Merge branch 'main' into mde-mac-overview

Author: denisebmsft

.github/workflows/StaleBranch.yml

@@ -2,6 +2,7 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
+  pull-requests: read
 
 # This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
 # On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.

.openpublishing.redirection.defender-cloud-apps.json

@@ -1009,6 +1009,11 @@
       "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
       "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
       "redirect_document_id": true
-    }
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/connector-platform.md",
+      "redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
+      "redirect_document_id": true
+    },
   ]
 }

CloudAppSecurityDocs/connector-platform.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
-ms.date: 04/28/2025
+ms.date: 05/05/2025
 ms.topic: how-to
 ---
 
@@ -97,6 +97,7 @@ Defender for Cloud Apps supports the following ServiceNow versions:
         - Kingston
         - London  
         - Utah
+        - Yokohama
     :::column-end:::
     :::column:::
         - Madrid

CloudAppSecurityDocs/protect-servicenow.md

@@ -62,8 +62,6 @@ items:
       - name: Overview
         displayName: connect apps
         href: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
-      - name: Custom connectors with the open app connector platform
-        href: ./connector-platform.md
       - name: Asana
         href: protect-asana.md
       - name: Atlassian

CloudAppSecurityDocs/toc.yml

@@ -254,14 +254,14 @@
                 href: manage-sys-extensions-using-jamf.md
               - name: Manual deployment
                 href: manage-sys-extensions-manual-deployment.md
-            
+           
         - name: Defender for Endpoint on Linux
           items:
           - name: Deploy Defender for Endpoint on Linux
             items:
-            - name: 1 - Prerequisites
+            - name: Prerequisites
               href: mde-linux-prerequisites.md
-            - name: 2 - Choose a deployment method
+            - name: Choose a deployment method
               items:
               - name: Installer script based deployment
                 href: linux-installer-script.md
@@ -279,28 +279,28 @@
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
               - name: Deployment guidance for Defender for Endpoint on Linux for SAP
                 href: mde-linux-deployment-on-sap.md
-            - name: 3 - Configuration
+          - name: Configure Defender for Endpoint on Linux
+            items:
+            - name: Configure security policies and settings
+              href: linux-preferences.md
+            - name: Static proxy configuration
+              href: linux-static-proxy-configuration.md
+            - name: Configure antivirus scans
               items:
-              - name: Configure security policies and settings
-                href: linux-preferences.md
-              - name: Static proxy configuration
-                href: linux-static-proxy-configuration.md
-              - name: Configure antivirus scans
-                items:
-                - name: Schedule antivirus scans using Anacron
-                  href: schedule-antivirus-scan-anacron.md
-                - name: Schedule antivirus scans using Crontab
-                  href: schedule-antivirus-scan-crontab.md
-              - name: Network protection for Linux
-                href: network-protection-linux.md
-              - name: Configure and validate exclusions on Linux
-                href: linux-exclusions.md
-              - name: Configure eBPF-based sensor
-                href: linux-support-ebpf.md 
-              - name: Detect and block Potentially Unwanted Applications
-                href: linux-pua.md
-              - name: Configure Offline Security Intelligence Update
-                href: linux-support-offline-security-intelligence-update.md
+              - name: Schedule antivirus scans using Anacron
+                href: schedule-antivirus-scan-anacron.md
+              - name: Schedule antivirus scans using Crontab
+                href: schedule-antivirus-scan-crontab.md
+            - name: Network protection for Linux
+              href: network-protection-linux.md
+            - name: Configure and validate exclusions on Linux
+              href: linux-exclusions.md
+            - name: Configure eBPF-based sensor
+              href: linux-support-ebpf.md 
+            - name: Detect and block Potentially Unwanted Applications
+              href: linux-pua.md
+            - name: Configure Offline Security Intelligence Update
+              href: linux-support-offline-security-intelligence-update.md
           - name: Update Defender for Endpoint on Linux
             items: 
             - name: Update Defender for Endpoint on Linux
@@ -309,7 +309,7 @@
               href: linux-update-mde-linux.md
           - name: Privacy for Defender for Endpoint on Linux
             href: linux-privacy.md
-          - name: Resources for Microsoft Defender for Endpoint on Linux
+          - name: Additional resources for Defender for Endpoint on Linux
             href: linux-resources.md
         - name: Mobile Threat Defense
           items:
@@ -783,6 +783,8 @@
       - name: Configure Microsoft Defender Antivirus scans
         href: schedule-antivirus-scans.md
         items:
+        - name: Schedule scans using Intune
+          href: schedule-antivirus-scans-intune.md
         - name: Schedule scans using Group Policy
           href: schedule-antivirus-scans-group-policy.md
         - name: Schedule scans using PowerShell

defender-endpoint/TOC.yml

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 04/04/2025
+ms.date: 04/30/2025
 search.appverid: met150
 ---
 
@@ -253,8 +253,8 @@ For rules with the "Rule State" specified:
 
 > [!NOTE]
 > To protect your environment from vulnerable drivers, you should first implement these:
-> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
-> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
+> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
+> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and aren't known to be vulnerable.
 > For Windows 11 or later, and Windows Server core 1809 or later, or Windows Server 2019 or later, you should also enable [Microsoft Windows vulnerable driver blocklist](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), 
 > Then as another layer of defense, you should enable this attack surface reduction rule.
 
@@ -544,7 +544,9 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 > [!NOTE]
-> If `CcmExec.exe` (SCCM Agent) is detected on the device, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. 
+> If you're utilizing Configuration Manager (CM, previously known as MEMCM or SCCM) with CcmExec.exe` (SCCM Agent), we recommend running it in audit mode for at least 60 days. 
+> Once you're prepared to switch to block mode, ensure you deploy the appropriate ASR rules, considering any necessary rule exclusions.
+
 
 Intune name: `Persistence through WMI event subscription`