Commit 2c9d538

Merge branch 'main' into WI336647-add-prerequisites-govern-discovered-apps
2 parents 9d5c050 + 1a9299e commit 2c9d538


42 files changed: +204 -262 lines changed

.acrolinx-config.edn

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,6 @@
11
{:changed-files-limit 60
22
:allowed-branchname-matches ["main" "release-.*"]
3-
:allowed-filename-matches ["ATADocs/" "ATPDocs/" "CloudAppSecurityDocs/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/" "exposure-management/" "unified-secops-platform/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
3+
:allowed-filename-matches ["advanced-threat-analytics/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud-apps/" "defender-for-cloud/" "defender-for-identity/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/" "exposure-management/" "unified-secops-platform/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
44

55
:use-gh-statuses true
66
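Review bot: the three renamed prefixes (`advanced-threat-analytics/`, `defender-for-cloud-apps/`, `defender-for-identity/`) should be verified against the actual directory names in the repo, because an allow-list entry that matches nothing does not fail the build; it just quietly removes that folder from Acrolinx checking. The trailing comment's example `["folder/" "folder2"]` mixes a trailing slash with none; make both forms consistent (`["folder/" "folder2/"]`) so readers copy the pattern the real entries use.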

.openpublishing.redirection.defender-cloud-apps.json

Lines changed: 5 additions & 0 deletions
@@ -1015,5 +1015,10 @@
10151015
"redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
10161016
"redirect_document_id": true
10171017
},
1018+
{
1019+
"source_path": "defender-for-cloud-apps/cloud-discovery-anomaly-detection-policy.md",
1020+
"redirect_url": "/defender-cloud-apps/cloud-discovery-policies",
1021+
"redirect_document_id": false
1022+
}
10181023
]
10191024
}
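Review bot: the new entry's `source_path` sits under `defender-for-cloud-apps/` while the `redirect_url` targets `/defender-cloud-apps/`, matching the existing entry directly above it, so the prefix difference looks intentional; do confirm that `cloud-discovery-anomaly-detection-policy.md` is actually deleted in this commit, since a redirect and a still-published source page conflict. `redirect_document_id: false` is the right choice when the anomaly-detection content is folded into a page that keeps its own document ID.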

.openpublishing.redirection.defender-identity.json

Lines changed: 6 additions & 1 deletion
@@ -859,6 +859,11 @@
859859
"source_path": "defender-for-identity/manage-security-alerts.md",
860860
"redirect_url": "/defender-for-identity/understanding-security-alerts",
861861
"redirect_document_id": false
862-
},
862+
},
863+
{
864+
"source_path": "defender-for-identity/automated-response-exclusions.md",
865+
"redirect_url": "/defender-xdr/automatic-attack-disruption-exclusions",
866+
"redirect_document_id": false
867+
}
863868
]
864869
}
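Review bot: line 862 appears on both the `-` and `+` sides as `},`, so the only change there is whitespace; if it is a trailing-space cleanup that is fine, but if the entry was reindented, check it matches the indentation used elsewhere in the file so the diff stays minimal. The new entry redirects from the Defender for Identity docset to `/defender-xdr/automatic-attack-disruption-exclusions`; `redirect_document_id: false` is consistent with the cross-page entry above and is the correct setting when the target lives in a different docset.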

defender-business/mdb-faq.yml

Lines changed: 2 additions & 2 deletions
@@ -163,9 +163,9 @@ sections:
163163
164164
- question: Can I have a mix of Microsoft endpoint security subscriptions?
165165
answer: |
166-
Microsoft Defender for Business does not support mixed licensing, so a tenant with Defender for Business (which is included in Microsoft 365 Business Premium) along with Defender for Endpoint Plan 2 (which is included in Microsoft 365 E5 Security) defaults to the Defender for Business experience.
166+
Microsoft Defender for Business does not support mixed licensing, so a tenant with Defender for Business (which is included in Microsoft 365 Business Premium) along with Defender for Endpoint Plan 2 (which is included in the Microsoft Defender Suite) defaults to the Defender for Business experience.
167167
168-
For example, if you have 80 users licensed for Defender for Business (as part of a Microsoft 365 Business Premium subscription), and you add Microsoft 365 E5 Security for 30 of those users, the experience for all users defaults to Defender for Business. If you want to change that to the Defender for Endpoint Plan 2 experience, you should license all users for Defender for Endpoint Plan 2 (either through the standalone version of Defender for Endpoint Plan 2 or Microsoft 365 E5 Security), and then contact Microsoft Support to request the switch for your tenant.
168+
For example, if you have 80 users licensed for Defender for Business (as part of a Microsoft 365 Business Premium subscription), and you add the Microsoft Defender Suite for 30 of those users, the experience for all users defaults to Defender for Business. If you want to change that to the Defender for Endpoint Plan 2 experience, you should license all users for Defender for Endpoint Plan 2 (either through the standalone version of Defender for Endpoint Plan 2 or the Microsoft Defender Suite), and then contact Microsoft Support to request the switch for your tenant.
169169
170170
For more information, see [Manage your subscription settings](mdb-manage-subscription.md).
171171
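Review bot: the swap from "Microsoft 365 E5 Security" to "the Microsoft Defender Suite" is applied consistently in both paragraphs, but a reader who holds a subscription bought under the old name now finds no mention of it; if the Defender Suite supersedes E5 Security, say so once at the first mention, or link the first mention to the Defender Suite overview if one exists in this docset. "does not support" can become "doesn't support" to match the contraction style used in the surrounding FAQ answers.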

defender-business/mdb-manage-subscription.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ ms.collection:
2222

2323
[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones.
2424

25-
As your organization grows, you might be thinking about changing from Defender for Business to Defender for Endpoint. For example, if you have Defender for Business as part of a [Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-overview) subscription, and you add Microsoft 365 E5 Security to your subscription, you now have Defender for Endpoint Plan 2 capabilities while retaining the Defender for Business experience.
25+
As your organization grows, you might be thinking about changing from Defender for Business to Defender for Endpoint. For example, if you have Defender for Business as part of a [Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-overview) subscription, and you add the Microsoft Defender Suite to your subscription, you now have Defender for Endpoint Plan 2 capabilities while retaining the Defender for Business experience.
2626

2727
This article describes how to view your current license state and, if needed, change your experience from Defender for Business to Defender for Endpoint.
2828

defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 10 additions & 10 deletions
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
77
audience: ITPro
88
author: paulinbar
99
ms.author: painbar
10-
ms.reviewer: sugamar, yongrhee
10+
ms.reviewer: sugamar, ericlaw
1111
manager: bagol
1212
ms.custom: asr
1313
ms.topic: reference
@@ -462,7 +462,7 @@ Dependencies: Microsoft Defender Antivirus, AMSI
462462

463463
### Block Office applications from creating executable content
464464

465-
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule also blocks execution of untrusted files that might have been saved by Office macros that are allowed to run in Office files.
465+
This rule prevents Office apps, including Word, Excel, and PowerPoint, from being used as a vector to persist malicious code on disk. Malware that abuses Office as a vector might attempt to save malicious components to disk that would survive a computer reboot and persist on the system. This rule defends against this persistence technique by blocking access (open/execute) to the code written to disk. This rule also blocks execution of untrusted files that might have been saved by Office macros that are allowed to run in Office files.
466466

467467
Intune name: `Office apps/macros creating executable content`
468468
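Review bot: the rewritten description moves the enforcement point from write time ("blocking malicious code from being written to disk") to access time ("blocking access (open/execute) to the code written to disk"); confirm this matches the rule's actual behaviour, because admins reason about exclusions and the audit events they expect differently depending on whether the file lands on disk and is then blocked, or is never written. Stylistically, "vector" appears in both of the first two sentences ("used as a vector to persist malicious code on disk. Malware that abuses Office as a vector"); the second occurrence can go.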

@@ -579,10 +579,7 @@ Dependencies: Microsoft Defender Antivirus
579579

580580
### Block rebooting machine in Safe Mode
581581

582-
> [!NOTE]
583-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
584-
585-
This rule prevents the execution of commands to restart machines in Safe Mode. Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.
582+
This rule prevents the execution of certain commands to restart machines in Safe Mode. In Windows' Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such abuse of Safe Mode by preventing commonly abused commands like `bcdedit` and `bootcfg` from restarting machines in Safe Mode. Safe Mode is still accessible manually from the Windows Recovery Environment.
586583

587584
Intune Name: ` Block rebooting machine in Safe Mode`
588585
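Review bot: the new wording names `bcdedit` and `bootcfg` and adds the useful caveat that Safe Mode remains reachable from the Windows Recovery Environment, which sets the right expectation for admins; the removed NOTE about Threat and Vulnerability Management reappears after the Dependencies line in the next hunk, so nothing is lost. While this section is being edited, the unchanged `Intune Name` line still has a leading space inside the backticks (` Block rebooting machine in Safe Mode`), which renders as a stray space before the name; drop it.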

@@ -598,6 +595,9 @@ Advanced hunting action type:
598595

599596
Dependencies: Microsoft Defender Antivirus
600597

598+
> [!NOTE]
599+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
600+
601601
### Block untrusted and unsigned processes that run from USB
602602

603603
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
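Review bot: placing the relocated NOTE after `Dependencies` puts it in the same slot for every affected rule, which is easier to keep consistent than the old position under the heading. Two wording points on the added line: "is not yet recognized" reads better as "isn't yet recognized" per the contraction style in the rest of the file, and "Threat and Vulnerability Management" should be checked against the product's current name (Microsoft Defender Vulnerability Management) if that is the report being referred to.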
@@ -620,9 +620,6 @@ Dependencies: Microsoft Defender Antivirus
620620

621621
### Block use of copied or impersonated system tools
622622

623-
> [!NOTE]
624-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
625-
626623
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
627624

628625
Intune Name: `Block use of copied or impersonated system tools`
@@ -641,6 +638,9 @@ Advanced hunting action type:
641638

642639
Dependencies: Microsoft Defender Antivirus
643640

641+
> [!NOTE]
642+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
643+
644644
### Block Webshell creation for Servers
645645

646646
This rule blocks web shell script creation on Microsoft Server, Exchange Role. A web shell script is a crafted script that allows an attacker to control the compromised server.
@@ -654,7 +654,7 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
654654
Dependencies: Microsoft Defender Antivirus
655655

656656
> [!NOTE]
657-
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Exchange servers.
657+
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
658658
659659
### Block Win32 API calls from Office macros
660660
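Review bot: this NOTE now combines two unrelated messages, the Group Policy "Not Configured" requirement and the Threat and Vulnerability Management "Not applicable" remark, in a single callout; for consistency with the Safe Mode and copied-system-tools sections, where the TVM remark is its own NOTE after `Dependencies`, split the last sentence into a second NOTE. The dropped qualifier "for Exchange servers" was specific to this rule, which the section above says applies to the Exchange role on Microsoft Server; consider keeping it so the report remark matches the rule's scope.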

defender-endpoint/data-storage-privacy.md

Lines changed: 12 additions & 6 deletions
@@ -16,7 +16,7 @@ ms.collection:
1616
- essentials-compliance
1717
ms.topic: concept-article
1818
search.appverid: met150
19-
ms.date: 05/12/2025
19+
ms.date: 09/03/2025
2020
appliesto:
2121
- Microsoft Defender for Endpoint Plan 1
2222
- Microsoft Defender for Endpoint Plan 2
@@ -43,7 +43,7 @@ Information collected includes file data (file names, sizes, and hashes), proces
4343

4444
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
4545

46-
This data enables Defender for Endpoint to:
46+
This data lets Defender for Endpoint:
4747

4848
- Proactively identify indicators of attack (IOAs) in your organization
4949
- Generate alerts if a possible attack was detected
@@ -53,20 +53,26 @@ Microsoft doesn't use your data for advertising.
5353

5454
## Data location
5555

56-
Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, or India. Customer data collected by the service might be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
56+
Defender for Endpoint operates in the Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, Switzerland, India, or the United Arab Emirates (UAE). Customer data collected by the service might be stored in: (a) the geolocation of the tenant as identified during provisioning or, (b) the geolocation as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data. For more information, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
5757

58-
(a) the geo-location of the tenant as identified during provisioning; or
58+
(a) the geolocation of the tenant as identified during provisioning; or
5959

60-
(b) the geo-location as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data.
60+
(b) the geolocation as defined by the data storage rules of an online service if this online service is used by Defender for Endpoint to process such data.
6161

62-
## Data Retention
62+
## Data retention
6363

6464
Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal.
6565

6666
Your data is kept and is available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
6767

6868
In the advanced hunting investigation experience, it's accessible via a query for 30 days.
6969

70+
## Data recovery
71+
72+
The Microsoft Defender for Endpoint (MDE) service incorporates a regional disaster recovery strategy aligned with Microsoft's broader resiliency framework. For more information, see [Resiliency and continuity - Microsoft Service Assurance | Microsoft Learn](/compliance/assurance/assurance-resiliency-and-continuity). In the event of a service disruption, all MDE components are designed to fail over to a paired region within the same geographic boundary, thereby maintaining data residency requirements.
73+
74+
However, due to current service limitations in the United Arab Emirates, MDE components that depend on Azure Synapse workloads are supported with zonal resiliency only. At this time, for the workloads, there is no cross-region business continuity and disaster recovery (BCDR) capability available. For more information on Synapse’s disaster recovery capabilities, refer to the official documentation.
75+
7076
## Data sharing for Microsoft Defender for Endpoint
7177

7278
Microsoft Defender for Endpoint shares data, including customer data, among the following Microsoft products, also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
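Review bot: two points on the "Data location" and "Data recovery" changes. First, the paragraph at line 56 now spells out (a) and (b) inline, and lines 58 and 60 repeat the same two items as standalone paragraphs; since this hunk already touches all three lines, drop either the inline copy or the two standalone lines. Second, the new "Data recovery" section ends with "refer to the official documentation" with no link; add the link to the Azure Synapse disaster recovery page, tighten "for the workloads, there is no" to "these workloads have no", and replace the curly apostrophe in "Synapse’s" with a straight one to match the rest of the file. The UAE addition is consistent across both sections: the location list gains the UAE and the recovery section explains the zonal-only limitation for Synapse-dependent components there, which is the detail a customer evaluating UAE residency needs.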

defender-endpoint/mde-linux-prerequisites.md

Lines changed: 4 additions & 9 deletions
@@ -178,20 +178,15 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
178178
- For DEBIAN the mdatp package requires `libc6 >= 2.23`.
179179

180180
> [!NOTE]
181+
> For versions 101.25042.0003 and later, no external dependencies are required, whereas versions older than 101.25032.0000 require additional packages:
182+
> - RPM-based distributions: `mde-netfilter`, `pcre`, `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2`
183+
> - DEBIAN-based distributions: `mde-netfilter`, `libpcre3`, `libnetfilter-queue1`, `libglib2.0-0`
181184
> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
182185
> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or older, the following additional dependency on the auditd package exists for mdatp:
183186
> - The mdatp RPM package requires `audit`, `semanage`.
184187
> - For DEBIAN, the mdatp package requires `auditd`.
185188
> - For Mariner, the mdatp package requires `audit`.
186-
>
187-
> For versions older than `101.25032.0000`, the following requirements apply:
188-
> - RPM package needs: `mde-netfilter` and `pcre`
189-
> - DEBIAN package needs: `mde-netfilter` and `libpcre3`
190-
>
191-
> Beginning with version `101.25042.0003`, uuid-runtime is no longer required as an external-dependency.
192-
> The `mde-netfilter` package also has the following package dependencies:
193-
> - For DEBIAN, the `mde-netfilter` package requires `libnetfilter-queue1` and `libglib2.0-0`
194-
> - For RPM, the `mde-netfilter` package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
189+
195190

196191
## Installation instructions
197192
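Review bot: the new line 181 leaves a version gap: it says 101.25042.0003 and later need no external dependencies and versions older than 101.25032.0000 need the listed packages, but says nothing about versions from 101.25032.0000 up to (but excluding) 101.25042.0003; the removed text implied those versions still required `uuid-runtime` until 101.25042.0003, and that fact has been dropped entirely. State what applies in the intermediate range, or add `uuid-runtime` to the list with its version bound. Also, the new lines are inserted at the top of the existing NOTE and run straight into the Auditd sentence on line 184 without a bare `>` separator line, so the two topics render as one paragraph; add a `>` line between them, as the removed version had.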

defender-endpoint/microsoft-defender-endpoint-mac-prerequisites.md

Lines changed: 3 additions & 3 deletions
@@ -48,10 +48,10 @@ This article lists the prerequisites for installing and configuring Microsoft De
4848
### System requirements
4949

5050
These three most recent major releases of macOS are supported.
51+
- 26 (Tahoe)
52+
5153
- 15.0.1 (Sequoia)
5254
- 14 (Sonoma)
53-
- 13 (Ventura)
54-
5555
> [!NOTE]
5656
> Beta versions of macOS aren't supported, but new releases of macOS are supported from day 1.
5757
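Review bot: the added line 52 is a blank line between the `26 (Tahoe)` item and `15.0.1 (Sequoia)`, which turns the list into a loose list with paragraph spacing or, depending on the renderer, two separate lists; remove it so the three items render as one tight list. The count in "These three most recent major releases" still matches after adding Tahoe and dropping Ventura. Version formatting is inconsistent: `26` and `14` are major versions while `15.0.1` is a point release; use `15 (Sequoia)` unless 15.0.1 is a real minimum.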
@@ -82,7 +82,7 @@ You can also configure Defender for Endpoint on macOS locally
8282
Microsoft Defender for Endpoint on macOS requires one of the following Microsoft Volume Licensing offers:
8383

8484
- Microsoft 365 E5
85-
- Microsoft 365 E5 Security
85+
- Microsoft Defender Suite
8686
- Microsoft 365 A5
8787
- Windows 10 Enterprise E5
8888
- Microsoft 365 Business Premium

defender-endpoint/microsoft-defender-endpoint-mac.md

Lines changed: 1 addition & 1 deletion
@@ -89,7 +89,7 @@ After you've enabled the service, you might need to configure your network or fi
8989
Defender for Endpoint on Mac requires one of the following Microsoft Volume Licensing offers:
9090

9191
- Microsoft 365 E5
92-
- Microsoft 365 E5 Security
92+
- Microsoft Defender Suite
9393
- Microsoft 365 A5
9494
- Windows 10 Enterprise E5
9595
- Microsoft 365 Business Premium
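Review bot: this is the same licensing list as in microsoft-defender-endpoint-mac-prerequisites.md, changed the same way in this commit; the two copies had to be edited in lockstep, so consider moving the list into a shared include that both articles reference, so the next product rename doesn't require touching both files.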
