Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into WI473943-account-view-manual-account-correlation

Author: DeCohen

.openpublishing.redirection.defender-endpoint.json

@@ -165,5 +165,10 @@
       "redirect_url": "/defender-xdr/contact-defender-support",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-endpoint/install-defender-endpoint-linux.md",
+      "redirect_url": "/defender-endpoint/mde-linux-prerequisites",
+      "redirect_document_id": false
+    }       
   ]
 }

defender-endpoint/TOC.yml

@@ -263,7 +263,7 @@
             items:
             - name: Prerequisites
               href: mde-linux-prerequisites.md
-            - name: Choose a deployment method
+            - name: Choose a deployment method                       
               items:
               - name: Enabling deployment to a custom location
                 href: linux-custom-location-installation.md

defender-endpoint/configure-proxy-internet.md

@@ -3,8 +3,8 @@ title: Configure your devices to connect to the Defender for Endpoint service us
 description: Learn how to configure your devices to enable communication with the cloud service using a proxy.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -13,12 +13,12 @@ ms.collection:
 - tier1
 ms.topic: how-to
 ms.subservice: onboard
-ms.date: 07/01/2024
+ms.date: 11/09/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
-
 ---
+
 # STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy
 
 
@@ -126,7 +126,9 @@ Configure the static proxy using the Group Policy available in Administrative Te
 >
 > For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender Antivirus caches the last known working proxy. Ensure your proxy solution does not perform SSL inspection, as that breaks the secure cloud connection.
 >
-> Microsoft Defender Antivirus doesn't use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it uses a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the [configured fallback order](manage-protection-updates-microsoft-defender-antivirus.md). If necessary, you can use **Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config (.pac)** for connecting to the network. If you need to set up advanced configurations with multiple proxies, use **Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server** and prevent Microsoft Defender Antivirus from using a proxy server for those destinations.
+> Microsoft Defender Antivirus doesn't use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it uses a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the [configured fallback order](manage-protection-updates-microsoft-defender-antivirus.md).
+>
+> If necessary, you can use **Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config (.pac)** for connecting to the network. If you need to set up advanced configurations with multiple proxies, use **Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server** and prevent Microsoft Defender Antivirus from using a proxy server for those destinations.
 > 
 > You can use PowerShell with the `Set-MpPreference` cmdlet to configure these options: 
 >    - `ProxyBypass`

defender-endpoint/mde-linux-prerequisites.md

@@ -1,4 +1,4 @@
----
+---
 title: Prerequisites for Microsoft Defender for Endpoint on Linux
 ms.reviewer: gopkr, pahuijbr, megphapriya
 description: Describes the requirements needed to install and use Microsoft Defender for Endpoint on Linux.
@@ -15,20 +15,19 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/27/2025
+ms.date: 11/11/2025
 ---
 
 # Prerequisites for Microsoft Defender for Endpoint on Linux
 
 > [!TIP]
 > Microsoft Defender for Endpoint on Linux now extends support for Arm64-based Linux servers in GA.
 
-
 This article lists hardware and software requirements for Defender for Endpoint on Linux. For more information about Defender for Endpoint on Linux, such as what's included in this offering, see the following articles:
 
-- [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) 
+- [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
 
-- [What's new in Defender for Endpoint on Linux](linux-whatsnew.md) 
+- [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
 
 [!INCLUDE [side-by-side-scenarios](includes/side-by-side-scenarios.md)]
 
@@ -70,56 +69,59 @@ For detailed licensing information, see [Product Terms: Microsoft Defender for E
 
 The following Linux server distributions and x64 (AMD64/EM64T) versions are supported:
 
-- Red Hat Enterprise Linux 7.2 and higher 
-- Red Hat Enterprise Linux 8.x 
-- Red Hat Enterprise Linux 9.x 
-- CentOS 7.2 and higher, excluding CentOS Stream 
+- Red Hat Enterprise Linux 7.2 and higher
+- Red Hat Enterprise Linux 8.x
+- Red Hat Enterprise Linux 9.x
+- Red Hat Enterprise Linux 10.x
+- CentOS 7.2 and higher, excluding CentOS Stream
 - CentOS 8.x
-- Ubuntu 16.04 LTS 
-- Ubuntu 18.04 LTS 
-- Ubuntu 20.04 LTS 
-- Ubuntu 22.04 LTS 
-- Ubuntu 24.04 LTS 
-- Debian 9 - 12 
-- SUSE Linux Enterprise Server 12.x 
-- SUSE Linux Enterprise Server 15.x 
-- Oracle Linux 7.2 and higher 
-- Oracle Linux 8.x 
-- Oracle Linux 9.x 
-- Amazon Linux 2 
-- Amazon Linux 2023 
+- Ubuntu 16.04 LTS
+- Ubuntu 18.04 LTS
+- Ubuntu 20.04 LTS
+- Ubuntu 22.04 LTS
+- Ubuntu 24.04 LTS
+- Debian 9 - 12
+- SUSE Linux Enterprise Server 12.x
+- SUSE Linux Enterprise Server 15.x
+- Oracle Linux 7.2 and higher
+- Oracle Linux 8.x
+- Oracle Linux 9.x
+- Amazon Linux 2
+- Amazon Linux 2023
 - Fedora 33-42
-- Rocky 8.7 and higher 
-- Rocky 9.2 and higher 
-- Alma 8.4 and higher 
-- Alma 9.2 and higher 
-- Mariner 2 
+- Rocky 8.7 and higher
+- Rocky 9.2 and higher
+- Alma 8.4 and higher
+- Alma 9.2 and higher
+- Mariner 2
 
 **The following Linux server distributions on ARM64 are now GA:**
 
-- Ubuntu 20.04 ARM64 
-- Ubuntu 22.04 ARM64 
+- Ubuntu 20.04 ARM64
+- Ubuntu 22.04 ARM64
 - Ubuntu 24.04 ARM64
 - Debian 11, 12 ARM64
-- Amazon Linux 2 ARM64 
-- Amazon Linux 2023 ARM64 
+- Amazon Linux 2 ARM64
+- Amazon Linux 2023 ARM64
 - RHEL 8.x ARM64
 - RHEL 9.x ARM64
+- RHEL 10.x ARM64
 - Oracle Linux 8.x ARM64
 - Oracle Linux 9.x ARM64
 - SUSE Linux Enterprise Server 15 (SP5, SP6) ARM64
 
 > [!NOTE]
-> Distributions and versions that aren't explicitly listed above, and custom operating systems, are unsupported (even if they're derived from the officially supported distributions). 
-> Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions. The minimal requirement for the kernel version is `3.10.0-327` or later.
+> Distributions and versions that aren't explicitly listed above, and custom operating systems, are unsupported (even if they're derived from the officially supported distributions).
+> Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions. The minimal requirement for the kernel version is `3.10.0-327` or later.
 
 > [!WARNING]
 > Running Defender for Endpoint on Linux alongside other fanotify-based security solutions is not supported and may lead to unpredictable behavior, including system hangs.
 > If any applications use fanotify in blocking mode, they will appear in the conflicting_applications field of the mdatp health command output.
-> You can still safely take advantage of Defender for Endpoint on Linux by setting antivirus enforcement level to passive. See [Configure security settings in Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences).> **EXCEPTION:** The Linux `FAPolicyD` feature, which also uses Fanotify in blocking mode, is supported with Defender for Endpoint in active mode on RHEL and Fedora platforms, provided that mdatp health reports a healthy status. This exception is based on validated compatibility specific to these distributions. 
-> 
-> 
-## Supported filesystems for real-time protection and quick, full, and custom scans 
+> You can still safely take advantage of Defender for Endpoint on Linux by setting antivirus enforcement level to passive. See [Configure security settings in Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences).> **EXCEPTION:** The Linux `FAPolicyD` feature, which also uses Fanotify in blocking mode, is supported with Defender for Endpoint in active mode on RHEL and Fedora platforms, provided that mdatp health reports a healthy status. This exception is based on validated compatibility specific to these distributions.
+>
+>
+
+## Supported filesystems for real-time protection and quick, full, and custom scans
 
 |Real-time protection and quick/full scans|Custom scans|
 |---|---|
@@ -141,7 +143,7 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 |`xfs`|
 
 > [!NOTE]
-> To scan NFS v3 mount points, make sure to set the `no_root_squash` export option. Without this option, scanning NFS v3 can potentially fail due to lack of permissions. 
+> To scan NFS v3 mount points, make sure to set the `no_root_squash` export option. Without this option, scanning NFS v3 can potentially fail due to lack of permissions.
 
 ## Verify if devices can connect to Defender for Endpoint cloud services
 
@@ -150,16 +152,16 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 2. Connect Defender for Endpoint on Linux through a proxy server by using the following discovery methods:
 
    - Transparent proxy
-   - [Manual static proxy configuration](/defender-endpoint/linux-static-proxy-configuration#installation-time-configuration) 
+   - [Manual static proxy configuration](/defender-endpoint/linux-static-proxy-configuration#installation-time-configuration)
 
 3. Permit anonymous traffic in the previously listed URLs, if a proxy or firewall blocks traffic.
 
-> [!NOTE] 
+> [!NOTE]
 > Configuration for transparent proxies isn't needed for Defender for Endpoint. See [Manual Static Proxy Configuration.](/defender-endpoint/linux-static-proxy-configuration)
 
 > [!WARNING]
-> PAC, WPAD, and authenticated proxies aren't supported. 
-> Use only static or transparent proxies. 
+> PAC, WPAD, and authenticated proxies aren't supported.
+> Use only static or transparent proxies.
 > SSL inspection and intercepting proxies aren't supported for security reasons.
 > Configure an exception for SSL inspection and your proxy server to allow direct data pass-through from Defender for Endpoint on Linux to the relevant URLs without interception.
 > Adding your interception certificate to the global store doesn't enable interception.
@@ -183,7 +185,6 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
 > - For DEBIAN, the mdatp package requires `auditd`.
 > - For Mariner, the mdatp package requires `audit`.
 
-
 ## Installation instructions 
 
 There are several methods and tools that you can use to deploy Microsoft Defender for Endpoint on Linux (applicable to AMD64 and ARM64 Linux servers):
@@ -219,4 +220,4 @@ If you experience any installation issues, self-troubleshooting resources are av
 - [Install Defender for Endpoint on Linux to a custom path](linux-custom-location-installation.md)
 
 > [!TIP]
-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -21,6 +21,7 @@ appliesto:
   - Microsoft Defender for Endpoint Plan 2
 
 ---
+
 # Microsoft Defender for Endpoint on Linux
 
 
@@ -143,4 +144,4 @@ If you're using non-Microsoft applications, also see their documentation regardi
 - [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)
 
  > [!TIP]
-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)

defender-endpoint/microsoft-defender-offline.md

@@ -128,7 +128,7 @@ Starting with Windows 10, version 1607 or newer, and Windows 11, Microsoft Defen
 > [!NOTE]
 > In Windows 10, version 1607, the offline scan can be run from **Windows Settings > Update & security > Windows Defender** or from the Windows Defender client.
 
-1. On your Windows device, open the Windows Security app, and then **Scan options**.
+1. On your Windows device, open the **Windows Security** app. Select **Virus & threat protection**, and then choose **Scan options**.
 
 2. Select the radio button **Microsoft Defender Offline scan** and select **Scan now**.
 

defender-endpoint/respond-machine-alerts.md

@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: painbar
 author: paulinbar
 ms.localizationpriority: medium
-ms.date: 11/05/2025
+ms.date: 11/11/2025
 manager: bagol
 audience: ITPro
 ms.collection:
@@ -363,7 +363,9 @@ When an identity in your network might be compromised, you must prevent that ide
 > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
 
 > [!IMPORTANT]
-> Once a **Contain user** action is enforced on a domain controller, it starts a GPO update on the Default Domain Controller policy. A change of a GPO starts a sync across the domain controllers in your environment.  This is expected behavior, and if you monitor your environment for AD GPO changes, you may be notified of such changes. Undoing the **Contain user** action reverts the GPO changes to their previous state, which will then start another AD GPO synchronization in your environment. Learn more about [merging of security policies on domain controllers](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj966251(v=ws.11)#merging-of-security-policies-on-domain-controllers).
+> As part of the active protection provided by Microsoft Defender for Endpoint, a distributed mechanism can apply LSA Policy to prevent compromised users from accessing machines in your organization. Currently, when this policy is applied on domain controllers, it may cause Group Policy synchronization activity across domain controllers.
+>
+> We are gradually rolling out a new solution by integrating with new OS APIs. This deployment will be phased and thoroughly tested to ensure stability and security. During this rollout, LSA Policy enforcement on your servers will be temporarily removed to prevent potential GPO sync. This change will remain in effect until the rollout is complete.
 
 ### How to contain a user