Merge branch 'main' into patch-38

Author: MithunRathinam

defender-endpoint/TOC.yml

@@ -285,6 +285,8 @@
                 href: linux-deploy-defender-for-endpoint-using-golden-images.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+              - name: Deployment guidance for Defender for Endpoint on Linux for SAP
+                href: mde-linux-deployment-on-sap.md
           - name: Configure Defender for Endpoint on Linux
             items:
             - name: Configure security policies and settings

defender-endpoint/aggregated-reporting.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.topic: article
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 10/20/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 2
 ---
@@ -33,13 +33,16 @@ When aggregated reporting is turned on, you can query for a summary of all suppo
 
 The following requirements must be met before turning on aggregated reporting:
 
-- Defender for Endpoint Plan 2 license
 - Permissions to enable advanced features
 
-Aggregated reporting supports the following:
 
-- Client version: Windows version 24H and later
-- Operating systems: Windows 11 (22H2, Enterprise), Windows 10 (20H2, 21H1, 21H2), Windows Server 2019 and later, Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+### Supported operating systems: 
+
+  - Windows 10 (20H2, 21H1, 21H2)
+  - Windows 11 (22H2, Enterprise)
+  - Windows Server 2019 and later
+  - Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+  - Client version: Windows version 24H and later
 
 ## Turn on aggregated reporting
 
@@ -77,9 +80,9 @@ To query new data with aggregated reports:
 3. When necessary, create new custom rules to incorporate new action types.
 4. Go to the **Advanced Hunting** page and query the new data.
 
-Here is an example of advanced hunting query results with aggregated reports.
+   Here is an example of advanced hunting query results with aggregated reports.
 
-:::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
+   :::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
 
 ## Sample advanced hunting queries
 
@@ -125,4 +128,4 @@ DeviceNetworkEvents
 | where uniqueEventsAggregated > 10
 | project-reorder ActionType, Timestamp, uniqueEventsAggregated 
 | sort by uniqueEventsAggregated desc
-```
+```

defender-endpoint/amsi-on-mdav.md

@@ -5,7 +5,7 @@ author: batamig
 ms.author: bagol
 manager: bagol
 ms.reviewer: yongrhee
-ms.date: 12/05/2024
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -29,11 +29,6 @@ ai-usage: ai-assisted
 # Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
 
 
-**Platforms**:
-
-- Windows 10 and newer
-- Windows Server 2016 and newer
-
 Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.
 
 ## What is fileless malware?
@@ -67,9 +62,12 @@ Microsoft Defender Antivirus blocks most malware using generic, heuristic, and b
    - Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
    - Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
 
-## Why AMSI?
+## Prerequisites 
 
-AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.
+### Supported operating systems
+
+- Windows 10 and later
+- Windows Server 2016 and later
 
 ### Supported Scripting Languages
 
@@ -84,6 +82,11 @@ If you use Microsoft 365 Apps, AMSI also supports JavaScript, VBA, and XLM.
 
 AMSI doesn't currently support Python or Perl.
 
+## Why AMSI?
+
+AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.
+
+
 ### Enabling AMSI
 
 To enable AMSI, you need to enable script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md).

defender-endpoint/api/get-live-response-result.md

@@ -17,59 +17,57 @@ ms.collection:
 ms.topic: reference
 ms.subservice: reference
 ms.custom: api
-ms.date: 06/03/2021
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
-
 ---
+
 # Get live response results
 
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-## API description
-
-Retrieves a specific live response command result by its index.
-
-## Limitations
-
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per
-    hour.
-
-## Minimum requirements
+## Prerequisites
 
-Before you can initiate a session on a device, make sure you fulfill the following requirements:
+Devices must be running one of the following versions of Windows: 
 
-- **Verify that you're running a supported version of Windows**.
+### Supported operating systems
 
-  Devices must be running one of the following versions of Windows
-
-  - **Windows 11**
+  - Windows 11
 
-  - **Windows 10**
+  - Windows 10
     - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
     - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
     - [Version 1809 (RS 5)](/windows/whats-new/whats-new-windows-10-version-1809) with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
     - [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
     - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
 
-  - **Windows Server 2019 - Only applicable for Public preview**
+  - Windows Server 2019 - Only applicable for Public preview
     - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later
     - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
-    
-  - **Windows Server 2022**  
 
-  - **Windows Server 2025**
-  - **Azure Stack HCI OS, version 23H2 and later**
+  - Windows Server 2022 and later
+
+  - Azure Stack HCI OS, version 23H2 and later
+
+## API description
+
+Retrieves a specific live response command result by its index.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per
+    hour.
+
+
 
 ## Permissions
 

defender-endpoint/api/initiate-autoir-investigation.md

@@ -15,19 +15,17 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 03/01/2025
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint
   - Microsoft Defender for Business
-
 ---
+
 # Start Investigation API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -42,11 +40,11 @@ See [Overview of automated investigations](../automated-investigations.md) for m
 
 1. Rate limitations for this API are 50 calls per hour.
 
-## Requirements for AIR
+## Prerequisites
 
-Your organization must have Defender for Endpoint see: [Minimum requirements for Microsoft Defender for Endpoint](../minimum-requirements.md).
+Your organization must have Defender for Endpoint, see [Minimum requirements for Microsoft Defender for Endpoint](../minimum-requirements.md).
 
-Currently, AIR only supports the following OS versions:
+### Supported operating systems
 
 - Windows 11
 - Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
@@ -67,8 +65,8 @@ Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
 > [!NOTE]
 > When obtaining a token using user credentials:
 >
-> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](../user-roles.md) for more information)
-> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](../user-roles.md) for more information).
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information).
 >
 > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. 
 

defender-endpoint/api/run-live-response.md

@@ -17,25 +17,55 @@ ms.collection:
 ms.topic: reference
 ms.subservice: reference
 ms.custom: api
-ms.date: 04/18/2023
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 2
-
 ---
-# Run live response commands on a device
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
+# Run live response commands on a device
 
 
+[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
 
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
+
+## Prerequisites
+
+Before you can initiate a session on a device, make sure you fulfill the following requirements:
+
+### Supported operating systems
+
+  - Windows 11
+  
+  - Windows 10
+    - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
+    - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
+    - [Version 1809 (RS 5)](/windows/whats-new/whats-new-windows-10-version-1809) with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
+    - [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+    - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
+
+  - Windows Server 2019 - Only applicable for Public preview
+    - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later
+    - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
+    
+- Windows Server 2022 and later
+
+- Azure Stack HCI OS, version 23H2 and later
+
+- macOS [(requires other configuration profiles)](../microsoft-defender-endpoint-mac.md)
+      - 13 (Ventura)
+      - 12 (Monterey)
+      - 11 (Big Sur)
+
+- Linux servers
+      - [Supported Linux distributions](../mde-linux-prerequisites.md#supported-linux-distributions)
+
 ## API description
 
 Runs a sequence of live response commands on a device
@@ -60,42 +90,10 @@ Runs a sequence of live response commands on a device
 
 8. Multiple live response sessions can't be executed on the same machine (if live response action is already running, subsequent requests are responded to with HTTP 400 - ActiveRequestAlreadyExists).
 
-> [!NOTE]
-> Live response actions initiated from the Device page aren't available in the `machineactions` API.
-
-## Minimum Requirements
-
-Before you can initiate a session on a device, make sure you fulfill the following requirements:
-
-- **Verify that you're running a supported Windows, macOS, or Linux version**.
-
-  Devices must be running one of the following:
-
-  - **Windows 11**
-  
-  - **Windows 10**
-    - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
-    - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
-    - [Version 1809 (RS 5)](/windows/whats-new/whats-new-windows-10-version-1809) with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
-    - [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
-    - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
-
-  - **Windows Server 2019 - Only applicable for Public preview**
-    - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later
-    - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
-    
-  - **Windows Server 2022**
-
-- **Windows Server 2025**
-- **Azure Stack HCI OS, version 23H2 and later**
+    > [!NOTE]
+    > Live response actions initiated from the Device page aren't available in the `machineactions` API.
 
-  - **macOS** [(requires other configuration profiles)](../microsoft-defender-endpoint-mac.md)
-      - 13 (Ventura)
-      - 12 (Monterey)
-      - 11 (Big Sur)
 
-  - **Linux servers**
-      - [Supported Linux distributions](../mde-linux-prerequisites.md#supported-linux-distributions)
 
 ## Permissions
 

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -15,18 +15,15 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 08/28/2025
+ms.date: 10/20/2025
 search.appverid: met150
 appliesto:
   - Microsoft Defender for Endpoint Plan 2
-
 ---
-# Attack surface reduction rules reference
 
 
-**Platforms:**
+# Attack surface reduction rules reference
 
-- Windows
 
 This article provides information about Microsoft Defender for Endpoint attack surface reduction rules (ASR rules):
 
@@ -41,6 +38,12 @@ This article provides information about Microsoft Defender for Endpoint attack s
 
 [!Include [defender-endpoint-setup-guide.md](../includes/mde-automated-setup-guide.md)]
 
+## Prerequisites
+
+### Supported operating systems
+
+- Windows
+
 ## Attack surface reduction rules by type
 
 Attack surface reduction rules are categorized as one of two types: