Merge branch 'main' into docs-editor/submissions-outlook-report-mes-1764701982

Author: chrisda

defender-endpoint/mac-whatsnew.md

@@ -59,6 +59,7 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 ## Releases for Defender for Endpoint on macOS
 
+
 ### Offline updates for security intelligence updates on macOS is now in public preview
 
 This feature enables organizations to configure offline updates for security intelligence updates (also referred to as definition updates or signatures) on macOS using a local mirror server. For more information, see [Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS (preview)](./mac-support-offline-security-intelligence-update.md).
@@ -67,6 +68,19 @@ This feature enables organizations to configure offline updates for security int
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Nov-2025 (Build: 101.25102.0016 | Release version: 20.125102.16.0)
+
+| Build: | **101.25102.0016** |
+|--------------------|-----------------------|
+| Release version: | **20.125102.16.0** |
+| Engine version: | **1.1.25090.2000** |
+| Signature version: | **1.435.600.0** |
+
+##### What's new
+
+- Bug and performance fixes
+
+
 ### Oct-2025 (Build: 101.25082.0006  | Release version: 20.125082.6.0)
 
 | Build:             | **101.25082.0006**         |

defender-for-cloud-apps/anomaly-detection-policy.md

@@ -36,7 +36,6 @@ Based on the policy results, security alerts are triggered. Defender for Cloud A
 > - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
 > - [Unusual ISP for an OAuth App](#unusual-isp-for-an-oauth-app).
 > - [Suspicious file access activity (by user)](#unusual-activities-by-user).
-> - [Ransomware activity](#ransomware-activity).
 >
 > You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
 
@@ -92,10 +91,6 @@ This detection identifies that users were active from an IP address that has bee
 
 ### Ransomware activity
 
-> [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Ransomware payment instruction file uploaded to {Application}**.
-> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
-
 Defender for Cloud Apps extended its ransomware detection capabilities with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. Using our security research expertise to identify behavioral patterns that reflect ransomware activity, Defender for Cloud Apps ensures holistic and robust protection. If Defender for Cloud Apps identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions. For more information about how Defender for Cloud Apps detects ransomware, see [Protecting your organization against ransomware](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware).
 
 ### Activity performed by terminated user

defender-for-identity/deploy/prerequisites-sensor-version-3.md

@@ -110,4 +110,4 @@ We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/
 The *Test-MdiReadiness.ps1* script is also available from Microsoft Defender XDR, on the **Identities > Tools** page (Preview).
 
 ## Next step
-[Plan capacity for Microsoft Defender for Identity](capacity-planning.md)
+[Activate the Microsoft Defender for Identity sensor](activate-sensor.md)

defender-for-identity/identity-inventory.md

@@ -46,7 +46,8 @@ There are several options you can choose from to customize the identities list v
 > [!NOTE]
 > When exporting the identities list to a CSV file, a maximum of 5,000 identities are displayed.
 
-## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)
+:::image type="content" source="media/identity-inventory/inventory-page.png" alt-text="Screenshot of the identity inventory page in the Microsoft Defender portal.":::
+
 
 ### Identity details 
 

defender-for-identity/link-unlink-account-to-identity.md

@@ -59,7 +59,7 @@ Follow these steps to manually link accounts to a selected identity.
 1. Navigate to **Assets** > **Identity Inventory**.
 1. Select an **Identity** from the list.
 
-    :::image type="content" source="media/identity-inventory/inventory11.png" alt-text="Screenshot of the Identity Inventory page in the Defender portal. " lightbox="media/identity-inventory/inventory11.png":::
+      :::image type="content" source="media/identity-inventory/inventory-page.png" alt-text="Screenshot of the identity inventory page in the Microsoft Defender portal." lightbox="media/identity-inventory/inventory-page.png":::
 
 1. Select the **Observed in organization** tab.
 1. Open the **Accounts** tab.
@@ -73,22 +73,31 @@ Follow these steps to manually link accounts to a selected identity.
     - Security identifier (SID)
     - Source provider account
 1. Select one account from the table.
+
+    :::image type="content" source="media/link-unlink-account-to-identity/select-accounts.png" alt-text="Screenshot that shows a list of accounts that you can link. " lightbox="media/link-unlink-account-to-identity/select-accounts.png":::
+
 1. Select **Next**.
 1. Enter a short justification comment explaining why you're linking these accounts.
 1. Your justification must:
     - Be between 1 and 50 characters
     - Use only letters, numbers, spaces, @, and _
     - If your input includes invalid characters or exceeds the limit, an error message will appear.
+
+    :::image type="content" source="media/link-unlink-account-to-identity/enter-justification.png" alt-text="Screenshot that shows where to enter the justification for why you are linking the accounts." lightbox="media/link-unlink-account-to-identity/enter-justification.png":::
+
 1. Select **Next**.
 1. Review the selected accounts and your justification.
+
+    :::image type="content" source="media/link-unlink-account-to-identity/review-and-finish.png" alt-text="Screenshot that shows the review of the selected accounts and the justification." lightbox="media/link-unlink-account-to-identity/review-and-finish.png":::
+
 1. Confirm that the accounts listed are correct.
 1. The account list refreshes automatically.
 
 ## Unlink accounts from an identity
 
 Follow these steps to manually unlink accounts from a selected identity.
 
-1. Go to **Identity Inventory > Observed in organization**
+1. Go to **Identity Inventory > Observed in organization**.
 1. Open the **Accounts** tab.
 1. Select one account set from the table.
 1. Select **Unlink account**.