Merge branch 'main' into WI410649-new-article-identity-security-iniatives

Author: padmagit77

defender-endpoint/behavior-monitor.md

@@ -10,7 +10,7 @@ ms.topic: conceptual
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 03/25/2025
+ms.date: 04/29/2025
 search.appverid: met150
 ---
 
@@ -69,7 +69,7 @@ The following table shows the different ways to configure behavior monitoring.
 | CSP | AllowBehaviorMonitoring | [Defender Policy CSP](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection)   |
 | Configuration Manager Tenant Attach | Turn on behavior monitoring | [Windows Antivirus policy settings from Microsoft Defender Antivirus for tenant attached devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach#real-time-protection) |
 | Group Policy | Turn on behavior monitoring | [Download Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2)](https://www.microsoft.com/download/details.aspx?id=105668)   |
-| PowerShell | Set-Preference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
+| PowerShell | Set-MpPreference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
 | WMI | boolean  DisableBehaviorMonitoring;  | [MSFT\_MpPreference class](/previous-versions/windows/desktop/defender/msft-mppreference) |
 
 If you use Microsoft Defender for Business, see [Review or edit your next-generation protection policies in Microsoft Defender for Business](/defender-business/mdb-next-generation-protection).

defender-endpoint/ios-configure-features.md

@@ -318,10 +318,10 @@ Defender for Endpoint on iOS enables admins to configure custom indicators on iO
 
 > [!NOTE]
 > Defender for Endpoint on iOS supports creating custom indicators only for URLs and domains. IP based custom indicators aren't supported on iOS. 
+> > IP `245.245.0.1` is an internal Defender IP and shouldn't be included in custom indicators by customers to avoid any functionality issues.
+> > For iOS, no alerts are generated in the Microsoft Defender portal when the URL or domain set in the indicator is accessed.
 > 
-> IP `245.245.0.1` is an internal Defender IP and shouldn't be included in custom indicators by customers to avoid any functionality issues.
-> 
-> For iOS, no alerts are generated in the Microsoft Defender portal when the URL or domain set in the indicator is accessed.
+> MDE portal Timeline doesn't display the URL for Custom URL Indicator Blocks for unsupervised devices, instead it marks hidden for privacy.
 
 ## Configure vulnerability assessment of apps
 
@@ -374,7 +374,7 @@ Defender for Endpoint on iOS supports vulnerability assessments of OS and apps.
    - The privacy approval screen appears only for unsupervised devices.
    - Only if end-user approves the privacy, the app information is sent to the Defender for Endpoint console.
 
-   :::image type="content" source="media/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="media/tvm-user-privacy2.png":::
+      :::image type="content" source="media/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen.":::
 
 Once the client versions are deployed to target iOS devices, processing starts. Vulnerabilities found on those devices start showing up in the Defender Vulnerability Management dashboard. The processing might take few hours (max 24 hours) to complete. This time frame is especially true for the entire list of apps to show up in the software inventory.
 

defender-endpoint/mde-linux-prerequisites.md

@@ -68,10 +68,14 @@ For detailed licensing information, see [Product Terms: Microsoft Defender for E
 
 The following Linux server distributions and x64 (AMD64/EM64T) versions are supported:
 
-- Red Hat Enterprise Linux 7.2 or higher 
+- Red Hat Enterprise Linux 7.2 and higher 
+
 - Red Hat Enterprise Linux 8.x 
 - Red Hat Enterprise Linux 9.x 
-- CentOS 7.2 or higher, excluding CentOS Stream 
+- CentOS 7.2 and higher, excluding CentOS Stream 
+
+- CentOS 8.x
+
 - Ubuntu 16.04 LTS 
 - Ubuntu 18.04 LTS 
 - Ubuntu 20.04 LTS 
@@ -80,7 +84,8 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 - Debian 9 - 12 
 - SUSE Linux Enterprise Server 12.x 
 - SUSE Linux Enterprise Server 15.x 
-- Oracle Linux 7.2 or higher 
+- Oracle Linux 7.2 and higher 
+
 - Oracle Linux 8.x 
 - Oracle Linux 9.x 
 - Amazon Linux 2 
@@ -174,13 +179,6 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
 - For RHEL6 the mdatp RPM package requires `policycoreutils`, `libselinux`, and `mde-netfilter`.
 - For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, and `mde-netfilter`.
 
-> [!NOTE]
-> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
-> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or older, the following additional dependency on the auditd package exists for mdatp:
-> - The mdatp RPM package requires `audit`, `semanage`.
-> - For DEBIAN, the mdatp package requires `auditd`.
-> - For Mariner, the mdatp package requires `audit`.
-
 The `mde-netfilter` package also has the following package dependencies:
 
 - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`

defender-endpoint/mde-sdp-strategy.md

@@ -6,7 +6,7 @@ author: emmwalshh
 ms.author: ewalsh
 ms.reviewer: yongrhee
 manager: deniseb
-ms.date: 09/16/2024
+ms.date: 04/29/2025
 ms.topic: conceptual
 ms.service: defender-endpoint
 ms.subservice: ngp
@@ -19,28 +19,35 @@ ms.collection:
 
 # Use safe deployment practices to safeguard and manage your environment
 
-Microsoft follows safe deployment practices (SDP) to minimize the risk of security updates having an unexpected impact. This article describes Microsoft Defender for Endpoint's approach to SDP and what customers can do to manage their own roll-out processes to add an extra layer of control.
+<!-- Added introductory text to emphasize why updates are important. Mirrors language from https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint%e2%80%99s-safe-deployment-practices/4220342 -->
+
+Microsoft Defender for Endpoint helps protect organizations against sophisticated adversaries while optimizing for resiliency, performance, and compatibility, following [best practices for managing security tools in Windows](https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/). Keeping Microsoft Defender for Endpoint up to date is essential to ensure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+
+Microsoft follows safe deployment practices (SDP) to deliver critical new product capabilities while minimizing the risk of updates having unexpected impacts to endpoint performance and availability. This article describes Defender for Endpoint's approach to SDP and how customers can manage their own roll-out processes to add extra layers of control to meet their own business, technical, and security requirements.
+
+## Approach and update types
 
 Microsoft Defender for Endpoint ships updates externally only after all the certification and validation tests are completed across multiple iterations of internal devices.
 
 Defender for Endpoint applies SDP to two distinct update mechanisms:
 
-- Software and driver updates that are updated monthly (can potentially update kernel-mode components).
-- Security intelligence and detection logic updates that can be updated multiple times a day (updates only apply to user-mode components).
+- Software and driver updates that are updated monthly and can potentially update kernel-mode components.
+
+- Security intelligence and detection logic updates that can be updated multiple times a day and apply only to user-mode components.
 
 ## Monthly SDP software and driver updates
 
 Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs.
 
-Defender for Endpoint's kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
+Defender for Endpoint's kernel drivers captures system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
 
 The process for rolling out software and driver updates for Defender for Endpoint is shown in this image:
 
 :::image type="content" alt-text="Screenshot that shows the process for rolling out software and driver updates for Defender for Endpoint." source="/defender/media/defender-endpoint/mde-software-driver-updates.png" lightbox="/defender/media/defender-endpoint/mde-software-driver-updates.png":::
 
 ### Microsoft SDP for monthly updates
 
-All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft's hundreds of thousands of employees and millions of internal devices. This helps ensure Microsoft discovers and addresses issues first, before customers.
+All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft's hundreds of thousands of employees and millions of internal devices. This helps ensure your devices are equipped with the latest technology and features necessary to defend against emerging malware and attack techniques.
 
 Within each ring, Microsoft closely monitors quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices.