Merge branch 'main' into mde-mac-overview

Author: emmwalshh

ATPDocs/deploy/remote-calls-sam.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
+> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
 > The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
 > 
 > It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.

ATPDocs/troubleshooting-known-issues.md

@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting known issues
 description: Describes how you can troubleshoot issues in Microsoft Defender for Identity.
-ms.date: 09/02/2024
+ms.date: 05/08/2025
 ms.topic: troubleshooting
 ---
 
@@ -117,31 +117,16 @@ The issue can be caused when the trusted root certification authorities certific
 
 Run the following PowerShell cmdlet to verify that the required certificates are installed.
 
-In the following example, use the "DigiCert Baltimore Root" certificate for all customers. In addition, use the "DigiCert Global Root G2" certificate for commercial customers or use the "DigiCert Global Root CA" certificate for US Government GCC High customers, as indicated.
+In the following example the "DigiCert Global Root G2" certificate is for commercial customers and the "DigiCert Global Root CA" certificate for US Government GCC High customers, as indicated.
 
 ```powershell
-# Certificate for all customers
-Get-ChildItem -Path "Cert:\LocalMachine\Root" | where { $_.Thumbprint -eq "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"} | fl
-
 # Certificate for commercial customers
 Get-ChildItem -Path "Cert:\LocalMachine\Root" | where { $_.Thumbprint -eq "df3c24f9bfd666761b268073fe06d1cc8d4f82a4"} | fl
 
 # Certificate for US Government GCC High customers
 Get-ChildItem -Path "Cert:\LocalMachine\Root" | where { $_.Thumbprint -eq "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"} | fl
 ```
 
-Output for certificate for all customers:
-
-```Output
-Subject      : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
-Issuer       : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
-Thumbprint   : D4DE20D05E66FC53FE1A50882C78DB2852CAE474
-FriendlyName : DigiCert Baltimore Root
-NotBefore    : 5/12/2000 11:46:00 AM
-NotAfter     : 5/12/2025 4:59:00 PM
-Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
-```
-
 Output for certificate for commercial customers certificate:
 
 ```Output
@@ -168,19 +153,14 @@ Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.O
 
 If you don't see the expected output, use the following steps:
 
-1. Download the following certificates to the Server Core machine. For all customers, download the [Baltimore CyberTrust root](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt) certificate.
-
-    In addition:
+1. Download the following certificates to the machine:
 
     - For commercial customers, download the [DigiCert Global Root G2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) certificate
     - For US Government GCC High customers, download the [DigiCert Global Root CA](https://cacerts.digicert.com/DigiCertGlobalRootCA.crt) certificate
 
 1. Run the following PowerShell cmdlet to install the certificate.
 
     ```powershell
-    # For all customers, install certificate
-    Import-Certificate -FilePath "<PATH_TO_CERTIFICATE_FILE>\bc2025.crt" -CertStoreLocation Cert:\LocalMachine\Root
-
     # For commercial customers, install certificate
     Import-Certificate -FilePath "<PATH_TO_CERTIFICATE_FILE>\DigiCertGlobalRootG2.crt" -CertStoreLocation Cert:\LocalMachine\Root
 

CloudAppSecurityDocs/protect-salesforce.md

@@ -118,6 +118,7 @@ This section provides instructions for connecting Microsoft  Defender for Cloud
       * **Manage Users**
       * **[Query All Files](https://go.microsoft.com/fwlink/?linkid=2106480)**
       * **Modify Metadata Through Metadata API Functions**
+      * **View Setup And Configuration**
 
       If these checkboxes aren't selected, you may need to contact Salesforce to add them to your account.
 

defender-endpoint/TOC.yml

@@ -47,8 +47,6 @@
         href: ios-whatsnew.md
       - name: Previous Defender for Endpoint releases (archive)
         href: whats-new-mde-archive.md
-    - name: Minimum requirements
-      href: minimum-requirements.md
     - name: Trial user guide - Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
     - name: Pilot and deploy Defender for Endpoint
@@ -313,7 +311,7 @@
             href: linux-resources.md
         - name: Mobile Threat Defense
           items:
-            - name: Mobile Threat Defense Overview
+            - name: Mobile Threat Defense overview
               href: mtd.md
             - name: Deploy
               items:

defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md

@@ -8,7 +8,7 @@ author: emmwalshh
 ms.author: ewalsh
 ms.reviewer: yongrhee
 ms.topic: conceptual
-ms.date: 04/03/2024
+ms.date: 05/08/2025
 manager: deniseb
 ms.custom: nextgen
 ms.collection: 

defender-endpoint/device-discovery.md

@@ -5,8 +5,8 @@ ms.service: defender-endpoint
 ms.subservice: onboard
 f1.keywords:
 - NOCSH
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -18,7 +18,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 04/23/2024
+ms.date: 05/08/2025
 ---
 
 # Device discovery overview

defender-endpoint/enable-attack-surface-reduction.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-asr
 ms.custom: admindeeplinkDEFENDER
 search.appverid: met150
-ms.date: 04/30/2025
+ms.date: 05/08/2025
 ---
 
 # Enable attack surface reduction rules
@@ -102,7 +102,7 @@ When adding exclusions, keep these points in mind:
 
 If a conflicting policy is applied via MDM and GP, the setting applied from Group Policy takes precedence.
 
-Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conficts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
+Attack surface reduction rules for managed devices now support behavior for merging settings from different policies to create a policy superset for each device. Only the settings that aren't in conflict are merged, whereas policy conflicts aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile were deployed. 
 
 Attack surface reduction rule merge behavior works as follows:
 
@@ -139,6 +139,7 @@ The following procedures for enabling attack surface reduction rules include ins
 > If you're using Intune on Windows Server 2012 R2 and Windows Server 2016 with the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2), you need to set the following attack surface reduction rules to `Not Configured` because they're not supported on these OS versions. Otherwise, these policies fail to apply:
 > - [Block persistence through Windows Management Instrumentation (WMI) event subscription](/defender-endpoint/attack-surface-reduction-rules-reference#block-persistence-through-wmi-event-subscription)
 > - [Block JavaScript or VBScript from launching downloaded executable content](/defender-endpoint/attack-surface-reduction-rules-reference#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+> - [Block Win32 API calls from Office macro](/defender-endpoint/attack-surface-reduction-rules-reference#block-win32-api-calls-from-office-macros)
 
 #### Endpoint security policy (Preferred)
 

defender-endpoint/enable-controlled-folders.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 - mde-asr
 search.appverid: met150
-ms.date: 03/12/2025
+ms.date: 05/06/2025
 ---
 
 # Enable controlled folder access
@@ -85,7 +85,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi
 
 1. After the policy is created, **Close**.
 
-For more information about Microsoft Configuration Manager and Controlled Folder Access, please visit [Controlled folder access policies and options](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy).
+For more information about Microsoft Configuration Manager and Controlled Folder Access, visit [Controlled folder access policies and options](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy).
 
 ## Group Policy
 

defender-endpoint/host-firewall-reporting.md

@@ -3,11 +3,11 @@ title: Host firewall reporting in Microsoft Defender for Endpoint
 description: Host and view firewall reporting in Microsoft Defender portal.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 04/11/2024
+ms.date: 05/08/2025
 audience: ITPro
 ms.topic: conceptual
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 manager: deniseb
 ms.subservice: asr
 ms.collection: