Merge branch 'AHtimeilne' of https://github.com/mberdugo/defender-docs-pr into AHtimeilne

Author: mberdugo

defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md

@@ -109,7 +109,6 @@ The following table lists solutions:
 |Solution|Description|
 |:---|:---|
 | Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check.|
-| Solution (Preferred 2) | 1. Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **Certificate Path Validation Settings**.<br/>2. Select the **Network Retrieval** tab, and then select **Define these policy settings**.<br/>3. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box.<br/><br/> Here are some useful resources: <br/> - [Configure Trusted Roots and Disallowed Certificates](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11))<br/>- [Improving application Start up time: GeneratePublisherEvidence setting in Machine.config](/archive/blogs/amolravande/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config)|
 | Work-around solution (Alternative) <br/> *This is not a best practice since you're no longer checking for revoked certificates or certificate pinning.*| Disable CRL check only for SPYNET. <br/> Configuring this registry SSLOption disables CRL check only for SPYNET reporting. It won't impact other services.<br/><br/> Go to **HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet**, and then set `SSLOptions (dword)` to `2` (hex). <br/>For reference, here are possible values for the DWORD: <br/> - `0 – disable pinning and revocation checks` <br/> - `1 – disable pinning` <br/>  - `2 – disable revocation checks only` <br/> - `3 – enable revocation checks and pinning (default)` |
 
 ## Attempt to download a fake malware file from Microsoft

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -98,13 +98,10 @@ Improved Defender update reliability by allowing non-admin processes to trigger
 
 - Enhanced Passive Mode Scanning Behavior
 When Microsoft Defender is in Passive mode, an Antivirus scan will not occur after a signature update , unless specifically set in the policy setting DisableScanOnUpdate.
-
 - Improved Tamper Protection Handling
 Optimized the configuration process for Tamper Protection in multi-threaded environments to ensure more reliable behavior.
-
 - Digital Signature Verification Performance Boost
 Enhanced the efficiency of digital signature verification to improve overall system performance.
-
 - Refined ASR Rule Exclusion Processing
 Refined exclusion processing and resolved false positives for the Attack Surface Reduction (ASR) rule: Block Office applications from injecting code into other processes.
 

defender-endpoint/web-threat-protection.md

@@ -27,47 +27,29 @@ appliesto:
 
 
 
-Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you are blocked because they're in your [custom indicator list](indicators-overview.md).
+Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you've blocked because they're in your [custom indicator list](indicators-overview.md).
 
 > [!NOTE]
 > It might take up to two hours for devices to receive new custom indicators.
 
 ## Prerequisites
 
-Web protection uses network protection to provide web browsing security on Microsoft Edge and non-Microsoft web browsers.
+Web threat protection uses network protection to provide web browsing security in Edge (excepting Windows devices), non-Microsoft web browsers and nonbrowser processes. On Windows devices, web threat protection in Edge uses Microsoft Defender SmartScreen and network protection isn't required to be enabled. 
+
+To turn on Microsoft Defender SmartScreen in Edge: [Configure Microsoft Defender SmartScreen](/deployedge/microsoft-edge-policies#smartscreenenabled).
 
 To turn on network protection on your devices:
 
 - Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline)
 - Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
 
 > [!NOTE]
-> If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+> If you set network protection to **Audit only**, blocking is unavailable. Also, you are able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
 
 ## Configure web threat protection
 
-The following procedure describes how to configure web threat protection using the Microsoft Intune admin center.
-
-1. Go to the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)), and sign in.
- 
-2. Choose **Endpoint security** \> **Attack surface reduction**, and then choose **+ Create policy**.
-
-3. Select a platform, such as **Windows 10 and later**, select the **Web protection** profile, and then choose **Create**. 
-
-4. On the **Basics** tab, specify a name and description, and then choose **Next**.
-
-5. On the **Configuration settings** tab, expand **Web Protection**, specify your settings, and then choose **Next**.
-
-   - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it works in your environment. In audit mode, network protection doesn't prevent users from visiting sites or domains, but it does track detections as events. 
-   - To protect users from potential phishing scams and malicious software, turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**.
-   - To prevent users from bypassing warnings about potentially malicious sites, set **Block malicious site access** to **Yes**.
-   - To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** to **Yes**. 
-
-6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you aren't using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
-
-7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**.
+The legacy **Web protection** policy in Intune has been deprecated and web threat protection will be enabled if the prerequisites are met.
 
-8. On the **Review + create** tab, review your policy settings, and then choose **Create**.
 
 ## Related articles
 

defender-xdr/autoad-results.md

@@ -8,7 +8,7 @@ f1.keywords:
 ms.author: guywild
 author: guywi-ms
 ms.localizationpriority: medium
-ms.date: 04/25/2025
+ms.date: 10/21/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -27,19 +27,19 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-When an automatic attack disruption triggers in Microsoft Defender XDR, the details about the risk and the containment status of compromised assets are available during and after the process. You can view the details on the incident page, which provides the full details of the attack and the up-to-date status of associated assets.
+When an automatic attack disruption triggers in Microsoft Defender XDR, you can view the details about the risk and the containment status of compromised assets during and after the process. You can view the details on the incident page, which provides the full details of the attack and the up-to-date status of associated assets.
 
 ## Review the incident graph
 
 Microsoft Defender XDR automatic attack disruption is built-in in the incident view. Review the incident graph to get the entire attack story and assess the attack disruption impact and status.
 
 The incident page includes the following information:
 
-- Disrupted incidents include a tag for 'Attack Disruption' and the specific threat type identified (i.e., ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.
+- Disrupted incidents include a tag for 'Attack Disruption' and the specific threat type identified (for example, ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.
 - A highlighted notification below the incident title indicating that the incident was disrupted.
 - Suspended users and contained devices appear with a label indicating their status.
 
-To release a user account or a device from containment, click on the contained asset and click **release from containment** for a device or **enable user** for a user account.
+To release a user account or a device from containment, select the contained asset and select **release from containment** for a device or **enable user** for a user account.
 
 ## Track the actions in the Action center
 
@@ -52,18 +52,18 @@ You can release the contained assets, for example, enable a blocked user account
 
 You can use specific queries in [advanced hunting](advanced-hunting-overview.md) to track contain device or user, and disable user account actions.
 
-### Hunt for contain actions
+### Containment-related events in advanced hunting
 
-Contain actions triggered by attack disruption are found in the [DeviceEvents table](advanced-hunting-deviceevents-table.md) in advanced hunting. Use the following queries to hunt for these specific contain actions:
+Containment in Microsoft Defender for Endpoint prevents further threat actor activity by blocking communication from contained entities. In advanced hunting, the [DeviceEvents table](advanced-hunting-deviceevents-table.md) logs **block actions that result from containment**, not the initial containment action itself:
 
-- Device contain actions:
+- **Device-derived block actions** - These events indicate activity (such as network communication) that was *blocked because the device was contained*:
 
   ```Kusto
   DeviceEvents
   | where ActionType contains "ContainedDevice"
   ```
 
-- User contain actions:
+- **User-derived block actions** - These events indicate activity (such as sign-in or resource access attempts) that was *blocked because the user was contained*:
 
   ```Kusto
   DeviceEvents
@@ -72,7 +72,7 @@ Contain actions triggered by attack disruption are found in the [DeviceEvents ta
 
 ### Hunt for disable user account actions
 
-Attack disruption uses the remediation action capability of Microsoft Defender for Identity to disable accounts. Defender for Identity uses the LocalSystem account of the domain controller by default for all remediation actions. 
+Attack disruption uses the remediation action capability of Microsoft Defender for Identity to disable accounts. By default, Microsoft Defender for Identity uses the LocalSystem account of the domain controller for all remediation actions. 
 
 The following query looks for events where a domain controller disabled user accounts. This query also returns user accounts disabled by automatic attack disruption by triggering account disable in Microsoft Defender XDR manually: 
 
@@ -94,7 +94,7 @@ IdentityDirectoryEvents
 | project TimeGenerated, TargetAccountUpn, ACTOR_DEVICE
 ```
 
-The above query was adapted from a [Microsoft Defender for Identity - Attack Disruption query](https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Identity/MDI-AttackDisruption.md#microsoft-365-defender).
+The preceding query was adapted from a [Microsoft Defender for Identity - Attack Disruption query](https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Identity/MDI-AttackDisruption.md#microsoft-365-defender).
 
 ## Related content