`
 
-`PST` files used by Outlook 2003 or older (where the archive type is set to non-unicode) are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are detected inside `PST` files.
+`PST` files used by Outlook 2003 or older (where the archive type is set to nonunicode) are also scanned, but Microsoft Defender Antivirus can't remediate threats that are detected inside `PST` files.
 
 If Microsoft Defender Antivirus detects a threat inside an email message, the following information is displayed to assist you in identifying the compromised email so you can remediate the threat manually:
 

defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md

@@ -3,7 +3,7 @@ title: Configure custom exclusions for Microsoft Defender Antivirus
 description: You can exclude files (including files modified by specified processes) and folders from Microsoft Defender Antivirus scans.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 01/27/2025
+ms.date: 02/18/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.custom: nextgen
@@ -36,6 +36,13 @@ Custom exclusions apply to [scheduled scans](schedule-antivirus-scans.md), [on-d
 > [!TIP]
 > For a detailed overview of suppressions, submissions, and exclusions across Microsoft Defender Antivirus and Defender for Endpoint, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
 
+## Hide the antivirus exclusions from users and/or local administrators
+
+| Setting | Description | Default value |
+| -------- | -------- | -------- |
+|**Configure if exclusions are visible to Local Admins** | - **Disabled (Default)**:  If you disable or don't configure this setting, Local Admins are able to see exclusions in the Windows Security App or via PowerShell. <br> - **Enabled**: If this setting is enabled, Local Admins no longer see the exclusion list in Windows Security App or via PowerShell.  <br> - Please note that applying this setting won't remove exclusions, it prevents them from being visible to Local Admins. This is reflected in Get-MpPreference. <br>  | Disabled |
+|**Configure whether exclusions are visible to local users** | - Use this policy setting to configure whether or not exclusions are visible to Local Admins (HideExclusionsFromLocalAdmins).  | Disabled |
+
 ## Configure and validate exclusions
 
 > [!CAUTION]
@@ -45,11 +52,13 @@ Custom exclusions apply to [scheduled scans](schedule-antivirus-scans.md), [on-d
 If you're using Microsoft Intune to manage Microsoft Defender Antivirus or Microsoft Defender for Endpoint, use the following procedures to define exclusions:
 
 - [Configure custom exclusions for Microsoft Defender Antivirus](#configure-custom-exclusions-for-microsoft-defender-antivirus)
+  - [Hide the antivirus exclusions from users and/or local administrators.](#hide-the-antivirus-exclusions-from-users-andor-local-administrators)
   - [Configure and validate exclusions](#configure-and-validate-exclusions)
       - [Manage antivirus exclusions in Intune (for existing policies)](#manage-antivirus-exclusions-in-intune-for-existing-policies)
       - [Create a new antivirus policy with exclusions in Intune](#create-a-new-antivirus-policy-with-exclusions-in-intune)
   - [Important points about exclusions](#important-points-about-exclusions)
   - [Audit antivirus exclusions on Exchange systems](#audit-antivirus-exclusions-on-exchange-systems)
+  - [See also](#see-also)
 
 If you're using another tool, such as Configuration Manager or Group Policy, or you want more detailed information about custom exclusions, see these articles:
 
@@ -114,7 +123,7 @@ Remember these important points:
 
 ## Audit antivirus exclusions on Exchange systems
 
-Microsoft Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange (see [Running Windows antivirus software on Exchange servers](/exchange/antispam-and-antimalware/windows-antivirus-software)). It's highly recommended to install these updates and make sure that AMSI is working properly. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).  
+Microsoft Exchange has supported integration with the anti-malware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange (see [Running Windows antivirus software on Exchange servers](/exchange/antispam-and-antimalware/windows-antivirus-software)). It's highly recommended to install these updates and make sure that AMSI is working properly. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).  
 
 Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus exclusions on Exchange systems and assessing whether exclusions can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Intune.
 

defender-endpoint/defender-endpoint-plan-1.md

@@ -2,15 +2,15 @@
 title: Overview of Microsoft Defender for Endpoint Plan 1
 description: Get an overview of Defender for Endpoint Plan 1. Learn about the features and capabilities included in this endpoint protection subscription.
 search.appverid: MET150 
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 manager: deniseb 
 audience: ITPro
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: onboard
 ms.localizationpriority: medium
-ms.date: 02/04/2025
+ms.date: 02/13/2025
 ms.reviewer: shlomiakirav
 f1.keywords: NOCSH
 ms.collection: 
@@ -170,6 +170,10 @@ Using role-based access control (RBAC), your security administrator can create r
 
 To learn more, see [Manage portal access using role-based access control](rbac.md).
 
+> [!IMPORTANT]
+> Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC).
+> Existing customers keep their current roles and permissions. For more information, see URBAC [Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint](/defender-xdr/manage-rbac)
+
 ### Reporting
 
 The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) provides easy access to information about detected threats and actions to address those threats. 

defender-endpoint/defender-endpoint-trial-user-guide.md

@@ -73,6 +73,10 @@ To make sure your Defender for Endpoint subscription is properly provisioned, yo
 
 ## Step 2: Set up role-based access control and grant permissions to your security team
 
+> [!IMPORTANT]
+> Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC).
+> Existing customers keep their current roles and permissions. For more information, see URBAC [Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint](/defender-xdr/manage-rbac)
+
 Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Microsoft Entra ID. [Review the different roles that are available](/azure/active-directory/roles/permissions-reference) and choose appropriate roles for your security team. Some roles might need to be applied temporarily and removed after the trial is finished.
 
 Use [Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure) to manage your roles to provide extra auditing, control, and access review for users with directory permissions.