Merge branch 'main' into patch-20

aditisrivastava07 · web-flow · commit 426d75e51293 · 2025-06-30T13:23:41.000+05:30
diff --git a/ATPDocs/deploy/configure-windows-event-collection.md b/ATPDocs/deploy/configure-windows-event-collection.md
@@ -235,15 +235,16 @@ To configure domain object auditing:
 
         Now, all relevant changes to directory services appear as 4662 events when they're triggered.
 
-1. Repeat the steps in this procedure, but for **Applies to**, select the following object types:
+1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
-   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects** <sup>2</sup>
 
 > [!NOTE]
-> Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 1. Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 2. The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
 
 ## Configure auditing on AD FS
 
diff --git a/ATPDocs/identity-inventory.md b/ATPDocs/identity-inventory.md
@@ -110,7 +110,7 @@ Sort option applies to Display name, Domain, and Created time columns.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 
-At the top of each device inventory tab, the following device counts are available:
+At the top of the page, the following identities counts are available:
 
 - __Total__: The total number of identities. 
 
@@ -120,7 +120,7 @@ At the top of each device inventory tab, the following device counts are availab
 
 - **Services:** The number of all service accounts both on-premises and cloud.
 
-You can use this information to help you prioritize devices for security posture improvements.
+You can use this information to help you prioritize identities for security posture improvements.
 
 ### Navigate to the Identity inventory page
 
diff --git a/ATPDocs/ops-guide/ops-guide.md b/ATPDocs/ops-guide/ops-guide.md
@@ -13,7 +13,7 @@ This article summarizes the Microsoft Defender for Identity activities we recomm
 
 |Cadence  |Tasks  |
 |---------|---------|
-|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br> - [Investigate users with a high investigation score](ops-guide-daily.md#investigate-users-with-a-high-investigation-score) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
+|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
 |**Weekly**     |- [Review Secure score recommendations](ops-guide-weekly.md#review-secure-score-recommendations) <br>  - [Review and respond to emerging threats](ops-guide-weekly.md#review-and-respond-to-emerging-threats) <br>- [Proactively hunt](ops-guide-weekly.md#proactively-hunt)   |
 |**Monthly**     | - [Review tuned alerts and adjust tuning if needed](ops-guide-monthly.md#review-tuned-alerts-and-adjust-tuning-if-needed) <br> - [Track new changes in Microsoft Defender XDR and Defender for Identity](ops-guide-monthly.md#track-new-changes-in-microsoft-defender-xdr-and-defender-for-identity)     |
 | **Quarterly / Ad hoc** <br>Depending on your organization's needs and processes | - [Review Microsoft service health](ops-guide-quarterly.md#review-microsoft-service-health) <br> - [Review server setup process to include sensors](ops-guide-quarterly.md#review-server-setup-process-to-include-sensors) <br>- [Check domain configuration via PowerShell](ops-guide-quarterly.md#check-domain-configuration-via-powershell) |
diff --git a/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md b/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
@@ -81,7 +81,7 @@ Each source has typical scenarios that depend on how your network is configured,
 |---|---|
 |Windows Server Update Service|You're using Windows Server Update Service to manage updates for your network.|
 |Microsoft Update|You want your endpoints to connect directly to Microsoft Update. This option is useful for endpoints that irregularly connect to your enterprise network, or if you don't use Windows Server Update Service to manage your updates.|
-|File share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments.|
+|UNC Share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments. Platform updates can also be deployed using this method. |
 |Microsoft Endpoint Configuration Manager|You're using Microsoft Endpoint Configuration Manager to update your endpoints.|
 |Security intelligence updates and platform updates for Microsoft Defender Antivirus and other Microsoft anti-malware (formerly referred to as MMPC)|[Make sure devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence and platform updates are delivered through Windows Update. As of October 21, 2019, security intelligence updates and platform updates are SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should be used only as a final fallback source, and not the primary source. It's only to be used if updates can't be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](manage-outdated-endpoints-microsoft-defender-antivirus.md#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
 
@@ -274,6 +274,32 @@ On a Windows File Server set up a network file share (UNC/mapped drive) to downl
     > [!NOTE]
     > Do not add the x64 (or x86) folder in the path. The `mpcmdrun.exe` process adds it automatically.
 
+## Enable platform updates using UNC share
+
+To enable platform updates using UNC share, download KB4052623 and copy it into the architecture folders as `updateplatform.exe`. These files are updated monthly and need to get manually updated by you.
+
+KB4052623 is available for the following architectures:
+
+* [x86](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x86)
+
+* [amd64](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x64)
+
+* [arm64](https://go.microsoft.com/fwlink/?LinkID=851034&clcid=0x409&arch=arm64) 
+
+**Example structure**
+
+```dos
+[UNC Share]\ 
+    x86\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+    x64\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+```
+
 ## Related articles
 
 - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/defender-endpoint/microsoft-defender-antivirus-updates.md b/defender-endpoint/microsoft-defender-antivirus-updates.md
@@ -71,6 +71,7 @@ You can manage the distribution of updates through one of the following methods:
 - [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
 - [Microsoft Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
 - The usual methods you use to deploy Microsoft and Windows updates to endpoints in your network.
+- UNC Share
 
 For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 
diff --git a/unified-secops-platform/TOC.yml b/unified-secops-platform/TOC.yml
@@ -104,6 +104,9 @@
               href: mto-advanced-hunting.md
             - name: Multitenant devices
               href: mto-tenant-devices.md
+            - name: Multitenant identities
+              href: multitenant-identities-inventory.md
+              displayName: MTO
             - name: Vulnerability management
               href: mto-dashboard.md
             - name: Manage tenants
diff --git a/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-inventory.png b/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-inventory.png
diff --git a/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-tenant-details-on-identity.png b/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-tenant-details-on-identity.png
diff --git a/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-tenant-details.png b/unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-tenant-details.png
diff --git a/unified-secops-platform/multitenant-identities-inventory.md b/unified-secops-platform/multitenant-identities-inventory.md
@@ -0,0 +1,61 @@
+---
+# Required metadata
+# For more information, see https://learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata
+# For valid values of ms.service, ms.prod, and ms.topic, see https://learn.microsoft.com/en-us/help/platform/metadata-taxonomies
+
+title: Multitenant identities
+description: A multi-tenant identity inventory
+author: LiorShapiraa
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date: 06/29/2025
+---
+
+# Identities
+
+The **Identities** page in multitenant management enables you to quickly manage tenants and identities.
+
+## Identity inventory
+
+The Identity inventory page lists all the identities in each tenant that you have access to. The page is like the [Defender for Identity inventory](/defender-for-identity/identity-inventory) with the addition of the **Tenant name** column and filter. 
+
+You can navigate to the identity inventory page by selecting **Assets > Identities** in Microsoft Defender XDR's navigation menu.
+
+:::image type="content" source="media/multitenant-identities-inventory/screenshot-of-inventory.png" alt-text="Screenshot of inventory." lightbox="media/multitenant-identities-inventory/screenshot-of-inventory.png":::
+   
+At the top of the page, the following identities counts are available for all tenants:
+
+**Total**: The total number of identities.
+
+**Critical:** The number of your critical assets.
+
+**Disabled:** The number of all disabled identities in your organization.
+
+**Services:** The number of all service accounts both on-premises and cloud.
+
+You can use this information to help you prioritize identities for security posture improvements.
+
+Highly privileged identities card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Microsoft Entra ID security administrators and Global admin users.
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Search for an identity by name or full UPN, SID, and Object ID.
+
+- Export the list to a CSV file.
+
+- Copy list link with the included filters configured.
+
+> [!NOTE]
+> When exporting the identities list to a CSV file, a maximum of 5,000 identities are displayed.
+
+To view full identity details, select a specific identity from the list. Tenant ID and Tenant name are available in the identity side panel and page:
+
+:::image type="content" source="media/multitenant-identities-inventory/screenshot-of-tenant-details-on-identity.png" alt-text="Screenshot of tenant details on identity.":::
+
+
+
