Merge branch 'main' into WI494055-offboard-devices-mde

Author: DeCohen

.github/workflows/AutoPublish.yml

@@ -7,7 +7,8 @@ permissions:
 
 on:
   schedule:
-    - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+    # - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time (~Mar-Nov). Scheduling at :25 to account for queuing lag.
+    - cron: "25 3,6,9,12,15,18,21,23 * * *" # Times are UTC based on Standard Time (~Nov-Mar). Scheduling at :25 to account for queuing lag.
 
   workflow_dispatch:
 

defender-endpoint/respond-machine-alerts.md

@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: painbar
 author: paulinbar
 ms.localizationpriority: medium
-ms.date: 09/01/2025
+ms.date: 11/05/2025
 manager: bagol
 audience: ITPro
 ms.collection:
@@ -19,6 +19,7 @@ appliesto:
   - Microsoft Defender for Business
 
 ---
+
 # Take response actions on a device
 
 
@@ -362,7 +363,9 @@ When an identity in your network might be compromised, you must prevent that ide
 > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
 
 > [!IMPORTANT]
-> Once a **Contain user** action is enforced on a domain controller, it starts a GPO update on the Default Domain Controller policy. A change of a GPO starts a sync across the domain controllers in your environment.  This is expected behavior, and if you monitor your environment for AD GPO changes, you may be notified of such changes. Undoing the **Contain user** action reverts the GPO changes to their previous state, which will then start another AD GPO synchronization in your environment. Learn more about [merging of security policies on domain controllers](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj966251(v=ws.11)#merging-of-security-policies-on-domain-controllers).
+> As part of the active protection provided by Microsoft Defender for Endpoint, a distributed mechanism can apply LSA Policy to prevent compromised users from accessing machines in your organization. Currently, when this policy is applied on Domain Controllers, it may cause Group Policy synchronization activity across domain controllers.
+>
+> We are gradually rolling out a new solution by integrating with new OS APIs. This deployment will be phased and thoroughly tested to ensure stability and security. During this rollout, LSA Policy enforcement on your servers will be temporarily removed to prevent potential GPO sync. This change will remain in effect until the rollout is complete.
 
 ### How to contain a user
 

defender-endpoint/troubleshoot-settings.md

@@ -7,7 +7,7 @@ manager: bagol
 ms.reviewer: yongrhee
 ms.service: defender-endpoint
 ms.topic: troubleshooting-general
-ms.date: 04/01/2025
+ms.date: 11/06/2025
 ms.subservice: ngp
 ms.localizationpriority: medium
 ms.collection: # Useful for querying on a set of strategic or high-priority content.
@@ -16,11 +16,12 @@ search.appverid: MET150
 f1.keywords: NOCSH
 audience: ITPro
 appliesto:
-  - Microsoft Defender for Business
+- Microsoft Defender for Business
   - Microsoft Defender for Individuals
   - Microsoft Defender Antivirus
 
 ---
+
 # Troubleshoot Microsoft Defender Antivirus settings
 
 
@@ -52,6 +53,9 @@ To remove policy conflicts, here's our current, recommended process:
 
 ## Step 1: Understand the order of precedence
 
+> [!NOTE]
+> Microsoft Defender for Endpoint attach configurations can be overridden by other configuration tools that write to the same registry location.
+
 When policies and settings are configured in multiple tools, in general, here's the order of precedence:
 
 1. Microsoft Defender for Endpoint security settings management