
Commit 35a4127

Merge branch 'main' into main
2 parents 4352fa1 + 2071e54 commit 35a4127

23 files changed: +279 −267 lines changed

ATPDocs/deploy/activate-capabilities.md

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ Microsoft Defender for Endpoint customers, who have already onboarded their doma
1212
This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
1313

1414
> [!IMPORTANT]
15-
> Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
15+
> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor.
1616
1717
## Prerequisites
1818
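Review bot: The new IMPORTANT note at line 15 drops the pointer to the main deployment guide (`deploy-defender-identity.md`) that the old note carried, and it mentions the classic sensor without any link, so a reader whose domain controllers are not candidates for the new sensor is no longer told where to go. Suggest keeping the link, for example "... we recommend deploying the classic sensor; see the [main deployment guide](deploy-defender-identity.md)."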

@@ -29,10 +29,8 @@ Make sure that the domain controller where you're planning to activate Defender
2929

3030
Direct Defender for Identity capabilities are supported on domain controllers only, using the one of the following operating systems:
3131

32-
- Windows Server 2019
33-
- Windows Server 2022
34-
35-
You must also have the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) installed.
32+
- Windows Server 2019 or above
33+
- [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later
3634

3735
> [!IMPORTANT]
3836
>After installing the March 2024 Cumulative Update, LSASS might experience a memory leak on domain controllers when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.
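Review bot: The unchanged lead sentence at line 30 still reads "supported on domain controllers only, using the one of the following operating systems", but after this change the list holds one operating-system entry and one cumulative-update entry, so the sentence no longer describes the list (and it keeps the "the one of" typo). Suggest "Direct Defender for Identity capabilities are supported on domain controllers only. The domain controller must meet the following requirements:". Also, the KB5035857 link at line 33 is the Windows Server 2022 package (OS build 20348 in the URL), so with "Windows Server 2019 or above" the bullet should say that the March 2024 cumulative update (or later) for the installed Windows Server version is required rather than pointing only to the 2022 KB.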

ATPDocs/deploy/configure-windows-event-collection.md

Lines changed: 3 additions & 1 deletion
@@ -328,7 +328,7 @@ To configure auditing on Microsoft Entra Connect servers:
328328
<a name="enable-auditing-on-an-exchange-object"></a>
329329
330330
>[!NOTE]
331-
> The configuration container audit is requried only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
331+
> The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
332332
333333
**Related health issue:** [Auditing on the Configuration container is not enabled as required](../health-alerts.md#auditing-on-the-configuration-container-is-not-enabled-as-required)
334334
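Review bot: Typo fix at line 331 looks good. While touching this line, "located within the domain's Configuration section" is imprecise: the Exchange container lives in the Configuration naming context, which is forest-wide rather than per domain. Suggest "within the forest's Configuration partition (`CN=Configuration,DC=...`)", which also matches the node named in step 1 of the procedure below.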
@@ -340,6 +340,8 @@ To configure auditing on Microsoft Entra Connect servers:
340340
341341
1. Expand the **Configuration** container to show the **Configuration** node, which begins with **"CN=Configuration,DC=..."**.
342342
343+
:::image type="content" source="../media/cn-configuration.png" alt-text="Screenshot of selections for opening properties for the CN Configuration node.":::
344+
343345
1. Right-click the **Configuration** node and select **Properties**.
344346
345347
![Screenshot of selections for opening properties for the Configuration node.](../media/configuration-properties.png)
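Review bot: The alt text of the new image at line 343 ("Screenshot of selections for opening properties for the CN Configuration node.") is nearly identical to the alt text of the existing image at line 347 ("... for the Configuration node."), although the two screenshots illustrate different steps (expanding the container versus opening Properties). Suggest alt text that describes what this screenshot actually shows, for example "Screenshot of the expanded Configuration container showing the CN=Configuration,DC=... node." Also confirm the new `:::image:::` line is indented to sit inside list item 1 so the numbered list does not restart on the next item.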

ATPDocs/deploy/event-collection-overview.md

Lines changed: 1 addition & 1 deletion
@@ -50,7 +50,7 @@ The following event is required for Microsoft Entra Connect servers:
5050

5151
- 4624: An account was successfully logged on
5252

53-
For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-for-entra-connect).
53+
For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-on-microsoft-entra-connect).
5454

5555
### Other required Windows events
5656
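Review bot: The link target at line 53 keeps the `../configure-windows-event-collection.md` path, but in this same commit that file lives at `ATPDocs/deploy/configure-windows-event-collection.md`, the same folder as `event-collection-overview.md`, so `../` resolves to `ATPDocs/configure-windows-event-collection.md`. Suggest `configure-windows-event-collection.md#configure-auditing-on-microsoft-entra-connect`, and verify that the new anchor matches an actual heading in that file; the hunk headers shown for it carry "To configure auditing on Microsoft Entra Connect servers:", which reads like a step-intro line rather than the heading.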

ATPDocs/deploy/remote-calls-sam.md

Lines changed: 7 additions & 1 deletion
@@ -34,12 +34,16 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
3434
3535
**To configure required permissions**:
3636

37-
1. Locate the policy. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
37+
1. Create a new group policy or use an existing one.
38+
1. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
3839

3940
:::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
4041

4142
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
4243

44+
:::image type="content" source="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png" alt-text="Screenshot of the Network access policy settings." lightbox="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png":::
45+
46+
4347
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
4448

4549
## Make sure the DSA is allowed to access computers from the network (optional)
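Review bot: New step 1 at line 37 ("Create a new group policy or use an existing one") does not say where the GPO should be linked; since the intro states the goal is for Windows clients and servers to allow the DSA's remote SAM calls, the GPO has to be linked to the OUs containing those computers, not only the domain controllers, so suggest adding that scope. For the step at line 41, defining this policy replaces the default security descriptor, which grants remote SAM access to Administrators only, so the configured list should keep BUILTIN\Administrators alongside the DSA and the accounts found in audit mode; otherwise administrators lose remote SAM access on the targeted machines.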
@@ -60,6 +64,8 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
6064
>
6165
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
6266
67+
:::image type="content" source="../media/define-security-policy-setting.png" alt-text="Screenshot of Security Policy Settings." lightbox="../media/define-security-policy-setting.png":::
68+
6369
## Configure a Device profile for Microsoft Entra hybrid joined devices only
6470

6571
This procedure describes how to use the [Microsoft Intune admin center](https://intune.microsoft.com/) to configure the policies in a Device profile if you're working with Microsoft Entra hybrid joined devices.
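Review bot: The image added at line 67 has the generic alt text "Screenshot of Security Policy Settings", which does not tell a screen-reader user which setting is shown; suggest naming it, for example "Screenshot of the Access this computer from the network policy setting with Authenticated Users added." The screenshot also follows the `>` note with no introducing sentence; the earlier images in this file are introduced with "For example:", so add the same lead-in here for consistency.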

ATPDocs/media/cn-configuration.png (and two further image files)

Binary image files added: 37.9 KB, 75.3 KB, 68.3 KB

ATPDocs/whats-new.md

Lines changed: 13 additions & 0 deletions
@@ -24,6 +24,19 @@ For updates about versions and features released six months ago or earlier, see
2424

2525
## February 2025
2626

27+
### DefenderForIdentity PowerShell module updates (version 1.0.0.3)
28+
29+
New Features and Improvements:
30+
- Support for getting, testing, and setting the Active Directory Recycle Bin in Get/Set/Test MDIConfiguration.
31+
- Support for getting, testing, and setting the proxy configuration on new MDI sensor.
32+
- The Active Directory Certificate Services registry value for audit filtering now properly sets the type.
33+
- New-MDIConfigurationReport now shows the name of the tested GPO and supports Server and Identity arguments.
34+
35+
Bug Fixes:
36+
- Improved reliability for DeletedObjects container permissions on non-English operating systems.
37+
- Fixed extraneous output for KDS root key creation.
38+
- Other reliability fixes.
39+
2740
### New attack paths tab on the Identity profile page
2841

2942
This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview)
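Review bot: The release notes at lines 27-38 name cmdlets loosely ("Get/Set/Test MDIConfiguration", "New-MDIConfigurationReport ... Server and Identity arguments"); use the real cmdlet names in code format, `Get-MDIConfiguration`, `Set-MDIConfiguration`, `Test-MDIConfiguration` and `New-MDIConfigurationReport`, and call the Server and Identity items parameters (`-Server`, `-Identity`) if those are their actual names, since that is what users will type. The "New Features and Improvements:" and "Bug Fixes:" labels should be bold or fourth-level headings to match the rest of the What's new page, and a link to the module's installation page or gallery listing would help readers locate version 1.0.0.3.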

CloudAppSecurityDocs/app-governance-get-started.md

Lines changed: 4 additions & 4 deletions
@@ -10,7 +10,7 @@ description: Get started with app governance capabilities to govern your apps in
1010
This article describes how to turn on Microsoft Defender for Cloud Apps app governance.
1111

1212
> [!NOTE]
13-
> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments cannot connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance is not FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
13+
> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments can't connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance isn't FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
1414
## Prerequisites
1515

1616
Before you start, verify that you satisfy the following prerequisites:
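Review bot: The note at line 13 keeps a trailing space after "employees." and still runs two unrelated facts into one clause ("can't connect to resources in Azure commercial and is FedRAMP compliant"); suggest splitting them: "By default, the Microsoft Defender for Cloud Apps instance in US Government environments is FedRAMP compliant and can't connect to resources in Azure commercial. However, App Governance isn't FedRAMP certified."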
@@ -21,15 +21,15 @@ Before you start, verify that you satisfy the following prerequisites:
2121

2222
- You must have [one of the appropriate roles](#roles) to turn on app governance and access it.
2323

24-
- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, South Africa, Sweden or United Arab Emirates.
24+
- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, South Africa, Sweden, or United Arab Emirates.
2525

2626
## Turn on app governance
2727

2828
If your organization satisfies the [prerequisites](#prerequisites), go to [Microsoft Defender XDR > Settings > Cloud Apps > App governance](https://security.microsoft.com/cloudapps/settings) and select **Use app governance**. For example:
2929

3030
:::image type="content" source="media/app-governance-get-started/app-governance-service-status2.png" alt-text="Screenshot of the App governance toggle in Microsoft Defender XDR." lightbox="media/app-governance-get-started/app-governance-service-status2.png":::
3131

32-
After you've signed up for app governance, you'll need to wait up to 10 hours to see and use the product.
32+
After signing up for app governance, you'll need to wait up to 10 hours to see and use the product.
3333

3434
If you're unable to see the app governance option in the settings page, it might be due to one or more of the following reasons:
3535

@@ -76,7 +76,7 @@ For more information about each role, see [Administrator role permissions](/azur
7676
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
7777
7878
> [!NOTE]
79-
> App governance alerts will not flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
79+
> App governance alerts won't flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
8080
8181
## Next steps
8282

defender-endpoint/linux-exclusions.md

Lines changed: 11 additions & 15 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: linux
1717
search.appverid: met150
18-
ms.date: 02/19/2025
18+
ms.date: 02/21/2025
1919
---
2020

2121
# Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -71,7 +71,7 @@ The following table shows the exclusion types supported by Defender for Endpoint
7171
|Process|A specific process (specified either by the full path or file name) and all files opened by it.<br/>*We recommend using full and trusted process launch path.*|`/bin/cat`<br/>`cat`<br/>`c?t`|
7272

7373
> [!IMPORTANT]
74-
> The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. When implementing global process exclusions, exclude only what is absolutely necessary to ensure system reliability and security. Verify that the process is known and trusted, specify the complete path to the process location, and confirm that the process will consistently launch from the same trusted full path.
74+
> The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. When implementing global process exclusions, exclude only what is necessary to ensure system reliability and security. Verify that the process is known and trusted, specify the complete path to the process location, and confirm that the process will consistently launch from the same trusted full path.
7575
7676
### File, folder, and process exclusions support the following wildcards:
7777
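Review bot: Removing "absolutely" is fine, but the sentence at line 74 "The paths used must be hard links, not symbolic links" is still misleading: every regular file is a hard link, and what the exclusion needs is the resolved path the process actually runs from. Suggest "The path used must be the resolved (real) path, not a symbolic link; check with `file <path-name>` or `readlink -f <path-name>`", so that, for instance, on a distribution where `/bin` is a symlink to `/usr/bin`, an exclusion for `cat` is written as `/usr/bin/cat`.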

@@ -87,11 +87,11 @@ Wildcard|Description|Examples|
8787
8888
## How to configure the list of exclusions
8989

90-
You can configure exclusions using a management console, Defender for Endpoint security settings management, or the command line.
90+
You can configure exclusions using a management Json configuration, Defender for Endpoint security settings management, or the command line.
9191

9292
### Using the management console
9393

94-
To configure exclusions from Puppet, Ansible, or another management console, please refer to the following sample `mdatp_managed.json`.
94+
In enterprise environments, exclusions can also be managed through a configuration profile. Typically, you would use a configuration management tool like Puppet, Ansible, or another management console to push a file with the name `mdatp_managed.json` at the location `/etc/opt/microsoft/mdatp/managed/`. For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md). Please refer to the following sample of `mdatp_managed.json`.
9595

9696
```JSON
9797
{
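Review bot: Line 90 now reads "a management Json configuration" while the subsection heading at line 92 still says "Using the management console" and the new sentence at line 94 refers to both; suggest "a managed JSON configuration file (`mdatp_managed.json`) pushed by a management console" with JSON uppercased, and rename the heading to match (for example "Using a managed configuration file"). The closing "Please refer to the following sample of `mdatp_managed.json`." at line 94 can simply be "The following is a sample `mdatp_managed.json`:".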
@@ -138,43 +138,39 @@ To configure exclusions from Puppet, Ansible, or another management console, ple
138138
}
139139
```
140140

141-
For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
142-
143141
### Using Defender for Endpoint security settings management
144142

145143
> [!NOTE]
144+
> This method is currently in private Preview. To enable this feature, please reach out to [email protected].
146145
> Make sure to review the prerequisites: [Defender for Endpoint security settings management prerequisites](/mem/intune/protect/mde-security-integration#prerequisites)
147146
148-
As a security administrator, you can configure Defender for Endpoint exclusions using the Microsoft Defender portal. This method is referred to as Defender for Endpoint security settings management. If you're using this method for the first time, make sure to complete the following procedures:
147+
You can use the Microsoft Intune admin center or the Microsoft Defender portal to manage exclusions as endpoint security policies and assign those policies to Microsoft Entra ID groups. If you're using this method for the first time, make sure to complete the following steps:
149148

150149
#### 1. Configure your tenant to support security settings management
151150

152151
1. In the [Microsoft Defender portal](https://security.microsoft.com), navigate to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**, and then select the Linux platform.
153152

154-
2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that are not enrolled with Intune](/mem/intune/protect/mde-security-integration).
153+
2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that aren't enrolled with Intune](/mem/intune/protect/mde-security-integration).
155154

156155
#### 2. Create a Microsoft Entra group
157156

158-
Create a dynamic Microsoft Entra group that uses the operating system type to ensure that all devices onboarded to Defender for Endpoint receive policies. Using a dynamic group allows devices managed by Defender for Endpoint to be automatically added to the group, eliminating the need for admins to create new policies manually. For more information, see the following articles:
159-
160-
- [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups)
161-
- [Microsoft Entra groups overview](/entra/fundamentals/concept-learn-about-groups)
157+
Create a dynamic Microsoft Entra group based on the operating system type to ensure that all devices onboarded to Defender for Endpoint receive the appropriate policies. This dynamic group automatically includes devices managed by Defender for Endpoint, eliminating the need for admins to manually create new policies. For more information, see the following article: [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups)
162158

163159
#### 3. Create an endpoint security policy
164160

165161
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new Policy**.
166162

167163
2. For Platform, select **Linux**.
168164

169-
3. Select the required exclusion template (**Microsoft defender global exclusion (AV+EDR) for global exclusions and Microsoft defender antivirus exclusions for antivirus exclusions**), and then select **Create policy**.
165+
3. Select the required exclusion template (`Microsoft defender global exclusions (AV+EDR)` for global exclusions and `Microsoft defender antivirus exclusions` for antivirus exclusions), and then select **Create policy**.
170166

171167
4. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
172168

173169
5. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.
174170

175171
6. When you're done configuring settings, select **Next**.
176172

177-
7. On the **Assignments** page, select the groups that will receive this profile. Then select **Next**.
173+
7. On the **Assignments** page, select the groups that receive this profile. Then select **Next**.
178174

179175
8. On the **Review + create** page, when you're done, select **Save**. The new profile is displayed in the list when you select the policy type for the profile you created.
180176
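Review bot: The template names in backticks at line 165 use "Microsoft defender" (lowercase d) where the product name is Microsoft Defender; if the portal shows the strings this way, keep them exact but say they are the portal's labels, otherwise fix the casing. The rewrite of the Entra group paragraph at line 157 drops the link to the Microsoft Entra groups overview that lines 160-161 carried; keep it as a second bullet, since readers new to dynamic groups still need it. In the note at line 144, the contact address appears as "[email protected]" in the rendered commit; confirm the source file carries the real alias.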

@@ -420,7 +416,7 @@ To get the name of a detected threat, run the following command:
420416
mdatp threat list
421417
```
422418

423-
For example, to add `EICAR-Test-File (not a virus)` to the allow list, run the following command:
419+
For example, to add `EICAR-Test-File (not a virus)` to the allowlist, run the following command:
424420

425421
```bash
426422
mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
