Merge branch 'main' into poliveria-dex-mdc-ga-07072025

Author: poliveria

.openpublishing.redirection.defender-office-365.json

@@ -59,6 +59,11 @@
       "source_path": "defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md",
       "redirect_url": "/defender-office-365/submissions-outlook-report-messages",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/tenant-wide-setup-for-increased-security.md",
+      "redirect_url": "/security/zero-trust/zero-trust-identity-device-access-policies-overview",
+      "redirect_document_id": false
     }
   ]
 }

ATPDocs/deploy/deploy-defender-identity.md

@@ -23,10 +23,10 @@ Identify your architecture and your requirements, and then use the table below t
 |Server configuration   |Server Operating System  |Recommended deployment |
 |---------|---------|---------|---------|
 |Domain controller     | Windows Server 2019 or later with the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
-|Domain controller      |Windows Server 2016 or earlier         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
-|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    NA     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  NA       |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Entra Connect](active-directory-federation-services.md)|  NA    |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
+|Domain controller      |Windows Server 2016 or later         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
+|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    Windows Server 2016 or later      |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  Windows Server 2016 or later        |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Entra Connect](active-directory-federation-services.md)|  Windows Server 2016 or later     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
 
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.

ATPDocs/whats-new.md

@@ -25,7 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
-**Suspected Brute Force attack (Kerberos, NTLM):** Improved detection logic now includes scenarios where accounts were locked during the attacks - note that the number of triggered alerts may increase.
+**Suspected Brute Force attack (Kerberos, NTLM):** Improved detection logic now includes scenarios where accounts were locked during the attacks. As a result, the number of triggered alerts might increase.
 
 ## July 2025
 
@@ -37,17 +37,17 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
 
 ### New security posture assessments for unmonitored identity servers
 
-Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
+Microsoft Defender for Identity three new security posture assessments detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
 
 Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
 
-For more details, see:
+For more information, see:
 
 [Security Assessment: Unmonitored ADCS servers](unmonitored-active-directory-certificate-services-server.md)
 
 [Security Assessment: Unmonitored ADFS servers](unmonitored-active-directory-federation-services-servers.md)
 
-[Security Assessment: Unmonitored Entra Connect servers](unmonitored-entra-connect-servers.md)
+[Security Assessment: Unmonitored Microsoft Entra Connect servers](unmonitored-entra-connect-servers.md)
 
 
 
@@ -65,7 +65,7 @@ Scoping by Active Directory domains helps:
 
 - Support operational boundaries: Align access for SOC analysts, identity administrators, and regional teams.
 
-For more information see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
+For more information, see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
 
 
 ### Okta integration is now available in Microsoft Defender for Identity
@@ -106,7 +106,7 @@ Defender for Identity now supports deploying its new sensor on Domain Controller
 The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify noneligible servers and take action to update and onboard them for enhanced identity protection.
 
 
-### Local administrators collection (using SAM-R queries) feature will be disabled
+### Local administrators collection (using SAM-R queries) feature is disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change occurs automatically by the specified date, and no administrative action is required.
 
 ### New Health Issue
@@ -152,7 +152,7 @@ For more information, see: [Investigate and protect Service Accounts | Microsoft
 
 ### Enhanced Identity Inventory
 
-The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  
+The Identities page under *Assets* was updated to provide better visibility and management of identities across your environment.  
 The updated Identities Inventory page now includes the following tabs:
 
 - Identities: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information. 

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -406,8 +406,8 @@ This rule blocks executable files, such as .exe, .dll, or .scr, from launching.
 
 > [!IMPORTANT]
 > You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and isn't specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
-> You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+> This rule uses cloud-delivered protection to update its trusted list regularly.
+> You can specify individual files or folders by using folder paths or fully qualified resource names. It also supports the **ASROnlyPerRuleExclusions** setting.
 
 Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
 

defender-endpoint/mac-whatsnew.md

@@ -70,12 +70,24 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Jul-2025 (Build: 101.25062.0005  | Release version: 20.125062.5.0)
+
+| Build:             | **101.25062.0005**   |
+|--------------------|----------------------|
+| Release version:   | **20.125062.5.0**    |
+| Engine version:    | **1.1.25040.3000**   |
+| Signature version: | **1.427.248.0**      |
+
+##### What's new
+
+- Bug and performance fixes
+
 ### Jun-2025 (Build: 101.25052.0012  | Release version: 20.125052.12.0)
 
-| Build:             | **101.25052.0012**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125052.12.0** |
-| Engine version:    | **1.1.25060.3000**       |
+| Build:             | **101.25052.0012**   |
+|--------------------|----------------------|
+| Release version:   | **20.125052.12.0**   |
+| Engine version:    | **1.1.25060.3000**   |
 | Signature version: | **1.431.226.0**      |
 
 ##### What's new
@@ -84,10 +96,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### May-2025 (Build: 101.25042.0009  | Release version: 20.125042.9.0)
 
-| Build:             | **101.25042.0009**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125042.9.0** |
-| Engine version:    | **1.1.25040.3000**       |
+| Build:             | **101.25042.0009**   |
+|--------------------|----------------------|
+| Release version:   | **20.125042.9.0**    |
+| Engine version:    | **1.1.25040.3000**   |
 | Signature version: | **1.429.521.0**      |
 
 ##### What's new
@@ -97,10 +109,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### Apr-2025 (Build: 101.25032.0006  | Release version: 20.125032.6.0)
 
-| Build:             | **101.25032.0006**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125032.6.0** |
-| Engine version:    | **1.1.25020.3000**       |
+| Build:             | **101.25032.0006**   |
+|--------------------|----------------------|
+| Release version:   | **20.125032.6.0**    |
+| Engine version:    | **1.1.25020.3000**   |
 | Signature version: | **1.427.158.0**      |
 
 ##### What's new

defender-endpoint/microsoft-defender-core-service-overview.md

@@ -33,37 +33,50 @@ To enhance your endpoint security experience, Microsoft is releasing the Microso
    - Mid April 2024 to Enterprise customers running Windows clients.
    - Beginning of July 2024 to U.S. Government customers running Windows clients.
 
-   - Mid January 2025 to Enterprise customers running Windows Server.
+      The Microsoft Defender Core service for Windows Server is releasing with [Microsoft Defender Antivirus platform version 4.18.25050.5.](/defender-endpoint/microsoft-defender-antivirus-updates)
 
-3. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
+   - Mid July 2025 to Enterprise customers running Windows Server 2019 or later.
+      
+   - Mid September 2025 to Enterprise customers running the [unified Microsoft Defender for Endpoint client](/defender-endpoint/update-agent-mma-windows) for Windows Server 2012 R2 or Windows Server 2016.
+      
+1. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
 
-4. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience:
+1. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience:
 
    Enterprise customers should allow the following URLs:
 
    - `*.endpoint.security.microsoft.com`
+      
    - `ecs.office.com/config/v1/MicrosoftWindowsDefenderClient`
+      
    - `*.events.data.microsoft.com`
 
    If you don't want to use the wildcards for `*.events.data.microsoft.com`, you can use:
 
    - `us-mobile.events.data.microsoft.com/OneCollector/1.0`   
    - `eu-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `uk-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `au-mobile.events.data.microsoft.com/OneCollector/1.0`
+      
    - `mobile.events.data.microsoft.com/OneCollector/1.0`
-   
+      
    Enterprise U.S. Government customers should allow the following URLs:
 
    - `*.events.data.microsoft.com`
+      
    - `*.endpoint.security.microsoft.us (GCC-H & DoD)`
+      
    - `*.gccmod.ecs.office.com (GCC-M)`
+      
    - `*.config.ecs.gov.teams.microsoft.us (GCC-H)`
+      
    - `*.config.ecs.dod.teams.microsoft.us (DoD)`
 
-5. If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist. 
+1. If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist. 
 
-6. Consumers don't need to take any actions to prepare.
+1. Consumers don't need to take any actions to prepare.
 
 ## Microsoft Defender Antivirus processes and services
 
@@ -191,7 +204,8 @@ On the script page of the Run Script wizard, choose your script from the list (M
 #### Use the Registry to update the policies for Microsoft Defender Core service.
 
 1. Select **Start**, and then open Regedit.exe as an administrator.
-2. Go to `HKLM\Software\Policies\Microsoft\Windows Defender\Features`
+1. Go to `HKLM\Software\Policies\Microsoft\Windows Defender\Features`
+
 3. Set the values:
 
    `DisableCoreService1DSTelemetry` (dword) 0 (hex)