Merge pull request #3623 from MicrosoftDocs/main

[AutoPublish] main to live - 04/30 04:28 PDT | 04/30 16:58 IST

Author: padmagit77

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 04/04/2025
+ms.date: 04/30/2025
 search.appverid: met150
 ---
 
@@ -253,8 +253,8 @@ For rules with the "Rule State" specified:
 
 > [!NOTE]
 > To protect your environment from vulnerable drivers, you should first implement these:
-> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
-> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
+> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
+> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
 > For Windows 11 or later, and Windows Server core 1809 or later, or Windows Server 2019 or later, you should also enable [Microsoft Windows vulnerable driver blocklist](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), 
 > Then as another layer of defense, you should enable this attack surface reduction rule.
 
@@ -544,7 +544,9 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 > [!NOTE]
-> If `CcmExec.exe` (SCCM Agent) is detected on the device, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. 
+> If you're utilizing Configuration Manager (CM, previously known as MEMCM or SCCM) with CcmExec.exe` (SCCM Agent), we recommend running it in audit mode for at least 60 days. 
+> Once you're prepared to switch to block mode, ensure you deploy the appropriate ASR rules, considering any necessary rule exclusions.
+
 
 Intune name: `Persistence through WMI event subscription`
 

defender-endpoint/linux-install-manually.md

@@ -205,13 +205,13 @@ In order to preview new features and provide early feedback, it's recommended th
 
 6. Install the Microsoft GPG public key:
 
-   - For Debian 11 and earlier, run the following command.
+   - For Debian 11/Ubuntu 22.04 and earlier, run the following command.
 
       ```bash
       curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
       ```
 
-   - For Debian 12 and later, run the following command.
+   - For Debian 12/Ubuntu 24.04 and later, run the following command.
 
       ```bash
       curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null

defender-endpoint/schedule-antivirus-scans-powershell.md

@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 author: emmwalshh
 ms.author: ewalsh
 ms.custom: nextgen
-ms.date: 04/29/2025
+ms.date: 04/30/2025
 ms.reviewer: pauhijbr, ksarens
 manager: deniseb
 ms.subservice: ngp
@@ -44,11 +44,15 @@ Set-MpPreference -ScanScheduleQuickScanTime
 > [!NOTE]
 > The time value is represented as the number of minutes past midnights (00:00 or 12:00 a.m.), For example, 120 is equivalent to 2:00 AM.  The schedule is based on local time on the device where the scan is executing. 
 
-For example, to set a daily quick scan run on the Windows clients at 12:00 PM. (720). In this example, we use lunch time, since many devices nowadays are turned off after-hours (For example, laptops and/or tablets).
+To set a daily quick scan run on the Windows clients at 12:00 PM. (720). In this example, we use lunch time, since many devices nowadays are turned off after-hours (For example, laptops and/or tablets).
 
 ```powershell
 Set-MpPreference -ScanScheduleQuickScanTime 720
 ```
+To disable the daily quick scan, set this value to 0
+```powershell
+Set-MpPreference -ScanScheduleQuickScanTime 0
+```
 
 ## Use PowerShell cmdlets to scheduling weekly quick or full scans
 
@@ -121,6 +125,7 @@ Set-MpPreference -ScanScheduleOffset 720
 |Disable CPU throttle on idle scans|Enabled/Not Configured (Default)|Set-MpPreference -DisableCpuThrottleOnIdleScans `Boolean` <br>For example: Set-MpPreference -DisableCpuThrottleOnIdleScans $True Idle here means 90% of CPU utilization or below|
 |Enable Low CPU Priority|Disabled/Not Configured (Default)|Set-MpPreference -EnableLowCpuPriority `Boolean` <br>For example: Set-MpPreference -EnableLowCpuPriority $False|
 |Disable Catchup Full Scan|Disabled/Not Configured (Default)|Set-MpPreference -DisableCatchupFullScan `Boolean` <br>For example: Set-MpPreference -DisableCatchupFullScan $True|
+|Disable Catchup Quick Scan|Disabled/Not Configured (Default)|Set-MpPreference -DisableCatchupQuickScan `Boolean` <br>For example: Set-MpPreference -DisableCatchupQuickScan $True|
 |Enable full scan on battery power|Disabled/Not Configured (Default)|Set-MpPreference -EnableFullScanOnBatteryPower `Boolean` <br>For example: Set-MpPreference -EnableFullScanOnBatteryPower $False|
 
 For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Fschedule-antivirus-scans-powershell.md/main/bcb7536e-34b9-8af7-5381-96c46d108a91/use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/).

defender-endpoint/schedule-antivirus-scans.md

@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 author: emmwalshh
 ms.author: ewalsh
 ms.custom: nextgen
-ms.date: 02/05/2025
+ms.date: 04/30/2025
 ms.reviewer: pauhijbr, ksarens, yongrhee, bsabetghadam
 manager: deniseb
 ms.subservice: ngp
@@ -57,6 +57,12 @@ Use the following table to choose a scan type. Also see [Microsoft Defender Anti
 
 ## Important points to keep in mind
 
+- You can configure two types of scheduled scans:
+
+    1. **Daily Scan**: Runs once per day and can only be a **quick scan**.
+
+    2. **Weekly Scan**: Runs once per week and can be either a **quick scan** or a **full scan**.
+
 - By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
 
 - If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.