Merge branch 'main' into WI431514-app-inventory-ga-ready

Author: DeCohen

ATPDocs/integrate-microsoft-and-pam-services.md

@@ -56,4 +56,6 @@ For more information, see:
 
 [How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
 
-[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+
+[How to integrate Defender for Identity with BeyondTrust](https://docs.beyondtrust.com/insights/docs/microsoft-defender)

defender-business/mdb-faq.yml

@@ -10,7 +10,7 @@ metadata:
   ms.topic: faq
   ms.service: defender-business
   ms.localizationpriority: medium
-  ms.date: 03/19/2024
+  ms.date: 05/20/2025
   ms.reviewer: efratka, nehabha
   f1.keywords: NOCSH
   ms.collection:
@@ -61,10 +61,10 @@ sections:
         answer: |
           The following table compares server options for Defender for Business customers:
 
-          | Server license | Description |
-          |--|--|
-          | Microsoft Defender for Business servers | [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com). |
-          | Microsoft Defender for Servers Plan 1 / Plan 2| [Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
+          |Server license|Description|
+          |---|---|
+          |Microsoft Defender for Business servers|[Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com).|
+          |Microsoft Defender for Servers Plan 1 / Plan 2|[Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
 
           Adding Defender for Cloud to a tenant that has Defender for Business doesn't change the simplified configuration experience that Defender for Business offers. The functionality in Microsoft Defender for Servers Plan 1 or Plan 2 work with Defender for Business. 
 
@@ -90,7 +90,7 @@ sections:
 
           |OS|Method|Notes|
           |---|---|---|
-          |Windows |[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
+          |Windows|[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
           |Mac|Jamf or Intune|You can use Jamf or Intune to set up device control on Mac. See [Device Control for macOS](/defender-endpoint/mac-device-control-overview).|
 
       - question: How do I run custom reports with Defender for Business?
@@ -141,25 +141,25 @@ sections:
           
           The following table summarizes some differences between Defender for Business and Defender for Endpoint:
 
-          | Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
-          |---|---|---|---|
-          | Centralized management | ✔ | ✔ | ✔ |
-          | Simplified firewall and antivirus configuration for Windows | ✔ | | |
-          | Vulnerability management (core capabilities) | ✔ | | ✔ |
-          | Attack surface reduction | ✔ | ✔ | ✔ |
-          | Next-generation protection | ✔ | ✔ | ✔ |
-          | Endpoint detection & response (EDR) | ✔ <br/>(optimized) | | ✔ |
-          | Automatic attack disruption | ✔ | | ✔ |
-          | Automated investigation & remediation | ✔ | | ✔ |
-          | Monthly security summary reporting | ✔ | | ✔ |
-          | 30 days advanced hunting and six months of data retention in the device timeline | | | ✔ |
-          | Threat analytics | ✔<br/>(optimized) | | ✔ |
-          | Cross-platform support <br/>(Mac, iOS, Android)| ✔ | ✔ | ✔ |
-          | Windows Server and Linux Server <br/>(requires server licenses) | ✔  | ✔ | ✔ |
-          | Microsoft Threat Experts | | | ✔ |
-          | Microsoft 365 Lighthouse <br/>(optimized; for CSPs only) | ✔ | ✔ | ✔ |
-          | Microsoft Defender multi-tenant management | ✔ | ✔ | ✔ |
-          | APIs | ✔  | ✔ | ✔ |
+          |Capabilities|Defender for</br>Business|Defender for</br>Endpoint Plan 1|Defender for</br>Endpoint Plan 2|
+          |---|:---:|:---:|:---:|
+          |Centralized management|✔|✔|✔|
+          |Simplified firewall and antivirus configuration for Windows|✔|||
+          |Vulnerability management (core capabilities)|✔||✔|
+          |Attack surface reduction|✔|✔|✔|
+          |Next-generation protection|✔|✔|✔|
+          |Endpoint detection & response (EDR)|✔ <br/> (optimized)||✔|
+          |Automatic attack disruption|✔||✔|
+          |Automated investigation & remediation|✔||✔|
+          |Monthly security summary reporting|✔||✔|
+          |30 days advanced hunting <br/> and six months of data retention <br/> in the device timeline|||✔|
+          |Threat analytics|✔ <br/> (optimized)||✔|
+          |Cross-platform support <br/> (Mac, iOS/iPadOS, Android)|✔|✔|✔|
+          |Windows Server and Linux Server <br/> (requires server licenses)|✔|✔|✔|
+          |Microsoft Threat Experts|||✔|
+          |Microsoft 365 Lighthouse <br/> (optimized; for CSPs only)|✔|✔|✔|
+          |Microsoft Defender multi-tenant management|✔|✔|✔|
+          |APIs|✔|✔|✔|
 
       - question: Can I have a mix of Microsoft endpoint security subscriptions?
         answer: |

defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md

@@ -4,7 +4,7 @@ description: Exclude files from Microsoft Defender Antivirus scans based on thei
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 01/27/2025
+ms.date: 05/19/2025
 author: emmwalshh
 ms.author: ewalsh
 ms.topic: conceptual
@@ -38,10 +38,9 @@ You can define exclusions for Microsoft Defender Antivirus that apply to [schedu
 - [Exclusions for files that are opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
 
 > [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions do apply to some Microsoft Defender for Endpoint capabilities, such as [attack surface reduction rules](attack-surface-reduction.md). Some Microsoft Defender Antivirus exclusions are applicable to some ASR rule exclusions. See [Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules](attack-surface-reduction-rules-reference.md#microsoft-defender-antivirus-exclusions-and-asr-rules).
-> Files that you exclude using the methods described in this article can still trigger Endpoint Detection and Response (EDR) alerts and other detections.
-> To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](indicators-overview.md).
-> Variables, such as `%USERPROFILE%` aren't interpreted in exclusion settings. We recommend using an explicit path format.
+> - Microsoft Defender Antivirus exclusions do apply to some Microsoft Defender for Endpoint capabilities, such as [attack surface reduction rules](attack-surface-reduction.md). Some Microsoft Defender Antivirus exclusions are applicable to some ASR rule exclusions. See [Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules](attack-surface-reduction-rules-reference.md#microsoft-defender-antivirus-exclusions-and-asr-rules).
+> - Files that you exclude using the methods described in this article can still trigger Endpoint Detection and Response (EDR) alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](indicators-overview.md).
+> - Variables, such as `%USERPROFILE%` aren't interpreted in exclusion settings. We recommend using an explicit path format.
 
 ## Before you begin
 

defender-endpoint/enable-network-protection.md

@@ -3,7 +3,7 @@ title: Turn on network protection
 description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 05/15/2025
+ms.date: 05/19/2025
 ms.topic: conceptual
 author: emmwalshh
 ms.author: ewalsh
@@ -40,35 +40,59 @@ search.appverid: met150
 
 [Learn more about network filtering configuration options.](/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
 
-## Check if network protection is enabled
+## Enable network protection
 
-You can use Registry Editor to check the status of network protection.
+To enable network protection, you can use any of the methods described in this article.
 
-1. Select the **Start** button in the task bar and type `regedit`. In the list of results, select Registry editor to open it.
+### Microsoft Defender for Endpoint Security Settings Management
 
-2. Choose **HKEY_LOCAL_MACHINE** from the side menu.
+#### Create an endpoint security policy
 
-3. Navigate through the nested menus to **SOFTWARE** \> **Policies** \> **Microsoft** \> **Windows Defender** \> **Policy Manager**.
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) using at least a Security Administrator role assigned.
 
-   If the key is missing, navigate to **SOFTWARE** \> **Microsoft** \> **Windows Defender** \> **Windows Defender Exploit Guard** \> **Network Protection**.
+2. Go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new policy**.
 
-4. Select **EnableNetworkProtection** to see the current state of network protection on the device:
+3. Under **Select Platform**, select **Windows 10, Windows 11, and Windows Server**.
 
-   - **0**, or **Off**
-   - **1**, or **On**
-   - **2**, or **Audit** mode
+4. Under **Select Template**, select **Microsoft Defender Antivirus**, then select **Create policy**.
 
-   :::image type="content" source="/defender/media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" alt-text="Network Protection registry key" lightbox="/defender/media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png":::
+5. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
 
-## Enable network protection
+6. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.
+
+   - Network Protection on Windows clients:
+
+      | Description| Setting|
+      | -------- | -------- |
+      | Enable Network Protection|Options:<br>- Enabled (block mode) Block mode is needed to block IP address/URL indicators and Web Content Filtering.<br>- Enabled (audit mode) <br>- Disabled (Default) <br>- Not Configured|
+
+   - Network Protection on Windows Server 2012 R2 and Windows Server 2016
+
+      | Description|Setting|
+      | -------- | -------- |
+      |Allow Network Protection Down Level|Options:<br>- Network protection will be enabled downlevel. <br>- Network Protection will be disabled downlevel. (Default) <br>- Not Configured|
+
+   - Optional Network Protection settings for Windows and Windows Server:
+
+      > [!WARNING]
+      > For Domain Controllers, Windows DNS servers and Microsoft Exchange servers, set the **Allow Datagram Processing On WinServer** to **Datagram processing on Windows Server is disabled**. These roles often generate high volumes of UDP traffic, which can affect network performance and reliability when datagram processing is enabled. Disabling this setting helps maintain network stability and optimize resource usage in demanding environments.
+
+      |Description| Setting|
+      | -------- | -------- |
+      |Allow Datagram Processing On Win Server|- Datagram processing on Windows Server is enabled. <br>- Datagram processing on Windows Server is disabled (Default). <br>- Not configured|
+      |Disable DNS over TCP parsing|- DNS over TCP parsing is disabled. <br>- DNS over TCP parsing is enabled (Default). <br>- Not configured|
+      |Disable HTTP parsing|- HTTP parsing is disabled. <br>- HTTP parsing is enabled (Default). <br>- Not configured|
+      |Disable SSH parsing|- SSH parsing is disabled. <br>- SSH parsing is enabled (Default). <br>- Not configured|
+      |Disable TLS parsing |- TLS parsing is disabled. <br>- TLS parsing is enabled (Default). <br>- Not configured|
+      |[Deprecated]Enable DNS Sinkhole|- DNS Sinkhole is disabled. <br>- DNS Sinkhole is enabled. (Default) <br>- Not configured|
+
+7. When you're done configuring settings, select **Next**.
+
+8. On the **Assignments** page, select the groups that will receive this profile. Then select **Next**.
 
-To enable network protection, you can use one of the following methods:
+9. On the **Review + create** page, review the information, and then select **Save**. 
 
-- [Microsoft Intune](#microsoft-intune)
-- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-- [Group Policy](#group-policy)
-- [Microsoft Configuration Manager](#microsoft-configuration-manager)
-- [PowerShell](#powershell)
+   The new profile is displayed in the list when you select the policy type for the profile you created.
 
 ### Microsoft Intune
 
@@ -188,15 +212,16 @@ Use the following procedure to enable network protection on domain-joined comput
    Set-MpPreference -EnableNetworkProtection Enabled
    ```
 
-3. For Windows Server, use the additional commands listed in the following table:
+1. For Windows Server, use the additional commands listed in the following table:
 
-   | Windows Server version | Commands |
-   |---|---|
-   |Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
-   |Windows Server 2016 <br/>Windows Server 2012 R2 with the [unified agent for Microsoft Defender for Endpoint](/defender-endpoint/enable-network-protection) | `set-MpPreference -AllowNetworkProtectionDownLevel $true` <br/> `set-MpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
+| Windows Server version | Commands |
+|---|---|
+|Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
+|Windows Server 2016 <br/>Windows Server 2012 R2 with the [unified agent for Microsoft Defender for Endpoint](/defender-endpoint/enable-network-protection) | `set-MpPreference -AllowNetworkProtectionDownLevel $true` <br/> `set-MpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
 
    > [!IMPORTANT]
-   > For Domain Controllers and Microsoft Exchange servers, set the `AllowDatagramProcessingOnWinServer` parameter to `$false`. These roles often generate high volumes of UDP traffic, which can affect network performance and reliability when datagram processing is enabled. Disabling this setting helps maintain network stability and optimize resource usage in demanding environments.
+   > For Domain Controllers, Windows DNS servers and Microsoft Exchange servers, set the `AllowDatagramProcessingOnWinServer` parameter to `$false`. These roles often generate high volumes of UDP traffic, which can affect network performance and reliability when datagram processing is enabled. Disabling this setting helps maintain network stability and optimize resource usage in demanding environments.
+   
 
 4. (This step is optional.) To set network protection to audit mode, use the following cmdlet:
 
@@ -206,6 +231,27 @@ Use the following procedure to enable network protection on domain-joined comput
 
    To turn off network protection, use the `Disabled` parameter instead of `AuditMode` or `Enabled`.
 
+
+## Check if network protection is enabled
+
+You can use Registry Editor to check the status of network protection.
+
+1. Select the **Start** button in the task bar and type `regedit`. In the list of results, select Registry editor to open it.
+
+2. Choose **HKEY_LOCAL_MACHINE** from the side menu.
+
+3. Navigate through the nested menus to **SOFTWARE** \> **Policies** \> **Microsoft** \> **Windows Defender** \> **Policy Manager**.
+
+   If the key is missing, navigate to **SOFTWARE** \> **Microsoft** \> **Windows Defender** \> **Windows Defender Exploit Guard** \> **Network Protection**.
+
+4. Select **EnableNetworkProtection** to see the current state of network protection on the device:
+
+   - **0**, or **Off**
+   - **1**, or **On**
+   - **2**, or **Audit** mode
+
+   :::image type="content" source="/defender/media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" alt-text="Network Protection registry key" lightbox="/defender/media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png":::
+
 #### Important information about removing Exploit Guard settings from a device
 
 When you deploy an Exploit Guard policy using Configuration Manager, the settings remain on the client even if you later remove the deployment. If the deployment is removed, the client logs `Delete` not supported in the `ExploitGuardHandler.log` file.