Merge pull request #2388 from MicrosoftDocs/main

1/9/2025 AM Publish

Author: Taojunshen

.openpublishing.redirection.defender-xdr.json

@@ -1,5 +1,16 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud-apps.md",
+      "redirect_url": "/defender-cloud-apps/microsoft-365-security-center-defender-cloud-apps",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-mdi.md",
+      "redirect_url": "/defender-for-identity/microsoft-365-security-center-mdi",
+      "redirect_document_id": false
+    },
+
     {
       "source_path": "defender-xdr/eval-create-eval-environment.md",
       "redirect_url": "/defender-xdr/pilot-deploy-overview",

defender-xdr/microsoft-365-security-center-mdi.md renamed to ATPDocs/microsoft-365-security-center-mdi.md

@@ -11,16 +11,18 @@ items:
     href: zero-trust.md
   - name: System architecture
     href: architecture.md
-  - name: Defender for Identity in Microsoft Defender XDR
-    href: /microsoft-365/security/defender/microsoft-365-security-center-mdi?bc=/defender-for-identity/bread/toc.json&toc=/defender-for-identity/TOC.json
+  - name: Defender for Identity in the Microsoft Defender portal
+    href: microsoft-365-security-center-mdi.md
   - name: Defender for Identity for US Government
     href: us-govt-gcc-high.md
 - name: Deploy
   expanded: true
   items:
   - name: Quick installation guide
     href: deploy/quick-installation-guide.md
-  - name: Deployment overview
+  - name: Pilot and deploy Microsoft Defender XDR
+    href: /defender-xdr/pilot-deploy-overview?toc=/defender-for-identity/toc.json&bc=/defender-for-identity/breadcrumb/toc.json
+  - name: Defender for Identity deployment overview
     href: deploy/deploy-defender-identity.md
   - name: Plan and prepare
     items:

ATPDocs/toc.yml

@@ -26,26 +26,26 @@ ms.custom: admindeeplinkDEFENDER
 
 **Applies to:**
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
+- [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender)
 - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
 
 Microsoft Defender for Cloud Apps is available inside the Microsoft Defender portal. The Defender portal is the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure, allowing security admins to perform their security tasks in one location, across multiple Microsoft Defender services.
 
 SOC analysts can triage, investigate, and hunt across all Microsoft Defender XDR workloads, including cloud apps.
 
-Take a look in Microsoft Defender XDR at <https://security.microsoft.com>.
+Take a look in the Microsoft Defender portal at <https://security.microsoft.com>.
 
-Learn more about the benefits: [Overview of Microsoft Defender XDR](microsoft-365-defender.md).
+Learn more about the benefits: [Overview of Microsoft Defender XDR](/defender-xdr/microsoft-365-defender).
 
 ## Perform cloud app security tasks
 
 Find Defender for Cloud Apps functionality in the Microsoft Defender portal under **Cloud Apps**. For example:
 
-:::image type="content" source="media/defender-for-cloud-apps/cloud-apps.png" alt-text="Screenshot that shows the Defender for Cloud Apps Cloud discovery page." lightbox="media/defender-for-cloud-apps/cloud-apps.png":::
+:::image type="content" source="media/microsoft-365-security-center-defender-cloud-apps/cloud-apps.png" alt-text="Screenshot that shows the Defender for Cloud Apps Cloud discovery page." lightbox="media/microsoft-365-security-center-defender-cloud-apps/cloud-apps.png":::
 
 ## Investigate cloud app alerts
 
-Defender for Cloud Apps alerts show in the Defender portal's incident and alerts queues, with relevant content inside alert pages for each type of an alert. For more information, see [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md).
+Defender for Cloud Apps alerts show in the Defender portal's incident and alerts queues, with relevant content inside alert pages for each type of an alert. For more information, see [Investigate incidents in Microsoft Defender XDR](/defender-xdr/investigate-incidents).
 
 ## Global search for your connected cloud apps
 
@@ -57,7 +57,7 @@ Use the Microsoft Defender portal's global search bar at the top of the page to
 
 Use the **Assets > Identities** page to find comprehensive details about entities pulled from connected cloud applications, including a users's activity history and security alerts related to the user. For example:
 
-:::image type="content" source="media/defender-for-cloud-apps/dashboard-top-users.png" alt-text="Screenshot that shows cloud app entities in the Identities page." lightbox="media/defender-for-cloud-apps/dashboard-top-users.png":::
+:::image type="content" source="media/microsoft-365-security-center-defender-cloud-apps/dashboard-top-users.png" alt-text="Screenshot that shows cloud app entities in the Identities page." lightbox="media/microsoft-365-security-center-defender-cloud-apps/dashboard-top-users.png":::
 
 <a name='redirection-from-the-classic-microsoft-defender-for-cloud-apps-portal-to-microsoft-365-defender'></a>
 
@@ -76,9 +76,9 @@ Learn how to protect your cloud apps in Microsoft Defender XDR:
 > [!VIDEO https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/video-embed.html?id=2105e5c9-23bf-41fb-a61d-0f0fae8ef05f title="Defender for Cloud Apps in Microsoft Defender XDR for customers migrating from the classic portal"]
 
 
-## Related information
+## Related content
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-- [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md)
+- [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender)
+- [Investigate incidents in Microsoft Defender XDR](/defender-xdr/investigate-incidents)
 - [Contact support](/defender-cloud-apps/support-and-ts)
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/media/defender-for-cloud-apps/cloud-apps.png renamed to CloudAppSecurityDocs/media/microsoft-365-security-center-defender-cloud-apps/cloud-apps.png

@@ -7,6 +7,8 @@ items:
     href: what-is-defender-for-cloud-apps.md
   - name: What's new in Defender for Cloud Apps
     href: release-notes.md
+  - name: Defender for Cloud Apps in the Microsoft Defender portal
+    href: microsoft-365-security-center-defender-cloud-apps.md
   - name: Privacy with Defender for Cloud Apps
     href: cas-compliance-trust.md
   - name: Preview features
@@ -31,6 +33,8 @@ items:
     href: best-practices.md
 - name: Deploy Defender for Cloud Apps
   items:
+  - name: Pilot and deploy Microsoft Defender XDR
+    href: /defender-xdr/pilot-deploy-overview?toc=/cloud-app-security/toc.json&bc=/cloud-app-security/breadcrumb/toc.json
   - name: Network requirements
     href: network-requirements.md
   - name: Getting started

defender-xdr/media/defender-for-cloud-apps/dashboard-top-users.png renamed to CloudAppSecurityDocs/media/microsoft-365-security-center-defender-cloud-apps/dashboard-top-users.png

@@ -511,6 +511,8 @@
           href: troubleshoot-collect-support-log.md
         - name: Troubleshoot Microsoft Defender Antivirus settings
           href: troubleshoot-settings.md
+        - name: Troubleshoot Microsoft Defender Antivirus service startup problems
+          href: troubleshoot-service-startup-problems.md
         - name: Troubleshooting Security Intelligence Updates from Microsoft Update source
           href: security-intelligence-update-tshoot.md
           displayName: Troubleshooting Security Intelligence Updates from Microsoft Update source

defender-xdr/microsoft-365-security-center-defender-cloud-apps.md renamed to CloudAppSecurityDocs/microsoft-365-security-center-defender-cloud-apps.md

@@ -39,15 +39,17 @@ In this section of the attack surface reduction rules deployment guide, you'll l
 - use Event Viewer for attack surface reduction rules events
 
 > [!NOTE]
-> Before you begin testing attack surface reduction rules, it is recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the attack surface reduction rules report to disable attack surface reduction rules.
+> Before you begin testing attack surface reduction rules, it's recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the attack surface reduction rules report disabling attack surface reduction rules.
 
 Begin your attack surface reduction rules deployment with ring 1.
 
 > :::image type="content" source="media/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit attack surface reduction rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="media/asr-rules-testing-steps.png":::
 
 ## Step 1: Test attack surface reduction rules using Audit
 
-Begin the testing phase by turning on the attack surface reduction rules with the rules set to Audit, starting with your champion users or devices in ring 1. Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase. Rules that are set to Audit don't generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there is no effect on end users.
+Begin the testing phase by turning on the attack surface reduction rules with the rules set to Audit, starting with your champion users or devices in ring 1. Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase.
+
+ Rules that are set to Audit don't generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there's no effect on end users.
 
 ### Configure attack surface reduction rules using Intune
 
@@ -77,14 +79,14 @@ You can use Microsoft Intune Endpoint Security to configure custom attack surfac
     > [!NOTE]
     > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
 
-10. Review your settings in the **Review + create** pane. Click **Create** to apply the rules.
+10. Review your settings in the **Review + create** pane. Select **Create** to apply the rules.
 
     > [!div class="mx-imgBorder"]
     > :::image type="content" source="media/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="media/asr-mem-review-create.png":::
 
 Your new attack surface reduction policy for attack surface reduction rules is listed in **Endpoint security | Attack surface reduction**.
 
-   > [!div class="mx-imgBorder"]
+> [!div class="mx-imgBorder"]
    > :::image type="content" source="media/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="media/asr-mem-my-asr-rules.png":::
 
 <a name='step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal'></a>
@@ -131,23 +133,23 @@ The **GroupBy** returns results set to the following groups:
 > [!NOTE]
 > When filtering by rule, the number of individual _detected_ items listed in the lower half of the report is currently limited to 200 rules. You can use **Export** to save the full list of detections to Excel.
 
-:::image type="content" source="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report search feature on the configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png":::
+:::image type="content" source="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the Azure Site Recovery rules report search feature on the configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png":::
 
 **Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected attack surface reduction rules:
 
 > [!div class="mx-imgBorder"]
 > :::image type="content" source="media/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="media/asr-defender365-filter.png":::
 
 > [!NOTE]
-> If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365  Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.
+> If you have a Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365  Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.
 
 ### Configuration tab
 
 Lists—on a per-computer basis—the aggregate state of attack surface reduction rules: Off, Audit, Block.
 
 >:::image type="content" source="media/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the attack surface reduction rules report main configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-configuration-tab.png":::
 
-On the Configurations tab, you can check, on a per-device basis, which attack surface reduction rules are enabled, and in which mode, by selecting the device for which you want to review attack surface reduction rules.
+On the Configurations tab, you can see which attack surface reduction rules are enabled and their mode for each device by selecting the device you want to review.
 
 >:::image type="content" source="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Screenshot that shows the ASR rules fly-out to add ASR rules to devices." lightbox="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png":::
 
@@ -167,31 +169,30 @@ The Endpoint Security | Attack surface reduction pane opens:
 > :::image type="content" source="media/asr-defender365-05b-mem3.png" alt-text="The Endpoint security Attack surface reduction pane" lightbox="media/asr-defender365-05b-mem3.png":::
 
 > [!NOTE]
-> If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365  Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.
+> If you have a Microsoft Defender 365 E5 (or Windows E5?) License, this link opens the Microsoft Defender 365  Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.
 
 ### Add exclusions
 
 This tab provides a method to select detected entities (for example, false positives) for exclusion. When exclusions are added, the report provides a summary of the expected impact.
 
 > [!NOTE]
-> Microsoft Defender Antivirus AV exclusions are honored by attack surface reduction rules.  See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
+> Attack surface reduction rules honor Microsoft Defender Antivirus (AV) exclusion. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
 
 > [!div class="mx-imgBorder"]
 > :::image type="content" source="media/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="media/asr-defender365-06d.png":::
 
 > [!NOTE]
-> If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365  Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
+> If you have a Microsoft Defender 365 E5 (or Windows E5?) License, this link will open the Microsoft Defender 365  Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
 
 For more information about using the attack surface reduction rules report, see [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md).
 
 ## Configure attack surface reduction per-rule exclusions
 
 Attack surface reduction rules now provide the capability to configure rule-specific exclusions, known as "Per Rule Exclusions."
 
-> [!NOTE]
-> Per-rule exclusions cannot currently be configured by using PowerShell or Group Policy.
+To configure specific rule exclusions, you have the choices of using the MDE Security Settings Management, Intune, and Group Policy.
 
-To configure specific rule exclusions:
+#### Via Intune:
 
 1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to **Home** > **Endpoint security** > **Attack surface reduction**.
 
@@ -208,9 +209,40 @@ To configure specific rule exclusions:
 > [!TIP]
 > Use the checkboxes next to your list of exclusion entries to select items to **Delete**, **Sort**, **Import**, or **Export**.
 
+### Via Group Policy
+
+
+
+Use Group Policy to set the per-user ASR rule exclusions
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+
+1. Right-click the Group Policy Object you want to configure, and then select **Edit**.
+
+1. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+1. Select **Administrative templates**.
+
+1. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Microsoft Defender Exploit Guard > Attack Surface Reduction**.
+
+1. Double-click **Apply a list of exclusions to specific attack surface reduction (ASR) rules**, and set the option to **Enabled**. 
+
+1. Then click on **Show...**
+
+1. Under "**Value Name**", enter "GUID for the ASR Rule" without the double quotes
+
+1. Under "**Value**", enter the <drive_letter:\Path\ProcessName>.  In order to add multiple processes, it's separated by a greater than sign (>)
+
+   e.g.,  "C:\Notepad.exe>c:\regedit.exe>C:\SomeFolder\test.exe" without the double quotes
+   
+1. select **OK**. This setting allows the processes that are being blocked by the particular ASR Rule to continue running.
+
+> [!NOTE]
+> "If policies aren't applying, review [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
+
 ### Use PowerShell as an alternative method to enable attack surface reduction rules
 
-You can use PowerShell - as an alternative to Intune - to enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. You can also get an idea of how often the rules fire during normal use.
+Use PowerShell, as an alternative to Intune, to enable attack surface reduction rules in audit mode. This allows you to view a record of apps that would have been blocked if the feature was fully enabled. You can also see how often the rules fire during normal use.
 
 To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet:
 
@@ -227,7 +259,7 @@ To enable all the added attack surface reduction rules in audit mode, use the fo
 ```
 
 > [!TIP]
-> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
+> If you want to fully audit how attack surface reduction rules work in your organization, you'll need to use a management tool to deploy this setting to devices in your network.
 
 You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.
 
@@ -255,4 +287,6 @@ Event ID | Description
 
 [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)
 
+[Troubleshoot attack surface reduction rules](/defender-endpoint/troubleshoot-asr)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]