Merge pull request #2407 from MicrosoftDocs/main

Published main to live, Friday 10:30 AM PST, 01/10

Author: padmagit77

defender-endpoint/TOC.yml

@@ -511,8 +511,8 @@
           href: troubleshoot-collect-support-log.md
         - name: Troubleshoot Microsoft Defender Antivirus settings
           href: troubleshoot-settings.md
-        - name: Troubleshoot Microsoft Defender Antivirus service startup problems
-          href: troubleshoot-service-startup-problems.md
+        - name: Troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated
+          href: troubleshoot-security-intelligence-not-updated.md 
         - name: Troubleshooting Security Intelligence Updates from Microsoft Update source
           href: security-intelligence-update-tshoot.md
           displayName: Troubleshooting Security Intelligence Updates from Microsoft Update source

defender-endpoint/live-response.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 04/03/2024
+ms.date: 01/10/2025
 ---
 
 # Investigate entities on devices using live response
@@ -229,9 +229,9 @@ Here are some examples:
 
 Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
 
-Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
+Live response allows PowerShell and Bash scripts to run; however, you must first put the files into the library before you can run them.
 
-You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
+You can have a collection of PowerShell and Bash scripts that can run on devices that you initiate live response sessions with.
 
 #### To upload a file in the library
 
@@ -311,7 +311,7 @@ Live response supports table and JSON format output types. For each command, the
 
 ## Supported output pipes
 
-Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
+Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: `[command] > [filename].txt`.
 
 Example:
 

defender-endpoint/media/protection-definition-update-failed.png

@@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 10/17/2024
+ms.date: 01/10/2025
 ms.topic: conceptual
 author: emmwalshh
 ms.author: ewalsh
@@ -132,6 +132,12 @@ In order for Microsoft Defender Antivirus to run in passive mode, endpoints must
 
 - Endpoints must be onboarded to Defender for Endpoint. 
 
+- Windows Security Center Service must be enabled.
+
+> [!WARNING]
+> If the **Windows Security Center Service** is *disabled* on Windows Clients then Microsoft Defender Antivirus can't detect third-party antivirus installations and will stay **Active**.
+> This could lead to conflicts between the Microsoft Defender Antivirus and the third-party Antivirus, as both will attempt to provide active protection. This will impact performance and is not supported.
+
 > [!IMPORTANT]
 > - Microsoft Defender Antivirus is only available on devices running Windows 10 and 11, Windows Server 2022, Windows Server 2016, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, and Windows Server 2012 R2.
 > - Passive mode is only supported on Windows Server 2012 R2 & 2016 when the device is onboarded using the [modern, unified solution](configure-server-endpoints.md). 

defender-endpoint/media/signature-update-failed.png

@@ -7,7 +7,7 @@ ms.reviewer: yonghree
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: troubleshooting-general
-ms.date: 01/06/2025
+ms.date: 01/10/2025
 ms.subservice: ngp
 ms.localizationpriority: medium 
 ms.collection: 
@@ -21,6 +21,12 @@ ai-usage: human-only
 
 # Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor
 
+> [!TIP]
+> First, review common reasons for performance issues, such as high CPU usage. See **[Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)**.
+> Then, run the **[Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus)**This tool will help identify the cause of high CPU usage in Microsoft Defender Antivirus, whether it's the Antimalware Service Executable, the Microsoft Defender Antivirus service, or MsMpEng.exe.
+>If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of the high CPU utilization, proceed with running **[Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)**.
+>The final tool in your toolkit to run is [Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line)](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui).
+
 ## Capture process logs using Process Monitor
 
 Process Monitor (ProcMon) is an advanced monitoring tool that provides real-time data on processes. It can be used to capture performance issues, such as high CPU usage, and to monitor application compatibility scenarios as they occur.
@@ -33,9 +39,9 @@ There are two ways to capture a Process Monitor (ProcMon) trace:
 
 ### Using the MDE Client Analyzer
 
-1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
+1. Download the [MDE Client Analyzer](/defender-endpoint/download-client-analyzer).
 
-1. Run the MDE Client Analyzer using [Live Response or locally ](/defender-endpoint/run-analyzer-windows).
+1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
 
    > [!TIP]
    > Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
@@ -50,84 +56,70 @@ There are two ways to capture a Process Monitor (ProcMon) trace:
 
 1. Download [Process Monitor v3.89](/sysinternals/downloads/procmon) to a folder like `C:\temp`.
 
-1. To remove the file's mark of the web:
+2. To remove the file's mark of the web:
 
    1. Right-click **ProcessMonitor.zip** and select **Properties**.
-      
+
    1. Under the *General* tab, look for *Security*.
-      
+
    1. Check the box beside **Unblock**.
-      
+
    1. Select **Apply**.
-      
+
       ![Screenshot showing the Remove MOTW page.](media/procmon-motw.png)
 
-1. Unzip the file in `C:\temp` so that the folder path is `C:\temp\ProcessMonitor`.
+3. Unzip the file in `C:\temp` so that the folder path is `C:\temp\ProcessMonitor`.
 
-1. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
+4. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
 
-   > [!TIP] 
+   > [!TIP]
    > Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Taking this step helps to minimize the number of processes to check.
 
-1. You can launch ProcMon in two ways.
+5. You can launch ProcMon in two ways.
 
    1. Right-click **ProcMon.exe** and select **Run as administrator**.
-      
-      Since logging starts automatically, stop the capture by selecting the magnifying glass icon or pressing  **Ctrl+E**.
-      
+
+    - Since logging starts automatically, stop the capture by selecting the magnifying glass icon or pressing  **Ctrl+E**.
+
       ![Screenshot showing the magnifying glass icon.](media/procmon-magglass.png)
-      
-      To confirm the capture has stopped, look for a red X on the magnifying glass icon.
-      
+
+   2. To confirm the capture has stopped, look for a red X on the magnifying glass icon.
+
       ![Screenshot showing a red slash.](media/procmon-magglass-stop.png)
-      
-      Next, to clear the earlier capture, select the eraser icon.
-      
-      ![Screenshot showing the clear icon](media/procmon-eraser-clear.png)
-      
-      Or use the keyboard shortcut **Ctrl+X**.
-      
-   1. Run the **command line** as admin, then from the Process Monitor path, run:
-      
+      ![Screenshot showing the clear icon.](media/procmon-eraser-clear.png)
+
+   3. Run the **command line** as admin, then from the Process Monitor path, run:
+
       ![Screenshot showing the cmd procmon.](media/cmd-procmon.png)
-      
-      ConsoleEdit development language
-      
-      
-      ```
-       Procmon.exe /AcceptEula /Noconnect /Profiling
-      ```
-      
+
      > [!TIP]
      > Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace.
-      
-      ![Screenshot showing the page with Procmon minimized.](media/procmon-minimize.png)
-      
-1. After completing step 6, set filters by selecting **OK**. You can filter the results after the capture is complete.
+     > ![Screenshot showing the page with Procmon minimized.](media/procmon-minimize.png)
+
+6. After completing step 6, set filters by selecting **OK**. You can filter the results after the capture is complete.
 
    ![Screenshot showing the page where System Exclude is chosen as the Filter out Process Name.](media/procmon-filter-options.png)
 
-1. To start the capture, select the magnifying glass icon again.
+7. To start the capture, select the magnifying glass icon again.
 
-1. Reproduce the problem.
+8. Reproduce the problem.
 
-   > [!TIP] 
+   > [!TIP]
    > Wait for the problem to be reproduced, then note the timestamp when the trace begins.
 
-1. After capturing two to four minutes of process activity during high CPU usage, stop the capture by clicking the magnifying glass icon.
+9. After capturing two to four minutes of process activity during high CPU usage, stop the capture by clicking the magnifying glass icon.
 
-1. To save the capture with a unique name in the `.pml` format, go to **File** then click **Save...**. Ensure you select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
+10. To save the capture with a unique name in the `.pml` format, go to **File** then click **Save...**. Ensure you select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
 
-   ![Screenshot showing the save settings page](media/procmon-savesettings1.png)
+    ![Screenshot showing the save settings page.](media/procmon-savesettings1.png)
 
-1. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where:
+11. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where:
 
    - `%ComputerName%` is the device name
    - `MMDDYEAR` is the month, day, and year
    - `Repro_of_issue` is the name of the issue you're trying to reproduce
-    
-   > [!TIP] 
-   > If you have a working system, you might want to get a sample log to compare.
 
-1. Zip the `.pml` file and submit it to Microsoft Support.
+> [!TIP]
+> If you have a working system, you might want to get a sample log to compare.
 
+12. Zip the `.pml` file and submit it to Microsoft Support.

defender-endpoint/microsoft-defender-antivirus-compatibility.md

@@ -0,0 +1,75 @@
+---
+title: Troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated
+description: Learn how to troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated.
+author: emmwalshh
+ms.author: ewalsh
+manager: ewalsh 
+ms.date: 01/10/2025
+ms.topic: troubleshooting
+ms.service: defender-endpoint
+ms.subservice: ngp
+ms.localizationpriority: medium 
+ms.collection: # Useful for querying on a set of strategic or high-priority content.
+ms.custom: 
+- partner-contribution
+ms.reviewer: ewalsh
+search.appverid: MET150
+f1.keywords: NOCSH
+audience: ITPro
+---
+
+# Troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated
+
+**Applies to:**
+
+- [Microsoft Defender XDR](/defender-xdr)
+- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
+- Microsoft Defender Antivirus
+
+## Symptom
+
+When you update Microsoft Defender Antivirus security intelligence, you might see the error **Protection definition update failed**.
+
+:::image type="content" source="media/protection-definition-update-failed.png" alt-text="Screenshot of Protection definition update failed.":::
+
+These error codes might also appear:
+
+- 0x8024402c 
+- 0x80240022 
+- 0X80004002 
+- 0x80070422 
+- 0x80072efd 
+- 0x80070005 
+- 0x80072f78 
+- 0x80072ee2 
+- 0x8007001B 
+
+The following screenshot shows the error **Signature Update failed**.
+
+:::image type="content" source="media/signature-update-failed.png" alt-text="Screenshot showing signature update failed." lightbox="media/signature-update-failed.png":::
+
+## Solution
+
+1. Check the URLs required for the Security intelligence updates. You can get them via the firewall and/or proxy. See [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
+
+1. Ensure that Microsoft Defender Antivirus (MDAV) is your primary antivirus. If you have a third-party antivirus that uses the Windows Security Center (WSC) API, it will disable MDAV. When MDAV is disabled, updates can't occur.
+
+1. Given that MDAV is the primary antivirus and the services are running:
+
+    1. Check if updating Security Intelligence works when you manually download from [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware?](https://www.microsoft.com/wdsi/defenderupdates)
+
+    1. If so, try updating through the Microsoft Malware Protection Center (MMPC).
+
+       Run the following PowerShell command as an administrator.
+
+       ```powershell
+          & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC
+       ```
+
+    1. If this command works, the issue might be that the Security intelligence  [Fallback order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order) is set to a WSUS server without **Security intelligence** approved updates. Alternatively, the UNC share might be stale, or the Windows Update service might have issues.
+
+        1. To check the WSUS server that the machine goes to, review `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer (REG_SZ)`. Once you find the WUServer, check if that WSUS server has the MDAV security intelligence [(KB2267602 for MDAV and KB2461484 for SCEP)](microsoft-defender-antivirus-updates.md#security-intelligence-updates) approved.
+        1. To check the UNC share, review [Manage how and where Microsoft Defender Antivirus receives updates](manage-protection-updates-microsoft-defender-antivirus.md#create-a-unc-share-for-security-intelligence-and-platform-updates).
+        1. To check the status of the Windows Update service, review [Guidance for troubleshooting Windows Update issues](/troubleshoot/windows-client/installing-updates-features-roles/troubleshoot-windows-update-issues) and [Troubleshoot problems updating Windows](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c).

defender-endpoint/run-analyzer-macos-linux.md

@@ -8,7 +8,7 @@ ms.author: chrisda
 author: chrisda
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 12/17/2024
+ms.date: 01/10/2025
 audience: ITPro
 ms.collection:
   - m365-security
@@ -39,6 +39,10 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 
+## January 2025
+
+- [Use the built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook): The built-in **Report** button in Outlook for iOS and Android version 4.2446 or later now supports the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) experience to report messages as Phishing, Junk, and Not Junk.
+
 ## December 2024
 
  - [Considerations for integrating non-Microsoft security services with Microsoft 365](mdo-integrate-security-service.md): Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services.

defender-endpoint/troubleshoot-av-performance-issues-with-procmon.md

@@ -17,7 +17,7 @@ ms.custom:
 description: Admins can learn how the order of protection settings and the priority order of security policies affect the application of security policies in Microsoft 365.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 09/16/2024
+ms.date: 01/10/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -186,8 +186,8 @@ Tenant allows and blocks are able to override some filtering stack verdicts as d
   |Not spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
 
 - [Allow entries in the Tenant Allow/Block List](tenant-allow-block-list-about.md#allow-entries-in-the-tenant-allowblock-list): There are two types of allow entries:
-  - Message level allow entries act on the entire message, regardless of the entities in the message. Allow entries for email address and domains are message level allow entries. 
-  - Entity level allow entries act on the filtering verdict of entities. Allow entries for URLs, spoofed senders, and files are entity level allow entries. To override malware and high confidence phishing verdicts, you need to use entity level allow entries, which you can create by submission only due to [Secure by default in Microsoft 365](secure-by-default.md).
+  - **Message level** allow entries act on the entire message, regardless of the entities in the message. Allow entries for email address and domains are message level allow entries. These allow entries override bulk and spam verdicts, and high confidence phishing verdicts from machine learning models.
+  - **Entity level** allow entries act on the filtering verdict of entities. Allow entries for URLs, spoofed senders, and files are entity level allow entries. To override malware and high confidence phishing verdicts, you need to use entity level allow entries, which you can create by submission only due to [Secure by default in Microsoft 365](secure-by-default.md).
 
   |Filtering stack verdict|Email address/domain|
   |---|---|