Merge branch 'main' into patch-6

Author: EdgarPMIA

defender-business/mdb-get-started.md

@@ -19,6 +19,7 @@ ms.collection:
 - tier1
 - essentials-get-started
 ms.custom: intro-get-started
+#customer intent: As a Defender for Business admin, I need quick guidance to navigate the Microsoft Defender portal and find first steps so I can get started securing devices and email.
 ---
 
 # Visit the Microsoft Defender portal

defender-endpoint/TOC.yml

@@ -126,15 +126,13 @@
             - name: Step 2 - Configure device proxy and Internet settings
               href: configure-proxy-internet.md
             - name: Step 3 - Verify client connectivity to service URLs
-              href: verify-connectivity.md
-            
-        - name: Streamlined connectivity
-          items:
-            - name: Onboarding devices using streamlined method
-              href: configure-device-connectivity.md
-            - name: Migrating devices to streamlined method
+              href: verify-connectivity.md        
+            - name: Onboard devices using streamlined method
+              href: configure-device-connectivity.md            
+            - name: Migrate devices to streamlined method
               href: migrate-devices-streamlined.md
-
+            - name: Enable access to service URLs - US government            
+              href: streamlined-device-connectivity-urls-gov.md                       
         - name: Onboard client devices
           items:
           - name: Onboard client devices running Windows or macOS
@@ -285,6 +283,8 @@
                 href: linux-deploy-defender-for-endpoint-using-golden-images.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+              - name: Deployment guidance for Defender for Endpoint on Linux for SAP
+                href: mde-linux-deployment-on-sap.md
           - name: Configure Defender for Endpoint on Linux
             items:
             - name: Configure security policies and settings

defender-endpoint/aggregated-reporting.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.topic: article
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 10/20/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 2
 ---
@@ -33,13 +33,16 @@ When aggregated reporting is turned on, you can query for a summary of all suppo
 
 The following requirements must be met before turning on aggregated reporting:
 
-- Defender for Endpoint Plan 2 license
 - Permissions to enable advanced features
 
-Aggregated reporting supports the following:
 
-- Client version: Windows version 24H and later
-- Operating systems: Windows 11 (22H2, Enterprise), Windows 10 (20H2, 21H1, 21H2), Windows Server 2019 and later, Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+### Supported operating systems: 
+
+  - Windows 10 (20H2, 21H1, 21H2)
+  - Windows 11 (22H2, Enterprise)
+  - Windows Server 2019 and later
+  - Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+  - Client version: Windows version 24H and later
 
 ## Turn on aggregated reporting
 
@@ -77,9 +80,9 @@ To query new data with aggregated reports:
 3. When necessary, create new custom rules to incorporate new action types.
 4. Go to the **Advanced Hunting** page and query the new data.
 
-Here is an example of advanced hunting query results with aggregated reports.
+   Here is an example of advanced hunting query results with aggregated reports.
 
-:::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
+   :::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
 
 ## Sample advanced hunting queries
 
@@ -125,4 +128,4 @@ DeviceNetworkEvents
 | where uniqueEventsAggregated > 10
 | project-reorder ActionType, Timestamp, uniqueEventsAggregated 
 | sort by uniqueEventsAggregated desc
-```
+```

defender-endpoint/amsi-on-mdav.md

@@ -5,7 +5,7 @@ author: batamig
 ms.author: bagol
 manager: bagol
 ms.reviewer: yongrhee
-ms.date: 12/05/2024
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -29,11 +29,6 @@ ai-usage: ai-assisted
 # Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
 
 
-**Platforms**:
-
-- Windows 10 and newer
-- Windows Server 2016 and newer
-
 Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.
 
 ## What is fileless malware?
@@ -67,9 +62,12 @@ Microsoft Defender Antivirus blocks most malware using generic, heuristic, and b
    - Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
    - Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
 
-## Why AMSI?
+## Prerequisites 
 
-AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.
+### Supported operating systems
+
+- Windows 10 and later
+- Windows Server 2016 and later
 
 ### Supported Scripting Languages
 
@@ -84,6 +82,11 @@ If you use Microsoft 365 Apps, AMSI also supports JavaScript, VBA, and XLM.
 
 AMSI doesn't currently support Python or Perl.
 
+## Why AMSI?
+
+AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.
+
+
 ### Enabling AMSI
 
 To enable AMSI, you need to enable script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md).

defender-endpoint/android-configure.md

@@ -2,8 +2,8 @@
 title: Configure Microsoft Defender for Endpoint on Android features
 description: Describes how to configure Microsoft Defender for Endpoint on Android
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: denishdonga
 ms.localizationpriority: medium
 manager: bagol
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: android
 search.appverid: met150
-ms.date: 06/05/2025
+ms.date: 10/23/2025
 appliesto:
    - Microsoft Defender for Endpoint Plan 1
    - Microsoft Defender for Endpoint Plan 2
@@ -130,14 +130,12 @@ Following privacy controls are available for configuring the data that is sent b
 
 ## Root Detection (Preview)
 
-Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are rooted. These root detection checks are done periodically. If a device is detected as rooted, these events occur:
+Microsoft Defender for Endpoint has the ability to detect unmanaged and managed devices that are rooted. These root detection checks are done periodically. If a device is detected as rooted, the following events occur:
 
-- A high-risk alert is reported to the Microsoft Defender portal. If device Compliance and Conditional Access are set up based on device risk score, then the device is blocked from accessing corporate data.
+- A high-risk alert is reported to the Microsoft Defender portal. If Device Compliance and Conditional Access are set up based on device risk score, then the device is blocked from accessing corporate data.
 
-- User data on app is cleared. When user opens the app after rooted.
+- User data on the app is cleared after the device has been detected as rooted. The feature is enabled by default; no action is required from admin or user.
 
-  The feature is enabled by default; no action is required from admin or user. Any android device running Defender version **1.0.8125.0302** (or later) will have it activated.
-  
 **Prerequisite**
 
 - Company portal must be installed, and version must be >=5.0.6621.0

defender-endpoint/api/get-live-response-result.md

@@ -17,59 +17,57 @@ ms.collection:
 ms.topic: reference
 ms.subservice: reference
 ms.custom: api
-ms.date: 06/03/2021
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
-
 ---
+
 # Get live response results
 
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-## API description
-
-Retrieves a specific live response command result by its index.
-
-## Limitations
-
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per
-    hour.
-
-## Minimum requirements
+## Prerequisites
 
-Before you can initiate a session on a device, make sure you fulfill the following requirements:
+Devices must be running one of the following versions of Windows: 
 
-- **Verify that you're running a supported version of Windows**.
+### Supported operating systems
 
-  Devices must be running one of the following versions of Windows
-
-  - **Windows 11**
+  - Windows 11
 
-  - **Windows 10**
+  - Windows 10
     - [Version 1909](/windows/whats-new/whats-new-windows-10-version-1909) or later
     - [Version 1903](/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
     - [Version 1809 (RS 5)](/windows/whats-new/whats-new-windows-10-version-1809) with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
     - [Version 1803 (RS 4)](/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
     - [Version 1709 (RS 3)](/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
 
-  - **Windows Server 2019 - Only applicable for Public preview**
+  - Windows Server 2019 - Only applicable for Public preview
     - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later
     - Version 1809 (with [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818))
-    
-  - **Windows Server 2022**  
 
-  - **Windows Server 2025**
-  - **Azure Stack HCI OS, version 23H2 and later**
+  - Windows Server 2022 and later
+
+  - Azure Stack HCI OS, version 23H2 and later
+
+## API description
+
+Retrieves a specific live response command result by its index.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per
+    hour.
+
+
 
 ## Permissions
 

defender-endpoint/api/initiate-autoir-investigation.md

@@ -15,19 +15,17 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 03/01/2025
+ms.date: 10/20/2025
 appliesto:
   - Microsoft Defender for Endpoint
   - Microsoft Defender for Business
-
 ---
+
 # Start Investigation API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -42,11 +40,11 @@ See [Overview of automated investigations](../automated-investigations.md) for m
 
 1. Rate limitations for this API are 50 calls per hour.
 
-## Requirements for AIR
+## Prerequisites
 
-Your organization must have Defender for Endpoint see: [Minimum requirements for Microsoft Defender for Endpoint](../minimum-requirements.md).
+Your organization must have Defender for Endpoint, see [Minimum requirements for Microsoft Defender for Endpoint](../minimum-requirements.md).
 
-Currently, AIR only supports the following OS versions:
+### Supported operating systems
 
 - Windows 11
 - Windows 10, version [1803](/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
@@ -67,8 +65,8 @@ Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
 > [!NOTE]
 > When obtaining a token using user credentials:
 >
-> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](../user-roles.md) for more information)
-> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](../user-roles.md) for more information).
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information).
 >
 > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. 
 

defender-endpoint/api/post-ti-indicator.md

@@ -25,10 +25,6 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
-
-
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -71,20 +67,20 @@ Content-Type|string|application/json. **Required**.
 
 In the request body, supply a JSON object with the following parameters:
 
-Parameter|Type|Description
-:---|:---|:---
-indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**
-indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required**
-action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`.
-application|String|The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. **Optional**
-title|String|Indicator alert title. **Required**
-description|String|Description of the indicator. **Required**
-expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**
-severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional**
-recommendedActions|String|TI indicator alert recommended actions. **Optional**
-rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**
-generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert.
+|Parameter|Type|Description|
+|:---|:---|:---|
+|indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**|
+|indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required**|
+|action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`.|
+|application|String|A user-friendly name for the content blocked by the indicator. If specified, this text will be shown in the blocking notification in place of the blocked filename or domain. This field only works for new indicators; it doesn't update the value on an existing indicator. **Optional**|
+|title|String|Indicator alert title. **Required**|
+|description|String|Description of the indicator. **Required**|
+|expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**|
+|severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional**|
+|recommendedActions|String|TI indicator alert recommended actions. **Optional**|
+|rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**|
+|educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**|
+|generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert.|
 ## Response
 
 - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body.