Commit f9a5fc8

Merge pull request #2816 from MicrosoftDocs/main
Publish main to live, 02/18/25, 3:30 PM PT
2 parents 011efb1 + 02e65e1 commit f9a5fc8

35 files changed

+103
-49
lines changed

defender-endpoint/linux-exclusions.md

Lines changed: 48 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: linux
1717
search.appverid: met150
18-
ms.date: 01/31/2025
18+
ms.date: 02/18/2025
1919
---
2020

2121
# Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -52,7 +52,7 @@ Antivirus exclusions can be used to exclude trusted files and processes from rea
5252
5353
| Exclusion Category | Exclusion Scope | Description |
5454
| --- | --- | --- |
55-
| Antivirus Exclusion | Antivirus engine <br/>*(scope: epp)* | Excludes content from antivirus (AV) scans and on-demand scans.|
55+
| Antivirus Exclusion | Antivirus engine <br/>*(scope: epp)* | Excludes content from antivirus scans and on-demand scans.|
5656
| Global Exclusion | Antivirus and endpoint detections and response engine <br/>*(scope: global)* | Excludes events from real time protection and EDR visibility. Doesn't apply to on-demand scans by default. |
5757

5858
> [!IMPORTANT]
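Review bot: dropping the "(AV)" expansion from the Antivirus Exclusion row leaves the abbreviation unintroduced where this same change set uses it later in the file (the template name "Microsoft defender global exclusion (AV+EDR)" in the new security settings management section); either keep "antivirus (AV)" here or spell the abbreviation out there. In the unchanged Global Exclusion row, "real time protection" should be hyphenated as "real-time protection".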
@@ -63,12 +63,12 @@ Antivirus exclusions can be used to exclude trusted files and processes from rea
6363

6464
The following table shows the exclusion types supported by Defender for Endpoint on Linux.
6565

66-
Exclusion|Definition|Examples
67-
---|---|---
68-
File extension|All files with the extension, anywhere on the device (not available for global exclusions) |`.test`
69-
File|A specific file identified by the full path|`/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
70-
Folder|All files under the specified folder (recursively)|`/var/log/`<br/>`/var/*/`
71-
Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat`<br/>`cat`<br/>`c?t`
66+
|Exclusion|Definition|Examples|
67+
|---|---|---|
68+
|File extension|All files with the extension, anywhere on the device (not available for global exclusions) |`.test` |
69+
|File|A specific file identified by the full path|`/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log` |
70+
| Folder|All files under the specified folder (recursively)|`/var/log/`<br/>`/var/*/` |
71+
| Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat`<br/>`cat`<br/>`c?t` |
7272

7373
> [!IMPORTANT]
7474
> The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`.
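Review bot: the rebuilt table has inconsistent cell padding: the first cells of the last two rows carry a leading space (`| Folder|`, `| Process|`) while the first two do not (`|File|`), and the Examples cells end with a stray space before the closing pipe; align them so the rows match. The unchanged IMPORTANT note below is the security-relevant caveat of this section (a symbolic-link path is not excluded, only the resolved path is), so it is worth keeping the `file <path-name>` check directly after the table as it is now rather than moving it.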
@@ -89,6 +89,8 @@ Wildcard|Description|Examples|
8989
9090
## How to configure the list of exclusions
9191

92+
You can configure exclusions using a management console, Defender for Endpoint security settings management, or the command line.
93+
9294
### Using the management console
9395

9496
To configure exclusions from Puppet, Ansible, or another management console, please refer to the following sample `mdatp_managed.json`.
@@ -140,6 +142,43 @@ To configure exclusions from Puppet, Ansible, or another management console, ple
140142

141143
For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
142144

145+
### Using Defender for Endpoint security settings management
146+
147+
As a security administrator, you can configure Defender for Endpoint exclusions using the Microsoft Defender portal. This method is referred to as Defender for Endpoint security settings management. If you're using this method for the first time, make sure to complete the following procedures:
148+
149+
#### 1. Configure your tenant to support security settings management
150+
151+
1. In the [Microsoft Defender portal](https://security.microsoft.com), navigate to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**, and then select the Linux platform.
152+
153+
2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that are not enrolled with Intune](/mem/intune/protect/mde-security-integration).
154+
155+
#### 2. Create a Microsoft Entra group
156+
157+
Create a dynamic Microsoft Entra group that uses the operating system type to ensure that all devices onboarded to Defender for Endpoint receive policies. Using a dynamic group allows devices managed by Defender for Endpoint to be automatically added to the group, eliminating the need for admins to create new policies manually. For more information, see the following articles:
158+
159+
- [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups)
160+
- [Microsoft Entra groups overview](/entra/fundamentals/concept-learn-about-groups)
161+
162+
#### 3. Create an endpoint security policy
163+
164+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new Policy**.
165+
166+
2. For Platform, select **Linux**.
167+
168+
3. Select the required exclusion template (**Microsoft defender global exclusion (AV+EDR) for global exclusions and Microsoft defender antivirus exclusions for antivirus exclusions**), and then select **Create policy**.
169+
170+
4. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
171+
172+
5. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.
173+
174+
6. When you're done configuring settings, select **Next**.
175+
176+
7. On the **Assignments** page, select the groups that will receive this profile. Then select **Next**.
177+
178+
8. On the **Review + create** page, when you're done, select **Save**. The new profile is displayed in the list when you select the policy type for the profile you created.
179+
180+
For more information refer: [Manage endpoint security policies in Microsoft Defender for Endpoint](/defender-endpoint/manage-security-policies#create-an-endpoint-security-policy).
181+
143182
### Using the command line
144183

145184
Run the following command to see the available switches for managing exclusions:
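Review bot: in step 3 of "Create an endpoint security policy" the bold span swallows the explanatory text, so "for global exclusions and ... for antivirus exclusions" renders as part of the template name, and "Microsoft defender" needs a capital D; suggest `(**Microsoft Defender global exclusion (AV+EDR)** for global exclusions and **Microsoft Defender antivirus exclusions** for antivirus exclusions)`. Two smaller points in the same section: the two portal paths disagree (`**Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**` in the tenant procedure versus `**Endpoints** > **Configuration management** > **Endpoint security policies**` in the policy procedure, which drops **Settings** and changes the capitalization), and the closing line "For more information refer:" should read "For more information, see". Because the global (AV+EDR) template removes events from EDR visibility as well as from antivirus, per the scope table earlier in this file, step 3 would benefit from one sentence pointing readers back to that table before they pick a template.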
@@ -157,7 +196,7 @@ mdatp exclusion
157196
158197
Examples:
159198

160-
- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)* :
199+
- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)*:
161200

162201
```bash
163202
mdatp exclusion extension add --name .txt

defender-endpoint/mac-whatsnew.md

Lines changed: 13 additions & 0 deletions
@@ -64,6 +64,19 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
6464

6565
Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
6666

67+
### Feb-2025 (Build: 101.24122.0011 | Release version: 20.124122.11.0)
68+
69+
| Build: | **101.24122.0011** |
70+
|--------------------|-----------------------|
71+
| Release version: | **20.124122.11.0** |
72+
| Engine version: | **1.1.24080.11** |
73+
| Signature version: | **1.419.351.0** |
74+
75+
##### What's new
76+
77+
- Fixed an issue with the auth prompt during new installation on macOS with multiple active users
78+
- Improved stability when using the antivirus engine in passive mode
79+
6780
### Jan-2025 (Build: 101.24122.0005 | Release version: 20.124122.5.0)
6881

6982
| Build: | **101.24122.0005** |
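Review bot: the new "What's new" heading is `#####` directly under a `###` release heading, skipping the `####` level; use `####` (or whatever level the Jan-2025 section below uses) so the document outline stays well-formed. The version table itself is consistent with the heading (build 101.24122.0011, release 20.124122.11.0).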

defender-endpoint/web-content-filtering.md

Lines changed: 8 additions & 7 deletions
@@ -4,9 +4,9 @@ description: Use web content filtering in Microsoft Defender for Endpoint to tra
44
ms.service: defender-endpoint
55
ms.author: deniseb
66
author: denisebmsft
7-
ms.reviewer: tdoucett
7+
ms.reviewer: ericlaw
88
ms.localizationpriority: medium
9-
ms.date: 02/10/2025
9+
ms.date: 02/18/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -59,7 +59,7 @@ Before trying out this feature, make sure you meet the requirements described in
5959
| Requirement | Description |
6060
|:---|:---|
6161
| Subscription | Your subscription must include one of the following plans:<br/>- [Windows 10/11 Enterprise E5](/windows/deployment/deploy-enterprise-licenses)<br/>- [Microsoft 365 E5](https://www.microsoft.com/microsoft-365/enterprise/e5?activetab=pivot%3aoverviewtab)<br/>- Microsoft 365 A5<br/>- Microsoft 365 E5 Security<br/>- [Microsoft 365 E3](https://www.microsoft.com/microsoft-365/enterprise/e3?activetab=pivot%3aoverviewtab)<br/>- [Microsoft Defender for Endpoint Plan 1 or Plan 2](/defender-xdr/eval-defender-endpoint-overview)<br/>- [Microsoft Defender for Business](/defender-business/mdb-overview)<br/>- [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium)|
62-
| Portal access | You must have access to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>. |
62+
| Portal access | You must have access to the [Microsoft Defender portal](https://security.microsoft.com). |
6363
| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](microsoft-defender-antivirus-updates.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later <br/>- For information on macOS availability, see [Network Protection for macOS](network-protection-macos.md)<br/>- For information on Linux availability, see [Network Protection for Linux](network-protection-linux.md)|
6464
| Browser | Your organization's devices must be running one of the following browsers: <br/>- Microsoft Edge<br/>- Google Chrome<br/>- Mozilla FireFox<br/>- Brave<br/>- Opera<br/>- Internet Explorer|
6565
| Related protection | [Windows Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) and [network protection](network-protection.md) must be enabled on your organization's devices. |
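Review bot: the Portal access change is fine; while this table is being touched, the unchanged Browser row spells "Mozilla FireFox" with a capital X mid-word, which should be "Mozilla Firefox".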
@@ -81,7 +81,7 @@ The result is that categories 1-4 are all blocked, as illustrated in the followi
8181

8282
## Turn on web content filtering
8383

84-
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> and sign in.
84+
1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.
8585

8686
2. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced Features**.
8787

@@ -110,7 +110,7 @@ Policies can be deployed to block any of the following parent or child categorie
110110

111111
To add a new policy, follow these steps:
112112

113-
1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, choose **Settings** > **Endpoints** > **Web content filtering** > **+ Add policy**.
113+
1. In the [Microsoft Defender portal](https://security.microsoft.com), choose **Settings** > **Endpoints** > **Web content filtering** > **+ Add policy**.
114114

115115
2. Specify a name.
116116

@@ -143,7 +143,7 @@ It's possible to override the blocked category in web content filtering to allow
143143

144144
To define a custom indicator, follow these steps:
145145

146-
1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, go to **Settings** \> **Endpoints** \> **Indicators** \> **URL/Domain** \> **Add Item**.
146+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** \> **Endpoints** \> **Indicators** \> **URL/Domain** \> **Add Item**.
147147

148148
2. Enter the domain of the site.
149149

@@ -189,7 +189,7 @@ You can access the **Report details** for each card by selecting a table row or
189189

190190
- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
191191

192-
- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
192+
- **Domains**: Lists the web domains that have been accessed or blocked in your organization.
193193

194194
- **Device groups**: Lists all the device groups that have generated web activity in your organization
195195

@@ -208,4 +208,5 @@ If you are using Microsoft 365 Business Premium or Microsoft Defender for Busine
208208
- [Monitor web security](web-protection-monitoring.md)
209209
- [Respond to web threats](web-protection-response.md)
210210
- [Requirements for Network Protection](web-content-filtering.md)
211+
211212
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
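Review bot: the Related articles item `[Requirements for Network Protection](web-content-filtering.md)` links to this same file (defender-endpoint/web-content-filtering.md), so the reader lands back on the page they are reading; it should point at the network protection requirements article (network-protection.md is already linked from the Related protection row above). The added blank line before the INCLUDE is correct.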

defender-office-365/submissions-outlook-report-messages.md

Lines changed: 3 additions & 2 deletions
@@ -14,7 +14,7 @@ ms.collection:
1414
description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
1515
ms.service: defender-office-365
1616
search.appverid: met150
17-
ms.date: 02/12/2025
17+
ms.date: 02/18/2025
1818
appliesto:
1919
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2020
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -47,7 +47,8 @@ Admins configure user reported messages to go to a specified reporting mailbox,
4747
- **Semi-Annual Channel (Preview)**: Release 2502, build 16.0.18526.20024 or later.
4848
- **Semi-Annual Channel**: Release 2502, build 16.0.18526.20024 or later.
4949
- Outlook for Mac version 16.89 (24090815) or later.
50-
- Outlook for iOS and Android version 4.2446 or later.
50+
- Outlook for iOS version 4.2508 or later.
51+
- Outlook for Android version 4.2446 or later.
5152
- The new Outlook for Windows.
5253
- Outlook on the web.
5354

defender-xdr/automatic-attack-disruption.md

Lines changed: 5 additions & 5 deletions
@@ -68,7 +68,7 @@ Automatic attack disruption uses Microsoft-based XDR response actions. Examples
6868
- [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution. The disable user action behaves differently depending on how the user is hosted in your environment.
6969
- When the user account is hosted in Active Directory: Defender for Identity triggers the disable user action on domain controllers running the Defender for Identity agent.
7070
- When the user account is hosted in Active Directory and is synced on Microsoft Entra ID: Defender for Identity triggers the disable user action via onboarded domain controllers. Attack disruption also disables the user account on the Entra ID synced account.
71-
- When the user account is hosted in Entra ID only (cloud native account): attack disruption disable the user account on the Entra ID synced account.
71+
- When the user account is hosted in Entra ID only (cloud native account): attack disruption disables the user account on the Entra ID synced account.
7272

7373
> [!NOTE]
7474
> Disabling the user account in Microsoft Entra ID is not dependent on the deployment of Microsoft Defender for Identity.
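Review bot: the verb fix is right, but the sentence still says a cloud-native account is disabled "on the Entra ID synced account", which contradicts "hosted in Entra ID only"; suggest "attack disruption disables the user account in Microsoft Entra ID." The NOTE below already states that this path does not depend on Defender for Identity, so no further change is needed there.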
@@ -79,18 +79,18 @@ For more information, see [remediation actions](m365d-remediation-actions.md) in
7979

8080
### Automated response actions for SAP with Microsoft Sentinel
8181

82-
If you're using the [unified security operations platform](/unified-secops-platform/microsoft-sentinel-onboard) and you deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP.
82+
If you [onboarded Microsoft Sentinel to the Defender portal](microsoft-sentinel-onboard.md) and deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP.
8383

84-
For example, deploy attack disruption for SAP to contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.
84+
For example, deploy attack disruption for SAP to contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.
8585

86-
After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption.
86+
After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption.
8787

8888
To use attack disruption for SAP, deploy a new data connector agent, or make sure that your agent is using version 90847355 or higher, and then assign and apply the required Azure and SAP roles. For more information, see:
8989

9090
- [Deploy and configure the container hosting the SAP data connector agent](/azure/sentinel/sap/deploy-data-connector-agent-container)
9191
- [Update Microsoft Sentinel's SAP data connector agent](/azure/sentinel/sap/update-sap-data-connector), especially [Update your system for automatic attack disruption](/azure/sentinel/sap/update-sap-data-connector#update-your-data-connector-agent-for-attack-disruption).
9292

93-
While you configure attack disruption in the Azure portal and your SAP system, automatic attack disruption itself surfaces only in the unified security operations platform in the Microsoft Defender portal.
93+
While you configure attack disruption in the Azure portal and your SAP system, automatic attack disruption itself surfaces only in the Microsoft Defender portal.
9494

9595
## Identify when an attack disruption happens in your environment
9696

defender-xdr/data-privacy.md

Lines changed: 1 addition & 1 deletion
@@ -56,7 +56,7 @@ Customer data stored by integrated services might also be stored in the followin
5656

5757
Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in **Advanced hunting** queries.
5858

59-
In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft's unified security operations platform with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
59+
In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft Sentinel with Microsoft's unified security operations platform](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
6060

6161
Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
6262
