MicrosoftDocs
diff --git a/‎ATPDocs/remove-inactive-service-account.md‎
Lines changed: 6 additions & 7 deletions b/‎ATPDocs/remove-inactive-service-account.md‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 3 additions & 3 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/android-whatsnew.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/android-whatsnew.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/ios-whatsnew.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/ios-whatsnew.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/linux-whatsnew.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/linux-whatsnew.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/mde-demonstration-amsi.md‎
Lines changed: 124 additions & 13 deletions b/‎defender-endpoint/mde-demonstration-amsi.md‎
Lines changed: 124 additions & 13 deletions
diff --git a/‎defender-endpoint/whats-new-in-microsoft-defender-endpoint.md‎
Lines changed: 3 additions & 6 deletions b/‎defender-endpoint/whats-new-in-microsoft-defender-endpoint.md‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎defender-endpoint/whats-new-mde-archive.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/whats-new-mde-archive.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/windows-whatsnew.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/windows-whatsnew.md‎
Lines changed: 3 additions & 3 deletions
@@ -6,13 +6,13 @@ ms.topic: how-to
 #customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
 ---
 
-# Security Assessment: Remove Inactive Service Accounts (Preview)
+# Security Assessment: Remove Stale Service Accounts (Preview)
 
-This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+This recommendation lists Active Directory service accounts detected as stale within the past 90 days. 
 
-## Why do inactive service accounts pose a risk?
+## Why do stale service accounts pose a risk?
 
-Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Stale service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
 
 This exposure creates several risks:
 
@@ -25,10 +25,9 @@ This exposure creates several risks:
 
 To use this security assessment effectively, follow these steps:
 
-1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
-1. Review the list of exposed entities to discover which of your service account is inactive.
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions) for Remove stale service account.
 
-    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+1. Review the list of exposed entities to discover which of your service accounts are stale and have not performed any login activity in the last 90 days.
 
 1. Take appropriate actions on those entities by removing the service account. For example:
 
 
@@ -42,11 +42,11 @@ Previously, Defender for Identity tenants received Entra ID risk level in the Id
 
 For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
 
-### New security assessment: Remove inactive service accounts (Preview)
+### New security assessment: Remove stale service accounts (Preview)
 
-Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts.
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been stale for the past 90 days, to help you mitigate security risks associated with unused accounts.
 
-For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
+For more information, see: Security Assessment: [Remove Stale Service Accounts (Preview)](/defender-for-identity/remove-inactive-service-account)
 
 ### New Graph based API for response actions (preview) 
 
 
@@ -2,10 +2,10 @@
 title: What's new in Microsoft Defender for Endpoint on Android
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Android.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
-manager: deniseb
+manager: bagol
 ms.reviewer: denishdonga
 audience: ITPro
 ms.collection:
 
@@ -2,12 +2,12 @@
 title: What's new in Microsoft Defender for Endpoint on iOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
 ms.date: 08/12/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection: 
 - m365-security
 
@@ -2,12 +2,12 @@
 title: What's new in Microsoft Defender for Endpoint on Linux
 description: List of major changes for Microsoft Defender for Endpoint on Linux.
 ms.service: defender-endpoint
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
 ms.date: 08/19/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security
 
@@ -2,9 +2,9 @@
 title: What's new in Microsoft Defender for Endpoint on macOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on macOS.
 ms.service: defender-endpoint
-author: paulinbar
-ms.author: painbar
-manager: orspodek
+author: lwainstein
+ms.author: lwainstein
+manager: bagol
 ms.localizationpriority: medium
 ms.date: 08/20/2025
 audience: ITPro
 
@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 ms.topic: how-to
-ms.date: 08/19/2025
+ms.date: 09/01/2025
 search.appverid: met150
 ms.custom: 
 - partner-contribution
@@ -52,17 +52,34 @@ In this demonstration article, you have two engine choices to test AMSI:
    ```powershell
    $testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
    Invoke-Expression $testString
-   ```
+   ```powershell
    
-2. On your device, open PowerShell as an administrator.
+1. On your device, open PowerShell as an administrator.
 
-3. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
+1. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
 
    The result should be as follows:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-powershell-results.png" alt-text="Screenshot showing the results of the AMSI test sample. It should show a threat was detected." lightbox="media/mde-demonstrations-amsi/test-amsi-powershell-results.png":::
+    ```powershell
+       Invoke-Expression : At line:1 char:1
+
+       + AMSI Test Sample: 7e72c3ce-861b-4339-8740-8ac1484c1386
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       This script contains malicious content and has been blocked by your antivirus software.
+
+       At C:\Users\Admin\Desktop\AMSI_PoSh_script.ps1:3 char:1
+
+       + Invoke-Expression $testString
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
+       
+       + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
+        ```
 
-   
 ### Testing AMSI with VBScript
 
 1. Save the following VBScript as `AMSI_vbscript.vbs`:
@@ -74,20 +91,63 @@ In this demonstration article, you have two engine choices to test AMSI:
    WScript.Echo result
    ```
 
-2. On your Windows Device, open Command Prompt as an administrator.
+1. On your Windows Device, open Command Prompt as an administrator.
 
 1. Type `wscript AMSI_vbscript.vbs`, and then press **Enter**.
 
    The result should be as follows:
 
-      :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
+    ```vbscript
+    Windows Script Host
+
+    Script: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+    Line: 3
+
+    Char: 1
+
+    Error: This script contains malicious content and has been blocked by your antivirus software.: 'eval'
 
+    Code: 800A802D
+
+    Source: Microsoft VBScript runtime error
+   ```
 
 ### Verifying the test results
 
 In your protection history, you should be able to see the following information:
 
-:::image type="content" source="media/mde-demonstrations-amsi/verifying-results.png" alt-text="Screenshot showing the AMSI test results. The information should show that a threat was blocked and cleaned." lightbox="media/mde-demonstrations-amsi/verifying-results.png":::
+```vbscript
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files.
+
+Affected items:
+
+amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
+
+or
+
+amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+and/or you might see:
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files
+```
 
 ### Get the list of Microsoft Defender Antivirus threats
 
@@ -101,17 +161,68 @@ You can view detected threats by using the Event log or PowerShell.
 
 3. Look for `event ID 1116`. You should see the following information:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/eventid1116.png" alt-text="Screenshot showing Event ID 1116, which says malware or unwanted software was detected." lightbox="media/mde-demonstrations-amsi/eventid1116.png":::
+```powershell
+
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
+
+For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&t
+
+Name: Virus:Win32/MpTest!amsi
+
+ID: 2147694217
+
+Severity: Severe
+
+Category: Virus
+
+Path: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Users\Admin\Desktop\AMSI_jscri
+
+Detection Origin: Local machine or Unknown
+
+Detection Type: Concrete
+
+Detection Source: System
+
+User: NT AUTHORITY\SYSTEM
 
-##### Use PowerShell
+Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\Sy
+
+Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
+
+Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
+```
+
+#### Use PowerShell 
 
 1. On your device, open PowerShell.
 
-2. Type the following command: `Get-MpThreat`.
+1. Type the following command: `Get-MpThreat`.
 
    You might see the following results:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/get-mpthreat-results.png" alt-text="Screenshot showing the results of the Get-MpThreat command. It should show that an AMSI threat was detected." lightbox="media/mde-demonstrations-amsi/get-mpthreat-results.png":::
+    ```powershell
+    CategoryID     : 42
+
+    DidThreatExecute : True
+
+    IsActive       : True
+
+    Resources      :
+
+    RollupStatus   : 97
+
+    SchemaVersion  : 1.0.0.0
+
+    SeverityID     : 5
+
+    ThreatID       : 2147694217
+
+    ThreatName     : Virus:Win32/MpTest!amsi
+
+    TypeID         : 0
+
+    PSComputerName :
+    ```
 
 
 ## See also
 
@@ -8,7 +8,7 @@ author: limwainstein
 ms.reviewer: noamhadash, pahuijbr, yongrhee
 ms.localizationpriority: medium
 ms.date: 08/20/2025
-manager: orspodek
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security
@@ -44,11 +44,8 @@ Learn more:
 
 |Feature  |Preview/GA  |Description  |
 |---------|------------|-------------|
-|[Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview)     |GA         |- Microsoft Defender Core service, now in GA, helps with the stability and performance of Microsoft Defender Antivirus.<br>- Support for Azure Stack HCI OS is rolling out across commercial and government clouds.|
-
-## July 2025
-
-- (Preview) Added support for Azure Stack HCI OS, version 23H2 and later. This support will roll out gradually across all clouds and regions in July.
+|Azure Stack HCI OS support (version 23H2 and later) |Preview |Added support for Azure Stack HCI OS, version 23H2 and later. Support for Azure Stack HCI OS is rolling out across commercial and government clouds. |
+|[Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) |GA |Microsoft Defender Core service, now in GA, helps with the stability and performance of Microsoft Defender Antivirus.|
 
 ## April 2025
 
 
@@ -4,11 +4,11 @@ description: See what features were available for Microsoft Defender for Endpoin
 search.appverid: met150
 ms.service: defender-endpoint
 ms.subservice: reference
-ms.author: ewalsh
-author: emmwalshh
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
 ms.date: 04/04/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection:
 - m365-security
 
@@ -3,11 +3,11 @@ title: What's new in Microsoft Defender for Endpoint on Windows
 description: Learn about the latest feature releases of Microsoft Defender for Endpoint on Windows Client and Server.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: lwainstein
+author: lwainstein
 ms.localizationpriority: medium
 ms.date: 06/11/2025
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection: 
 - m365-security