Merge branch 'main' into patch-2

Author: EdgarPMIA

defender-endpoint/defender-endpoint-false-positives-negatives.md

@@ -212,9 +212,11 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi
 
 - [Create "allow" indicators for Microsoft Defender for Endpoint](#indicators-for-defender-for-endpoint)
 - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
+- For Attack Surface Reduction Rule exclusions [Configure attack surface reduction per-rule exclusions](/defender-endpoint/attack-surface-reduction-rules-deployment-test#configure-attack-surface-reduction-per-rule-exclusions) or you can leverage [ASR rule only exclusions](/defender-endpoint/enable-attack-surface-reduction#exclude-files-and-folders-from-attack-surface-reduction-rules)
 
 > [!NOTE]
 > Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use [custom indicators](indicators-overview.md) for Microsoft Defender for Endpoint and exclusions for Microsoft Defender Antivirus.
+> ASR Rules can leverage ASR Rule Exclusions - where the exclusions apply to all ASR Rules; ASR per Rule Exclusions; Defender AV exclusions; as well as allow indicators defined in Custom Indicators.
 
 The procedures in this section describe how to define indicators and exclusions.
 

defender-endpoint/evaluate-mdav-using-gp.md

@@ -180,13 +180,13 @@ Disable local administrator AV settings such as exclusions, and enforce the poli
 | --- | --- |
 | Prevent users and apps from accessing dangerous websites | Enabled, Block |
 | This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server | Enabled |
-| Allow Network Protection Down Level | Network protection is enabled downlevel |
-| Allow Datagram Processing On Win Server | Datagram processing on Windows Server is enabled |
-| Disable DNS over TCP parsing | DNS over TCP parsing is enabled |
-| Disable HTTP parsing | HTTP parsing is enabled |
-| Disable SSH parsing | SSH parsing is enabled |
-| Disable TLS parsing | TLS parsing is enabled |
-| Enable DNS Sinkhole | DNS Sinkhole is enabled |
+
+To enable Network Protection for Windows Servers, for now, please use Powershell:
+
+| OS | Powershell cmdlet |
+| --- | --- |
+| Windows Server 2012 R2Windows Server 2022 and later	| set-MpPreference -AllowNetworkProtectionOnWinServer $true |
+| Windows Server 2016 and Windows Server 2012 R2 [unified MDE client](/defender-endpoint/update-agent-mma-windows#upgrade-to-the-new-unified-agent-for-defender-for-endpoint) | set-MpPreference -AllowNetworkProtectionOnWinServer $true and set-MpPreference -AllowNetworkProtectionDownLevel $true
 
 ## Attack Surface Reduction Rules
 
@@ -207,7 +207,7 @@ Disable local administrator AV settings such as exclusions, and enforce the poli
 | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb<br><br>**Note:** ( \[PREVIEW\] Block use of copied or impersonated system tools) | 1 (Block) |
 | d3e037e1-3eb8-44c8-a917-57927947596d<br><br>**Note:** (Block JavaScript or VBScript from launching downloaded executable content) | 1 (Block) |
 | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2<br><br>**Note:** (Block credential stealing from the Windows local security authority subsystem) | 1 (Block) |
-| a8f5898e-1dc8-49a9-9878-85004b8a61e6<br><br>**Note:** (Block Webshell creation for Servers) | 1 (Block) |
+| a8f5898e-1dc8-49a9-9878-85004b8a61e6<br><br>**Note:** (Block Web shell creation for Servers) | 1 (Block) |
 | 3b576869-a4ec-4529-8536-b80a7769e899<br><br>**Note:** (Block Office applications from creating executable content) | 1 (Block) |
 | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4<br><br>**Note:** (Block untrusted and unsigned processes that run from USB) | 1 (Block) |
 | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84<br><br>**Note:** (Block Office applications from injecting code into other processes) | 1 (Block) |

defender-endpoint/microsoft-defender-antivirus-compatibility.md

@@ -207,12 +207,13 @@ You can use one of several methods to confirm the state of Microsoft Defender An
 - [Use Windows PowerShell to confirm that antivirus protection is running](#use-windows-powershell-to-confirm-that-antivirus-protection-is-running).
 
 > [!IMPORTANT]
-> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it place Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode.
+> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode.
 > 
 > - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled.
 > - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead.
 > 
 > Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`.
+>Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is in block mode.
 
 ### Use the Windows Security app to identify your antivirus app
 

exposure-management/configure-data-connectors.md

@@ -11,6 +11,29 @@ ms.date: 11/06/2024
 
 # Configure your data connectors
 
+[Microsoft Security Exposure Management](microsoft-security-exposure-management.md) consolidates security posture data from all your digital assets, enabling you to map your attack surface and focus your security efforts on areas at greatest risk. Data from Microsoft Security products like Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud, Microsoft Entra ID, and others are automatically ingested and consolidated within Exposure Management. You can further enrich and extend this data by connecting to a range of external data sources.
+
+## Prerequisites
+
+The following prerequisites are required to integrate external data connecters to Microsoft Security Exposure Management.
+
+### Roles & permissions
+
+For full access to connect and disconnect the data connectors you need one of the following Microsoft Entra ID roles:
+
+- Global Admin (read and write permissions)
+- Security Admin (read and write permissions)
+- Security Operator (read and limited write permissions)
+
+To view the status of the connectors, you can use one of the following roles:
+
+- Global Reader (read permissions)
+- Security Reader (read permissions)
+
+You can find more details about the permission levels here, [Prerequisites, and support](prerequisites.md).
+
+## Establish a connection
+
 To establish a connection with any of the supported external products, follow these steps:
 
 1. Complete the applicable prerequisite steps for your external data connectors.

exposure-management/overview-data-connectors.md

@@ -38,25 +38,6 @@ Data Connectors in Microsoft Security Exposure Management is currently in public
 > [!NOTE]
 > During the preview phase, use of the data connectors feature is free. Once data connectors become generally available, there will be a consumption-based cost for each non-Microsoft data connector based on number of assets retrieved from the connected security tool. The charge will be according to volume of ingested billable assets, where a billable asset is any asset (device, container, identity, application) on which data is reported from that connector. Each connector will have clearly defined applicable assets and guidance on how to determine the numbers. Pricing will be announced before billing of external connectors starts at GA.  
 
-## Prerequisites
-
-The following prerequisites are required to integrate external data connecters to Microsoft Security Exposure Management.
-
-### Roles & permissions
-
-For full access to connect and disconnect the data connectors you need one of the following Microsoft Entra ID roles:
-
-- Global Admin (read and write permissions)
-- Security Admin (read and write permissions)
-- Security Operator (read and limited write permissions)
-
-To view the status of the connectors, you can use one of the following roles:
-
-- Global Reader (read permissions)
-- Security Reader (read permissions)
-
-You can find more details about the permission levels here, [Prerequisites, and support](prerequisites.md).
-
 ## Next steps
 
 [Configure your data connectors](configure-data-connectors.md).