
Commit

Merge pull request #1835 from MicrosoftDocs/main
Publish main to live, Thursday 10:30 AM PST, 11/07
padmagit77 authored Nov 7, 2024
2 parents 905151b + f7fac97 commit 0c82477
Showing 7 changed files with 83 additions and 28 deletions.
8 changes: 5 additions & 3 deletions defender-endpoint/troubleshoot-collect-support-log.md
Expand Up @@ -14,7 +14,7 @@ ms.collection:
ms.topic: troubleshooting
ms.subservice: edr
search.appverid: met150
ms.date: 09/03/2024
ms.date: 11/07/2024
---

# Collect support logs in Microsoft Defender for Endpoint using live response
Expand All @@ -34,8 +34,10 @@ This article provides instructions on how to run the tool via Live Response on W
1. Download and fetch the required scripts available from within the **Tools** subdirectory of the [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/BetaMDEAnalyzer).

For example, to get the basic sensor and device health logs, fetch `..\Tools\MDELiveAnalyzer.ps1`.

If you also require Microsoft Defender Antivirus support logs (`MpSupportFiles.cab`), then fetch `..\Tools\MDELiveAnalyzerAV.ps1`.
- If you require additional logs related to Microsoft Defender Antivirus, then use `..\Tools\MDELiveAnalyzerAV.ps1`.
- If you require [Microsoft Endpoint Data Loss Prevention](/purview/endpoint-dlp-learn-about) related logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`.
- If you require network and [Windows Filter Platform](/windows-hardware/drivers/network/windows-filtering-platform-architecture-overview) related logs, then use `..\Tools\MDELiveAnalyzerNet.ps1`.
- If you require [Process Monitor](/sysinternals/downloads/procmon) logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`.

2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.

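Review bot: the Process Monitor bullet points at the same script as the Data Loss Prevention bullet (`..\Tools\MDELiveAnalyzerDLP.ps1`), which looks like a copy-paste slip; confirm the intended Process Monitor script name before merging. Two smaller points in the same hunk: the link text "Windows Filter Platform" should read "Windows Filtering Platform" to match the linked article, and the removed sentence about `MpSupportFiles.cab` was the only place that told readers which artifact the antivirus script produces, so consider keeping that detail in the new antivirus bullet.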
Expand Up @@ -13,7 +13,7 @@ f1.keywords: NOCSH
ms.collection:
- m365-security
- Tier1
ms.date: 08/14/2024
ms.date: 11/07/2024
---

# Compare Microsoft Defender Vulnerability Management plans and capabilities
Expand Down Expand Up @@ -100,7 +100,10 @@ The table below shows the availability of Defender Vulnerability Management capa
|[Digital certificate assessment](tvm-certificate-inventory.md)|-||
|[Network share analysis](tvm-network-share-assessment.md)|-||
|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-||
|[Authenticated scan for Windows](windows-authenticated-scan.md)|-||
|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|**see note** <sup>2</sup>|

> [!IMPORTANT]
> <sup>2</sup> The Windows authenticated scan feature will be deprecated by the end of November 2025 and will not be supported beyond that date. More information about this change are in the [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs).
## Next steps

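Review bot: grammar in the new note, `More information about this change are in`, should be `is in`. Also add a blank line between the `> [!IMPORTANT]` block and `## Next steps`; the heading sits directly against the blockquote, and the same spacing problem appears in the authenticated-scan page edited in this commit.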
@@ -1,6 +1,6 @@
---
title: Microsoft Defender Vulnerability Management frequently asked questions
description: Find answers to frequently asked questions (FAQs) about MDVM
description: Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulnerability Management.
ms.service: defender-vuln-mgmt
f1.keywords:
- NOCSH
Expand All @@ -14,7 +14,7 @@ ms.collection:
- Tier1
ms.topic: conceptual
search.appverid: met150
ms.date: 06/02/2022
ms.date: 11/07/2024
---

# Microsoft Defender Vulnerability Management frequently asked questions
Expand All @@ -26,16 +26,17 @@ Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulne
- [Block vulnerable applications FAQs](#block-vulnerable-applications-faqs)
- [Security baselines FAQs](#security-baselines-faqs)
- [Defender Vulnerability Management general FAQs](#defender-vulnerability-management-general-faqs)
- [Windows authenticated scan deprecation FAQs](#windows-authenticated-scan-deprecation-faqs)

## Defender Vulnerability Management licensing FAQs

### What license does the user need to benefit from Defender Vulnerability Management capabilities?

Microsoft Defender Vulnerability Management is available via two services:

1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Microsoft Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see [Defender Vulnerability Management Add-on](get-defender-vulnerability-management.md#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).
1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see [Defender Vulnerability Management Add-on](get-defender-vulnerability-management.md#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).

2. For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 90-day trial, see [Defender Vulnerability Management Standalone](get-defender-vulnerability-management.md#try-defender-vulnerability-management-standalone).
2. Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. This is recommended for new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers. To sign up for the free 90-day trial, see [Defender Vulnerability Management Standalone](get-defender-vulnerability-management.md#try-defender-vulnerability-management-standalone).

### Do I need to assign Defender Vulnerability Management licenses to users in my organization as instructed in the admin center?

Expand All @@ -58,18 +59,18 @@ For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 custo
### How is the service provisioned/deployed?

Once a customer is onboarded on to the free-trial experience, Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization.
Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization once a customer is onboarded to the free-trial experience.

### If a customer is in public preview, what will happen to their premium capabilities if I don't sign up for a free trial?
### If a customer is in public preview, what happens to their premium capabilities if they don't sign up for a free trial?

The new capabilities will be available only to customers who onboard a trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
The new capabilities are available only to customers who onboard a trial. Customers who aren't onboarded lose access to these capabilities. Blocked applications are immediately unblocked. Security baseline profiles may be stored for a short period before being deleted.

### How long does the trial last and what happens at the end of my trial?

- The Defender Vulnerability Management add-on trial lasts for 90 days.
- The Defender Vulnerability Management Standalone trial lasts for 90 days.

After your trial ends, you'll have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you'll retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.
After your trial ends, you have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.

After 180 days, your license will be deactivated and your profiles will be deleted.

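Review bot: `30 day grace period` in the reworded line should be hyphenated (`30-day grace period`), and `grace period of active trial` is hard to parse; suggest `30-day grace period during which the trial stays active before the license is suspended`. The unchanged context line `After 180 days, your license will be deactivated and your profiles will be deleted.` keeps the future tense that the rest of this hunk removes, so it could be updated in the same pass.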
Expand All @@ -84,7 +85,7 @@ Examples of recommendations where you might not see a mitigation action (such as
- Recommendations related to operating systems
- Recommendations related to apps for macOS and Linux

It's also possible that your organization has reached the maximum indicator capacity of 15,000. If this is the case, you will need to free up space by deleting old indicators. To learn more, see [Manage indicators](/defender-endpoint/indicator-manage).
It's also possible that your organization reached the maximum indicator capacity of 15,000. If so, you need to free up space by deleting old indicators. To learn more, see [Manage indicators](/defender-endpoint/indicator-manage).

### Does blocking vulnerable apps work on all devices?

Expand All @@ -96,16 +97,16 @@ This feature is supported on Windows devices (1809 or later) with the latest Win

There's currently support for:

- Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and above.
- Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and later.
- Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.

Upcoming support:

- Microsoft benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and above will be available in an upcoming release.
- Microsoft benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and later will be available in an upcoming release.

### What operating systems can I measure using security baseline assessments?

Currently Windows is supported, but coverage will be expanded to cover more operating systems such as Mac and Linux.
Currently Windows is supported, but coverage will be expanded to more operating systems like Mac and Linux.

## Defender Vulnerability Management general FAQs

Expand All @@ -119,4 +120,46 @@ Microsoft Defender Vulnerability Management is available as a vulnerability mana

### Can I turn on Defender Vulnerability Management capabilities on a subset of devices in my organization?

There isn't a way to selectively light up the Defender Vulnerability Management assessment capabilities (block vulnerable applications, browser extension, certificate inventory, and network share assessment) on a subset of devices in a given tenant.
Capabilities like blocking vulnerable applications, browser extension, certificate inventory, and network share assessment can't be selectively turned on for a subset of devices in a given tenant.

## Windows authenticated scan deprecation FAQs

### When does the deprecation process begin and end?

The [Windows authenticated scan](windows-authenticated-scan.md) deprecation process begins on November 2024 and will last for 12 months, concluding on November 30, 2025. During this period, support is limited to existing customers only. New customers will not have access to this capability.

### Why is this product being deprecated?

The deprecation is to streamline offerings and focus on features that provide greater value to customers. This change allows our teams to allocate resources to innovations that better meet customer needs. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance.

### When will the product be officially deprecated?

Windows authenticated scan will officially be deprecated on November 30, 2025. After this date, the capability will no longer be supported nor be available to customers.

### What happens to my data after the product is deprecated?

All user data is handled according to our [data storage and privacy policy](tvm-prerequisites.md#data-storage-and-privacy). We recommend that you export any important data before the deprecation date.

### Will the product be replaced?

There is no direct replacement for the Windows authenticated scan at this time. However, we are continuously evaluating our offerings and exploring opportunities for future development. We appreciate your understanding. Stay tuned for updates on new features and capabilities.

### Will support still be available after the deprecation date?

The development team will assist with any support tickets regarding Windows authenticated scan until the end of November 2025. However, no new features will be deployed. Support for the deprecated product ends on November 30, 2025. We encourage you to reach out with any questions before this date.

### What steps should I take to prepare for the deprecation?

We recommend reviewing your current usage of the Windows authenticated scan and identifying any critical data you rely on. Ensure that you export any important data before the deprecation date.

### Will I receive notifications about the deprecation process?

Yes. We will send out regular updates and reminders via the Message Center to all affected customers as the deprecation date approaches. Ensure your contact information is up to date in our system to receive these notifications.

### Can I still access the product during the deprecation period?

Yes. You can continue to access the Windows authenticated scan and use its features until the deprecation date of November 30, 2025. However, note that new customers will not be able to gain access during this time.

### How can I provide feedback about this change?

You can send your feedback through the relevant channels. We value your input and your feedback helps us improve our future products.
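Review bot: `begins on November 2024` should be `begins in November 2024` (a month, not a date); the same phrase appears in the What's new entry in this commit. The last answer, `You can send your feedback through the relevant channels`, names no channel; either link to the feedback mechanism readers should actually use or drop the question. `Let us know if you have any questions or need assistance` and `Stay tuned for updates` likewise give the reader nowhere to go, while the notifications answer does name the Message Center; point these sentences at a concrete channel (Microsoft Support or Message Center) or remove them.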
Expand Up @@ -11,7 +11,7 @@ audience: ITPro
ms.collection:
- m365-security
ms.topic: conceptual
ms.date: 07/09/2024
ms.date: 11/07/2024
---

# What's new in Microsoft Defender Vulnerability Management
Expand All @@ -21,10 +21,13 @@ This article provides information about new features and important product updat
> [!TIP]
> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md).
## July 2024
## November 2024

- The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, see [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs).

- (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject.
## July 2024

- (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject.

## February 2024

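Review bot: `will begin on November 2024` should read `will begin in November 2024`, matching the fix needed in the FAQ this line links to. Also consider a blank line between the `> [!TIP]` blockquote and `## November 2024`; the new heading is placed directly against the quote, as the old `## July 2024` heading was.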
Expand Up @@ -9,7 +9,7 @@ audience: Admin
ms.topic: conceptual
ms.service: defender-vuln-mgmt
ms.localizationpriority: medium
ms.date: 11/03/2024
ms.date: 11/07/2024
ms.collection:
- m365-security
- Tier1
Expand All @@ -25,7 +25,7 @@ ms.collection:
- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

> [!IMPORTANT]
> This feature will be deprecated by the end of November 2025 and will not be supported beyond that date. Reach out to Microsoft Support for more information or assistance.
> This feature will be deprecated by the end of November 2025 and will not be supported beyond that date. More information about this change are in the [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs).
Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities. By default, the scan will run every four hours with options to change this interval or have it only run once.

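Review bot: the rewritten `> [!IMPORTANT]` note is followed immediately by the `Authenticated scan for Windows provides the ability...` paragraph with no blank line, so Markdown parses that paragraph as a lazy continuation of the blockquote and renders it inside the callout; insert a blank line after the note. The wording `More information about this change are in` should also be `is in`, the same fix needed in the plans comparison page in this commit.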
14 changes: 9 additions & 5 deletions defender-xdr/advanced-hunting-defender-use-custom-rules.md
Expand Up @@ -44,15 +44,19 @@ For editable functions, more options are available when you select the vertical
- **Delete** – deletes the function

### Use arg() operator for Azure Resource Graph queries (Preview)
Preview customers can use the *arg()* operator to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. Read [Create alerts with Azure Resource Graph and Log Analytics](/azure/governance/resource-graph/alerts-query-quickstart?tabs=azure-resource-graph) for more details.
The *arg()* operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.

This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables are not supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window.

Read [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview) for more details.

In the query editor, enter *arg("").* followed by the Azure Resource Graph table name.

```Kusto
arg("").<Azure-Resource-Graph-table-name>
```
For example:

:::image type="content" source="/defender-xdr/media/arg-operator2.png" alt-text="Screenshot of arg operator in advanced hunting." lightbox="/defender-xdr/media/arg-operator2.png":::

You can then, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:

```Kusto
arg("").Resources
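Review bot: `like subscriptions, virtual machines, CPU, storage, and the like` uses "like" twice; suggest `such as subscriptions, virtual machines, CPU, and storage`. In the new paragraph, `log analytics` should be `Log Analytics` (the product name), and `This allows users to use the operator` reads better as `This lets you use the operator`. The instruction `enter *arg("").* followed by` mixes italics with code; use backticks for `arg("").` as the same paragraph already does for `arg()`. Finally, the section heading still carries `(Preview)` while the sentence that said `Preview customers can use` was removed; confirm the preview status is still accurate.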
Binary file added defender-xdr/media/arg-operator2.png

0 comments on commit 0c82477