Merge branch 'main' into US317434_CAPs

Author: DebLanger

defender-endpoint/TOC.yml

@@ -896,7 +896,7 @@
         - name: Troubleshooting mode scenarios
           href: troubleshooting-mode-scenarios.md
 
-      - name: Diagnostics and performance for Microsoft Defender Antivirus
+      - name: Diagnostics for Microsoft Defender Antivirus
         items:
         - name: Device health reports
           href: device-health-reports.md
@@ -907,18 +907,23 @@
             href: device-health-sensor-health-os.md
         - name: Microsoft Defender Core service overview
           href: microsoft-defender-core-service-overview.md
-          displayName: Microsoft Defender Core service overview
         - name: Microsoft Defender Core service configurations and experimentation 
           href: microsoft-defender-core-service-configurations-and-experimentation.md
-        - name: Troubleshoot performance issues related to real-time protection
-          href: troubleshoot-performance-issues.md
         - name: Collect diagnostic data of Microsoft Defender Antivirus
           href: collect-diagnostic-data.md
-        - name: Improve performance of Microsoft Defender Antivirus
-          href: tune-performance-defender-antivirus.md
 
       - name: Troubleshooting Microsoft Defender Antivirus
         items:
+        - name: Troubleshoot Microsoft Defender Antivirus performance issues
+          items:
+          - name: Performance analyzer for Microsoft Defender Antivirus
+            href: tune-performance-defender-antivirus.md
+          - name: Performance analyzer reference
+            href: performance-analyzer-reference.md
+            displayName: high cpu msmpeng.exe antimalware engine microsoft defender
+              antivirus windows defender antivirus
+          - name: Troubleshoot performance issues related to real-time protection
+            href: troubleshoot-performance-issues.md
         - name: Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
           href: troubleshoot-microsoft-defender-antivirus.yml
         - name: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution

defender-endpoint/android-configure.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: android
 search.appverid: met150
-ms.date: 10/18/2024
+ms.date: 11/22/2024
 ---
 
 # Configure Defender for Endpoint on Android features
@@ -57,7 +57,7 @@ This feature provides protection against rogue Wi-Fi related threats and rogue c
 
 It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center and add trusted certificates. Admins can enable [privacy controls](android-configure.md#privacy-controls) to configure the data sent to Defender for Endpoint from Android devices.
 
-Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to **configure Network protection in Android devices.**
+Network protection in Microsoft Defender for endpoint is enabled by default. Admins can use the following steps to **configure Network protection in Android devices.**
 
 In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy.
 

defender-endpoint/android-intune.md

@@ -27,18 +27,19 @@ ms.date: 11/15/2024
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
-**Ending support for Device Administrator enrolled devices**
-
-Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024.
-
-**For devices with access to GMS**
-
-After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: 
-
-- Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
-- Intune and Defender for Endpoint technical support will no longer support these devices.
+> [!IMPORTANT]
+> **Ending support for Device Administrator enrolled devices**
+> Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024.
+> 
+> **For devices with access to GMS**
+> 
+> After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: 
+> 
+> - Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
+> - Intune and Defender for Endpoint technical support will no longer support these devices.
+> 
+> For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
 
-For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
 
 **Aug-2024 (version: 1.0.6812.0101)**
 

defender-endpoint/android-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 11/10/2024
+ms.date: 11/18/2024
 search.appverid: met150
 ---
 
@@ -330,6 +330,11 @@ By default the state of this rule is set to block. In most cases, many processes
 
 Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.
 
+> [!TIP]
+> 1. ASR audit events don't generate toast notifications. However, since the LSASS ASR rule produces large volume of audit events, almost all of which are safe to ignore when the rule is enabled in block mode, you can choose to skip the audit mode evaluation and proceed to block mode deployment, beginning with a small set of devices and gradually expanding to cover the rest.
+> 2. The rule is designed to suppress block reports/toasts for friendly processes. It is also designed to drop reports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of whether toast notifications are enabled or disabled. 
+> 3. ASR in warn mode is designed to present users with a block toast notification that includes an "Unblock" button. Due to the "safe to ignore" nature of LSASS ASR blocks and their large volume, WARN mode is not advisable for this rule (irrespective of whether toast notifications are enabled or disabled).
+
 > [!NOTE]
 > In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. 
 > The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode.

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -173,7 +173,7 @@ To test streamlined connectivity for devices not yet onboarded to Defender for E
 
 - Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` , where parameter is of GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with applicable tenant geo.
 
-As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/BetaMDEAnalyzer
+As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/MDEClientAnalyzerPreview
 
 
 > [!NOTE]

defender-endpoint/configure-device-connectivity.md

@@ -4,7 +4,7 @@ description: Exclude files from Microsoft Defender Antivirus scans based on thei
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 09/10/2024
+ms.date: 11/21/2024
 author: denisebmsft
 ms.author: deniseb
 ms.topic: conceptual
@@ -57,7 +57,7 @@ The following table lists some examples of exclusions based on file extension an
 |Exclusion|Examples|Exclusion list|
 |---|---|---|
 |Any file with a specific extension|All files with the specified extension, anywhere on the machine. <br/><br/> Valid syntax: `.test` and `test`|Extension exclusions|
-|Any file under a specific folder|All files under the `c:\test\sample` folder|File and folder exclusions|
+|Any file or folder under a specific folder|All files and folders under the `c:\test\sample` folder|File and folder exclusions|
 |A specific file in a specific folder|The file `c:\sample\sample.test` only|File and folder exclusions|
 |A specific process|The executable file `c:\test\process.exe`|File and folder exclusions|
 

defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md

@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 11/06/2024
+ms.date: 11/19/2024
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -40,7 +40,7 @@ search.appverid: met150
 Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, 
 
 > [!NOTE]
-> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](indicator-certificates.md).
+> Scripting engines like PowerShell are not trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
 
 Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
 

defender-endpoint/controlled-folders.md

@@ -14,17 +14,15 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: ngp
-ms.date: 10/21/2022
+ms.date: 11/22/2024
 ---
 
 # Cloud-delivered protection demonstration
 
 **Applies to:**
 
-- 
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 
@@ -39,7 +37,10 @@ Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as
 
 ### Scenario
 
-1. Download the [test file](https://aka.ms/ioavtest). Important: The test file isn't malicious, it's just a harmless file simulating a virus.
+1. Download and extract the [zipped folder that contains the test file](https://go.microsoft.com/fwlink/?linkid=2298135). The password is *infected*.
+
+   > [!IMPORTANT]
+   > The test file isn't malicious, it's just a harmless file simulating a virus.
 
 2. If you see file blocked by Microsoft Defender SmartScreen, select on "View downloads" button.
 

defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md

@@ -29,7 +29,7 @@ Learn how to download the Microsoft Defender for Endpoint client analyzer on sup
 ## Download client analyzer for Windows OS
 
 1. The latest stable edition is available for download from following URL: <https://aka.ms/MDEAnalyzer>
-2. The latest preview edition is available for download from following URL: <https://aka.ms/BetaMDEAnalyzer>
+2. The latest preview edition is available for download from following URL: <https://aka.ms/MDEClientAnalyzerPreview>
 
 ## Download client analyzer for macOS or Linux