Merge pull request #2409 from MicrosoftDocs/main
Publish main to live, 01/10/25, 3:30 PM PT
Ruchika-mittal01 authored Jan 10, 2025
2 parents f73e250 + 381015a commit 260fd19
Showing 43 changed files with 871 additions and 350 deletions.
4 changes: 2 additions & 2 deletions defender-endpoint/attack-surface-reduction.md
Expand Up @@ -16,7 +16,7 @@ ms.collection:
- tier2
- mde-asr
search.appverid: met150
ms.date: 05/02/2024
ms.date: 01/10/2025
---

# Attack surface reduction rules overview
Expand Down Expand Up @@ -79,7 +79,7 @@ For information about configuring per-rule exclusions, see the section titled **

## Warn mode for users

(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
Whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
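Review bot: removing the lead sentence of the warn-mode paragraph also removes the only statement on this page that an enabled rule can be set to audit mode or block mode, so the "Warn mode for users" section now describes the dialog without positioning warn mode against the other two modes. Suggest opening the rewritten paragraph with a short framing sentence such as "In addition to audit mode and block mode, an enabled rule can be set to warn mode." The 24-hour unblock window should stay exactly as written; it is the detail an admin needs to understand how long a user-initiated exception persists before blocking resumes.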

46 changes: 23 additions & 23 deletions defender-endpoint/microsoft-defender-endpoint-linux.md
Expand Up @@ -15,7 +15,7 @@ ms.collection:
ms.topic: conceptual
ms.subservice: linux
search.appverid: met150
ms.date: 01/07/2025
ms.date: 01/10/2025
---

# Microsoft Defender for Endpoint on Linux
Expand Down Expand Up @@ -45,7 +45,7 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det

> [!NOTE]
> Linux distribution using system manager supports both SystemV and Upstart.
> Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent).
> Microsoft Defender for Endpoint on Linux agent is independent from [Operation Management Suite (OMS) agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent).
> Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
### System requirements
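Review bot: the expanded acronym on the added line should read "Operations Management Suite (OMS)", not "Operation Management Suite"; that is the product name. The note block also still runs straight into "### System requirements" with no blank line after the last ">" line, so the heading is rendered as part of the blockquote by some Markdown renderers; add a blank line after the final quoted line.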
Expand Down Expand Up @@ -106,30 +106,30 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
- List of supported filesystems for RTP, Quick, Full, and Custom Scan.

|RTP, Quick, Full Scan| Custom Scan|
|---|---|
|`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
|`ecryptfs`|`Efs`|
|`ext2`|`S3fs`|
|`ext3`|`Blobfuse`|
|`ext4`|`Lustr`|
|`fuse`|`glustrefs`|
|`fuseblk`|`Afs`|
|`jfs`|`sshfs`|
|`nfs` (v3 only)|`cifs`|
|`overlay`|`smb`|
|`ramfs`|`gcsfuse`|
|`reiserfs`|`sysfs`|
|`tmpfs`||
|`udf`||
|`vfat`||
|`xfs`||
|RTP, Quick, Full Scan| Custom Scan|
|---|---|
|`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
|`ecryptfs`|`Efs`|
|`ext2`|`S3fs`|
|`ext3`|`Blobfuse`|
|`ext4`|`Lustr`|
|`fuse`|`glustrefs`|
|`fuseblk`|`Afs`|
|`jfs`|`sshfs`|
|`nfs` (v3 only)|`cifs`|
|`overlay`|`smb`|
|`ramfs`|`gcsfuse`|
|`reiserfs`|`sysfs`|
|`tmpfs`||
|`udf`||
|`vfat`||
|`xfs`||

> [!NOTE]
> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient extended Berkeley Packet Filter (eBPF) technology.
> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, then Audit framework (`auditd`) must be enabled on your system.
> If you're using Auditd, then system events captured by rules added to `/etc/audit/rules.d/` adds to `audit.log`(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux are tagged with the `mdatp` key.
- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md).

### Installation instructions
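Review bot: the filesystem table shows no visible difference between the removed and added copies, so that part of the hunk is presumably a whitespace or line-ending change; worth confirming it is intended, since it adds 32 lines of noise to the diff. While the table is being touched, the Custom Scan column mixes capitalised and lowercase names (`Efs`, `S3fs`, `Blobfuse`, `Afs` next to `sshfs`, `cifs`, `gcsfuse`), and `Lustr` and `glustrefs` look like typos for `lustre` and `glusterfs`; filesystem type names are case-sensitive identifiers and should be lowercase throughout. In the auditd note, "system events captured by rules added to `/etc/audit/rules.d/` adds to `audit.log`(s)" should read "are added to", and a blank line is needed between the last quoted line and the `/opt/microsoft/mdatp/sbin/wdavdaemon` list item, which otherwise renders inside the blockquote.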
14 changes: 7 additions & 7 deletions defender-endpoint/minimum-requirements.md
Expand Up @@ -6,7 +6,7 @@ ms.author: deniseb
author: denisebmsft
ms.reviewer: pahuijbr
ms.localizationpriority: medium
ms.date: 01/06/2025
ms.date: 01/10/2025
manager: deniseb
audience: ITPro
ms.collection:
Expand Down Expand Up @@ -85,7 +85,7 @@ Supported versions of Windows include:
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows server
- Windows Server
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803 or later
Expand Down Expand Up @@ -130,23 +130,23 @@ To add anti-malware protection to these older operating systems, you can use [Sy

The minimum hardware requirements for Defender for Endpoint on Windows devices are the same as the requirements for the operating system itself (that is, they aren't in addition to the requirements for the operating system).

- Cores: Two minimum, four preferred
- Memory: One GB minimum, four preferred
- Cores: 2 minimum, 4 preferred

- Memory: 1GB minimum, 4 GB preferred

### Network and data storage and configuration requirements

When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.

> [!NOTE]
>
> - You can't change your data storage location after the first-time setup.
> - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
#### IP stack

IPv4 (Internet Protocol Version 4) stack must be enabled on devices for communication to the Defender for Endpoint cloud service to work as expected.
Internet Protocol Version 4 (IPv4) stack must be enabled on devices for communication to the Defender for Endpoint cloud service to work as expected.

Alternatively, if you must use an IPv6-only configuration, consider adding dynamic IPv6/IPv4 transitional mechanisms, such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any other network reconfiguration.
Alternatively, if you must use an Internet Protocol Version 6 (IPv6) only configuration, consider adding dynamic IPv6/IPv4 transitional mechanisms, such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any other network reconfiguration.

#### Internet connectivity
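Review bot: "1GB minimum, 4 GB preferred" on the added memory line is inconsistent; use "1 GB" with a space to match "4 GB". The blank line inserted between the Cores and Memory bullets splits what was one list into two lists, so drop it. The note block under "Network and data storage and configuration requirements" runs straight into "#### IP stack" with no blank line after the last ">" line, which renders the heading inside the blockquote. In the IPv6 sentence, "such as DNS64/NAT64 to ensure" needs a comma after "NAT64".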

16 changes: 7 additions & 9 deletions defender-endpoint/troubleshoot-asr.md
Expand Up @@ -6,7 +6,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 11/05/2024
ms.date: 01/10/2025
ms.reviewer:
manager: deniseb
ms.custom: asr
Expand All @@ -25,11 +25,9 @@ search.appverid: met150


**Applies to:**
- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
- [Microsoft Defender XDR](/defender-xdr)

> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink)
- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md)
- [Microsoft Defender XDR](/defender-xdr)

When you use [attack surface reduction rules](attack-surface-reduction.md) you might run into issues, such as:
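Review bot: besides merging the two Plan bullets into "Plan 1 and 2", this hunk removes the "> Want to experience Defender for Endpoint?" trial callout, and the commit message ("Publish main to live") does not say whether that removal was intended; confirm it, or restore the line. There are also two consecutive blank lines above "**Applies to:**"; collapse them to one.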

Expand Down Expand Up @@ -72,7 +70,7 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct

3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to `Enabled`.

If a rule isn't blocking a file or process that you're expecting it should block, first check to see if audit mode is enabled. Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.
If a rule isn't blocking a file or process that you're expecting it should block, first check to see if audit mode is enabled. Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.

If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
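Review bot: the replaced paragraph ("If a rule isn't blocking a file or process...") is identical in the removed and added copies, so the change is invisible, most likely trailing whitespace; fine to merge, but confirm it is not an accidental edit.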

Expand All @@ -86,16 +84,16 @@ If the attack surface reduction rule is blocking something that it shouldn't blo
To add an exclusion, see [Customize attack surface reduction](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules).

> [!IMPORTANT]
> You can specify individual files and folders to be excluded, but you cannot specify individual rules.
> This means any files or folders that are excluded will be excluded from all ASR rules.
> You can specify individual files and folders to be excluded, but you can't specify individual rules.
> This means any files or folders that are excluded are excluded from all ASR rules.
## Report a false positive or false negative

Use the [Microsoft Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/support/report-exploit-guard) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).

## Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues.

1. Open Command Prompt as an administrator and open the Windows Defender directory:
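Review bot: the sentence under "Report a false positive or false negative" tells the reader to report "for network protection", but this page and the heading are about attack surface reduction rules; it appears to be a leftover and should say "for attack surface reduction rules" (please confirm against the submission form). A blank line is also missing between the last ">" line of the IMPORTANT block and "## Report a false positive or false negative". The wording change in the IMPORTANT block ("cannot" to "can't", "will be excluded" to "are excluded") is fine; its substantive point, that a file or folder exclusion applies to all ASR rules rather than to a single rule, is the caveat admins need and should stay.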

2 changes: 1 addition & 1 deletion defender-office-365/TOC.yml
Expand Up @@ -444,7 +444,7 @@
items:
- name: AIR overview
href: air-about.md
- name: How automated investigation and response works
- name: AIR examples
href: air-examples.md
- name: Review and approve (or reject) pending actions
href: air-review-approve-pending-completed-actions.md
4 changes: 2 additions & 2 deletions defender-office-365/address-compromised-users-quickly.md
Expand Up @@ -47,7 +47,7 @@ When a user account is compromised, alerts are triggered. And in some cases, tha
- [View details about automated investigations](#view-details-about-automated-investigations)

> [!IMPORTANT]
> You must have appropriate permissions to perform the following tasks. See [Required permissions to use AIR capabilities](air-about.md#required-permissions-to-use-air-capabilities).
> You must have appropriate permissions to perform the following tasks. For more information, see [Required permissions to use AIR capabilities](air-about.md#required-permissions-and-licensing-for-air).
Watch this short video to learn how you can detect and respond to user compromise in Microsoft Defender for Office 365 using Automated Investigation and Response (AIR) and compromised user alerts.
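Review bot: the anchor is changed from #required-permissions-to-use-air-capabilities to #required-permissions-and-licensing-for-air; confirm the matching heading in air-about.md is renamed in this same publish so the link does not break. A blank line is also missing between the IMPORTANT block and "Watch this short video...", which otherwise renders inside the blockquote.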

Expand Down Expand Up @@ -81,7 +81,7 @@ To learn more, see [View details of an investigation](air-view-investigation-res

## Next steps

- [Review the required permissions to use AIR capabilities](air-about.md#required-permissions-to-use-air-capabilities)
- [Review the required permissions to use AIR capabilities](air-about.md#required-permissions-and-licensing-for-air)

- [Find and investigate malicious email in Office 365](threat-explorer-investigate-delivered-malicious-email.md)

