
Commit 0f7ea38

Merge branch 'main' into docs-editor/post-ti-indicator-1760547256
2 parents 63f64ef + ebf1684 commit 0f7ea38

19 files changed

+657
-110
lines changed

defender-endpoint/configure-endpoints-script.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,9 @@ Check out [Identify Defender for Endpoint architecture and deployment method](de
3939

4040
1. Open the configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
4141

42+
> [!NOTE]
43+
> If the Endpoints section isn't visible, try accessing other Defender features (such as Incidents or Hunting) or wait a few minutes for the environment to initialize. Also ensure you have the required roles (like Security Administrator) and appropriate licensing.
44+
4245
1. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Onboarding**.
4346

4447
2. Select Windows 10 or Windows 11 as the operating system.
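Review bot: The note added at new lines 42-44 sits between the sentence in step 1 that ends with a colon ("You can also get the package from the Microsoft Defender portal:") and the sub-steps that sentence introduces, so the portal path no longer follows its lead-in. Move the note below the sub-steps or above step 1. The advice to "ensure you have the required roles (like Security Administrator) and appropriate licensing" would also be easier to act on with a link to the page that lists the required roles and licenses.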

defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -109,7 +109,6 @@ The following table lists solutions:
109109
|Solution|Description|
110110
|:---|:---|
111111
| Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check.|
112-
| Solution (Preferred 2) | 1. Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **Certificate Path Validation Settings**.<br/>2. Select the **Network Retrieval** tab, and then select **Define these policy settings**.<br/>3. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box.<br/><br/> Here are some useful resources: <br/> - [Configure Trusted Roots and Disallowed Certificates](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11))<br/>- [Improving application Start up time: GeneratePublisherEvidence setting in Machine.config](/archive/blogs/amolravande/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config)|
113112
| Work-around solution (Alternative) <br/> *This is not a best practice since you're no longer checking for revoked certificates or certificate pinning.*| Disable CRL check only for SPYNET. <br/> Configuring this registry SSLOption disables CRL check only for SPYNET reporting. It won't impact other services.<br/><br/> Go to **HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet**, and then set `SSLOptions (dword)` to `2` (hex). <br/>For reference, here are possible values for the DWORD: <br/> - `0 – disable pinning and revocation checks` <br/> - `1 – disable pinning` <br/> - `2 – disable revocation checks only` <br/> - `3 – enable revocation checks and pinning (default)` |
114113

115114
## Attempt to download a fake malware file from Microsoft
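Review bot: With the "Solution (Preferred 2)" row removed, the work-around row kept at line 112 is the only remaining guidance that relaxes certificate checking, and it contradicts itself: the italic warning says you are "no longer checking for revoked certificates or certificate pinning", while the value list in the same cell gives `2 – disable revocation checks only`. Since this hunk already edits the table, reword the warning so it matches the value being set, and note in the commit message why the second preferred solution and its two reference links were dropped.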

defender-endpoint/microsoft-defender-antivirus-updates.md

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -98,13 +98,10 @@ Improved Defender update reliability by allowing non-admin processes to trigger
9898

9999
- Enhanced Passive Mode Scanning Behavior
100100
When Microsoft Defender is in Passive mode, an Antivirus scan will not occur after a signature update , unless specifically set in the policy setting DisableScanOnUpdate.
101-
102101
- Improved Tamper Protection Handling
103102
Optimized the configuration process for Tamper Protection in multi-threaded environments to ensure more reliable behavior.
104-
105103
- Digital Signature Verification Performance Boost
106104
Enhanced the efficiency of digital signature verification to improve overall system performance.
107-
108105
- Refined ASR Rule Exclusion Processing
109106
Refined exclusion processing and resolved false positives for the Attack Surface Reduction (ASR) rule: Block Office applications from injecting code into other processes.
110107
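Review bot: The context sentence at line 100 still has a stray space before the comma ("signature update , unless") and is hard to act on: it says a scan "will not occur ... unless specifically set in the policy setting DisableScanOnUpdate" without saying which value of that setting produces a scan. Since this hunk is a cleanup of the list, fix the punctuation and state the value explicitly.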

defender-endpoint/supported-capabilities-by-platform.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,8 +55,8 @@ The following table gives information about the supported Microsoft Defender for
5555
|[Device response capabilities: collect investigation package ](respond-machine-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
5656
|[Device response capabilities: run antivirus scan](respond-machine-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
5757
|[Device isolation](respond-machine-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
58-
|File response capabilities: collect file, deep analysis | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
59-
|File response capabilities: block file, stop, and quarantine processes | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![No](media/svg/check-no.svg) | ![No](media/svg/check-no.svg) |
58+
|[File response capabilities: collect file, deep analysis](respond-file-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
59+
|[File response capabilities: block file, stop, and quarantine processes](respond-file-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![No](media/svg/check-no.svg) | ![No](media/svg/check-no.svg) |
6060
|[Live Response](live-response.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
6161

6262
> [!NOTE]
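Review bot: In the rewritten row at new line 59 the image alt text is inconsistent: `![Yes.]` carries a trailing period and `![No]` does not, so screen readers announce the two states differently. Use one form for both across the table. The context row at line 55 also has a trailing space inside the link text ("collect investigation package ]"), which can be removed while the neighbouring rows are being touched.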

defender-endpoint/web-threat-protection.md

Lines changed: 6 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -27,47 +27,29 @@ appliesto:
2727

2828

2929

30-
Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you are blocked because they're in your [custom indicator list](indicators-overview.md).
30+
Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you've blocked because they're in your [custom indicator list](indicators-overview.md).
3131

3232
> [!NOTE]
3333
> It might take up to two hours for devices to receive new custom indicators.
3434
3535
## Prerequisites
3636

37-
Web protection uses network protection to provide web browsing security on Microsoft Edge and non-Microsoft web browsers.
37+
Web threat protection uses network protection to provide web browsing security in Edge (excepting Windows devices), non-Microsoft web browsers and nonbrowser processes. On Windows devices, web threat protection in Edge uses Microsoft Defender SmartScreen and network protection isn't required to be enabled.
38+
39+
To turn on Microsoft Defender SmartScreen in Edge: [Configure Microsoft Defender SmartScreen](/deployedge/microsoft-edge-policies#smartscreenenabled).
3840

3941
To turn on network protection on your devices:
4042

4143
- Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline)
4244
- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
4345

4446
> [!NOTE]
45-
> If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
47+
> If you set network protection to **Audit only**, blocking is unavailable. Also, you are able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
4648
4749
## Configure web threat protection
4850

49-
The following procedure describes how to configure web threat protection using the Microsoft Intune admin center.
50-
51-
1. Go to the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)), and sign in.
52-
53-
2. Choose **Endpoint security** \> **Attack surface reduction**, and then choose **+ Create policy**.
54-
55-
3. Select a platform, such as **Windows 10 and later**, select the **Web protection** profile, and then choose **Create**.
56-
57-
4. On the **Basics** tab, specify a name and description, and then choose **Next**.
58-
59-
5. On the **Configuration settings** tab, expand **Web Protection**, specify your settings, and then choose **Next**.
60-
61-
- Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it works in your environment. In audit mode, network protection doesn't prevent users from visiting sites or domains, but it does track detections as events.
62-
- To protect users from potential phishing scams and malicious software, turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**.
63-
- To prevent users from bypassing warnings about potentially malicious sites, set **Block malicious site access** to **Yes**.
64-
- To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** to **Yes**.
65-
66-
6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you aren't using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
67-
68-
7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**.
51+
The legacy **Web protection** policy in Intune has been deprecated and web threat protection will be enabled if the prerequisites are met.
6952

70-
8. On the **Review + create** tab, review your policy settings, and then choose **Create**.
7153

7254
## Related articles
7355
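Review bot: After the Intune procedure is removed (old lines 49-70), the "Configure web threat protection" section holds a single sentence and no longer tells an administrator where to set what the removed steps covered, in particular **Block malicious site access** and **Block unverified file download**, which prevented users from bypassing warnings. Either point to where those settings are configured now or rename the heading, and link "if the prerequisites are met" to the Prerequisites section. In new line 37, "Edge (excepting Windows devices)" would read more clearly as "Microsoft Edge on non-Windows devices", which also matches the product name used in the rest of the file. The note at new line 47 still says Audit only detects and logs "on Microsoft Edge only"; reconcile that with the new statement that Edge on Windows relies on SmartScreen and doesn't need network protection.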

defender-for-cloud-apps/in-browser-protection.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: In-browser protection with Microsoft Edge for Business | Microsoft Defender for Cloud Apps
33
description: Learn about using in-browser protection with Microsoft Defender for Cloud Apps session policies and Microsoft Edge for Business.
4-
ms.date: 01/26/2025
4+
ms.date: 10/20/2025
55
ms.topic: how-to
66
#customerIntent: As a Defender for Cloud Apps admin, I want to learn about the user experience with in-browser protection.
77
---
@@ -12,6 +12,9 @@ Defender for Cloud Apps users who use Microsoft Edge for Business or Purview Dat
1212

1313
Protected users experience a smooth experience with their cloud apps, without latency or app compatibility issues, and with a higher level of security protection.
1414

15+
> [!NOTE]
16+
> In-browser protection with Microsoft Edge is only available to Microsoft Defender for Cloud Apps commercial tenants.
17+
1518
## In-browser protection requirements
1619

1720
To use in-browser protection, users must be in their browser's work profile.
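Review bot: The note added at new lines 15-16 limits the feature to "commercial tenants" but doesn't say what users in other tenant types get instead. The page later states that unsupported scenarios are served by the reverse proxy; if that applies here, say so in the note, and add the tenant restriction to the requirements table in the next section so all prerequisites are in one place.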
@@ -27,8 +30,8 @@ To use in-browser protection, users must also have the following environmental r
2730
|**Operating systems**|Windows 10 or 11, macOS|
2831
|**Identity platform**|Microsoft Entra ID|
2932
|**Microsoft Edge for Business versions**|The last two stable versions. For example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125. <br> For more information, see [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).|
30-
|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning are not supported for Microsoft Edge in-browser protection|
31-
|**Supported Purview DLP policies**|Please see: [Activities you can monitor and take action on in the browser](/purview/dlp-browser-dlp-learn#activities-you-can-monitor-and-take-action-on) <br>Purview policies are always served by in-browser protection.|
33+
|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning aren't supported for Microsoft Edge in-browser protection|
34+
|**Supported Purview DLP policies**|See: [Activities you can monitor and take action on in the browser](/purview/dlp-browser-dlp-learn#activities-you-can-monitor-and-take-action-on) <br>Purview policies are always served by in-browser protection.|
3235

3336
All other scenarios are served automatically with the standard reverse proxy technology, including user sessions from browsers that don't support in-browser protection, or for policies not supported by in-browser protection.
3437
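Review bot: In the rewritten cell at new line 33 the footnote begins with a bare asterisk ("*Sensitive files identified by built-in DLP scanning aren't supported ...") while the same cell uses `*not*` for emphasis, so the footnote marker can be parsed as the start of italics. Escape it as `\*`, as the list items already do with `\\*sensitive files`. The first list item also reads "Block\Monitor of file download" where the others omit "of".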

@@ -53,7 +56,7 @@ Also, the `.mcas.ms` suffix doesn't appear in the browser address bar with in-br
5356

5457
### Work profile enforcement for in-browser protection
5558

56-
To access a work resource in *contoso.com* with in-browser protection, you must sign in with your `[email protected]` profile. If you try to access the work resource from outside the work profile, you will be prompted to switch to the work profile or create one if it doesn't exist. If access from the Microsoft Edge work profile isn't enforced, you can also choose to continue with your current profile, in which case you're served by the [reverse proxy architecture](proxy-intro-aad.md).
59+
To access a work resource in *contoso.com* with in-browser protection, you must sign in with your `[email protected]` profile. If you try to access the work resource from outside the work profile, you'll be prompted to switch to the work profile or create one if it doesn't exist. If access from the Microsoft Edge work profile isn't enforced, you can also choose to continue with your current profile, in which case you're served by the [reverse proxy architecture](proxy-intro-aad.md).
5760

5861
If you decide to create a new work profile, you'll see a prompt with the **Allow my organization to manage my device** option. In such cases, you don't need to select this option to create the work profile or benefit from in-browser protection.
5962

defender-for-cloud-apps/real-time-agent-protection-during-runtime.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,14 +36,16 @@ This capability adds another security layer on top of Microsoft Copilot Studio,
3636

3737
Before enabling real-time agent protection during runtime, make sure:
3838

39-
- You have a valid Microsoft Defender for Cloud Apps license (included in Microsoft 365 E5 Security).
39+
- You have a valid Microsoft Defender for Cloud Apps license.
4040

4141
- You have Security Administrator privileges in the Microsoft Defender portal.
4242

4343

4444
> [!NOTE]
4545
> The onboarding process for real-time protection during agent runtime involves configuration in Power Platform and collaboration with other administrators.
46-
46+
>
47+
> [!IMPORTANT]
48+
> This feature is currently in preview and included with your Microsoft Defender for Cloud Apps license at no extra cost. Licensing requirements may change when the feature becomes generally available. If that happens, the feature will be disabled, and you will be notified should you wish to re-enable it under the new license.
4749
4850
## Turn on real-time protection during agent runtime
4951
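Review bot: New line 46 replaces the blank line with `>`, which keeps `> [!IMPORTANT]` inside the same blockquote as the preceding `> [!NOTE]`; an alert marker that isn't on the first line of its own blockquote is likely to render as literal text inside the note. Restore the unquoted blank line between the two alerts. In the IMPORTANT text, "If that happens, the feature will be disabled" leaves it unclear whether the feature is disabled for every tenant or only for tenants without the new license; state which, because the effect is that runtime protection is turned off.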

defender-for-identity/deploy/activate-sensor.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ ms.topic: how-to
66
ms.reviewer: rlitinsky
77
---
88

9-
# Activate the Defender for Identity sensor v3.x on a domain controller (Preview)
9+
# Activate the Defender for Identity sensor v3.x on a domain controller
1010

1111
For complete protection of your on-premises deployment, we recommend activating the Defender for Identity sensor on all applicable servers. This article describes onboarding for new domain controllers running Windows Server 2019 or later. For domain controllers running older operating systems, we recommend [deploying the classic Defender for Identity sensor](install-sensor.md).
1212

defender-for-identity/deploy/active-directory-federation-services.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
88

99
# Configure sensors for AD FS, AD CS, and Microsoft Entra Connect
1010

11-
Install Defender for Identity sensors on Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Microsoft Entra Connect servers to help protect them from on-premises and hybrid attacks. This article describes the installation steps.
11+
Install Defender for Identity sensors on Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Microsoft Entra Connect servers to help protect them from on-premise and cloud attacks. This article describes the installation steps.
1212

1313
These considerations apply:
1414
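Review bot: New line 11 changes "on-premises and hybrid attacks" to "on-premise and cloud attacks". "On-premise" is a regression from the "on-premises" spelling used elsewhere in this commit (for example "on-premises deployment" in activate-sensor.md), and replacing "hybrid" with "cloud" changes what the sensors are claimed to protect against. Keep "on-premises", and confirm that "cloud" is the intended scope for sensors installed on AD FS, AD CS, and Microsoft Entra Connect servers.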

defender-for-identity/deploy/deploy-defender-identity.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ Identify your architecture and your requirements, and then use the table below t
2222

2323
|Server configuration |Server Operating System |Recommended deployment |
2424
|---------|---------|---------|
25-
|Domain controller | Windows Server 2019 or later with the [June 2025 Cumulative Update](https://support.microsoft.com/en-us/topic/june-10-2025-kb5060526-os-build-20348-3807-4e9453c4-6602-48ea-b349-689cd66dfdb9) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**. |
25+
|Domain controller | Windows Server 2019 or later with the [June 2025 Cumulative Update](https://support.microsoft.com/en-us/topic/june-10-2025-kb5060526-os-build-20348-3807-4e9453c4-6602-48ea-b349-689cd66dfdb9) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x](prerequisites-sensor-version-3.md)<br> * **See Note**. |
2626
|Domain controller |Windows Server 2016 or later |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md) |
2727
|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md) | Windows Server 2016 or later |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md) |
2828
|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md) | Windows Server 2016 or later |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md) |
@@ -34,7 +34,6 @@ Identify your architecture and your requirements, and then use the table below t
3434
> - Requires that Defender for Endpoint is deployed
3535
> - Doesn't currently support VPN integration
3636
> - Doesn't currently support ExpressRoute
37-
> - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
3837
3938
Once you've evaluated your infrastructure and requirements, follow the instructions for deploying the sensor based on the version you need.
4039
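Review bot: The bullet removed at old line 37 ("Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data") was a stated functional limitation of sensor v3.x, and it is dropped in a merge commit with no explanation. Confirm that the limitation is resolved now that the "(Preview)" label is gone, since the remaining bullets still list VPN integration and ExpressRoute as unsupported, and record the change in the release notes so readers relying on the old text know coverage has changed.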
