Merge branch 'main' into docs-editor/switch-to-mde-phase-2-1750089266

Author: denisebmsft

ATPDocs/deploy/remote-calls-sam.md

@@ -9,8 +9,8 @@ ms.reviewer: rlitinsky
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
 > [!IMPORTANT]
-> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
-> 
+> As of mid-May 2025, Microsoft Defender for Identity no longer collects local administrators group members from endpoints using SAM-R queries. This data is used to build potential lateral movement path maps, which are no longer being updated. The change was applied automatically—no administrative action or configuration changes were required.
+>
 
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 

ATPDocs/investigate-security-alerts.md

@@ -11,9 +11,7 @@ Investigate alerts that are affecting your environment, understand what they mea
 
 Begin your investigation by selecting an alert from the **Alerts** page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.
 
-> [!NOTE]
-> The **alert story** and **export to Excel** options are only available for alerts that use the classic Defender for Identity structure.  
-> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 ## Investigate using the alert story
 
@@ -25,6 +23,10 @@ The Important information section includes additional technical details that sup
 
 Together, the alert story, alert graph, and Important information give you a complete picture of the alert. They help you understand what triggered the alert, which entities were involved, and whether the activity requires further investigation or action.
 
+> [!NOTE]
+> The **alert story** is only visible for alerts that use the classic Defender for Identity structure. 
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 ## Take action from the details pane
 Once you've selected an alert of interest, the details pane changes to display information about the selected alert, historic information when it's available, and offer recommended actions to take action on this alert.
 
@@ -35,6 +37,10 @@ Once you're done investigating, go back to the alert you started with, mark the
 
 To get more details on a security alert, select **Export** on an alert details page to download the detailed Excel alert report.
 
+> [!NOTE]
+> The **export to Excel** option is also only available for alerts that use the classic Defender for Identity structure.
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 The downloaded file includes summary details about the alert on the first tab, including:
 

ATPDocs/okta-integration.md

@@ -6,7 +6,7 @@ ms.topic: how-to
 ms. reviewer: izauer-bit 
 ---
 
-# Integrate Okta with Microsoft Defender for Identity
+# Integrate Okta with Microsoft Defender for Identity (Preview)
 
 Okta manages how users and customers sign in and get access to key systems. Since it plays a central role in identity and access management, any compromise whether accidental or intentional can lead to serious security risks. By integrating Microsoft Defender for Identity with Okta, you gain stronger identity protection. Defender for Identity monitors sign-in activity, detects unusual behavior, and highlights threats related to compromised or misused identities. It also identifies risks like suspicious role assignments or unused high-privilege accounts, using Okta data to deliver clear, actionable insights that help keep your organization secure.
 
@@ -23,6 +23,11 @@ Before connecting your Okta account to Microsoft Defender for Identity, make sur
 > [!NOTE]
 > The Super Admin role is required only to create the API token. Once the token is created, remove the role and assign the Read-Only Administrator and Defender for Identity custom roles for ongoing API access.
 
+
+> [!NOTE]
+> If your Okta environment is already integrated with [Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-okta), connecting it to Microsoft Defender for Identity might cause duplicate Okta data, such as user activity, to appear in the Defender portal.
+
+
 ### Connect Okta to Microsoft Defender for Identity
 
 This section provides instructions for connecting Microsoft Defender for Identity to your dedicated Okta account using the connector APIs. This connection gives you visibility into and control over Okta use.
@@ -142,7 +147,7 @@ To complete the configuration in Okta, assign the custom role and resource set t
 1. Paste the API token you copied from your Okta account.
 1. Select **Save**.
 
-:::image type="content" source="media/okta-integration/connect-okta-instance.png" alt-text="Screenshot that shows how to connect your Okta instance.":::
+    :::image type="content" source="media/okta-integration/connect-okta-instance.png" alt-text="Screenshot that shows how to connect your Okta instance.":::
 
 1. Verify that your Okta environment appears in the table as enabled.
 
@@ -151,3 +156,4 @@ To complete the configuration in Okta, assign the custom role and resource set t
 ## Related articles
 
 - [Defender for Identity VPN integration in Microsoft Defender XDR](vpn-integration.md)
+- [Microsoft Defender for Identity extends ITDR capabilities to Okta identities](https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/microsoft-defender-for-identity-extends-itdr-capabilities-to-okta-identities/4418955)

ATPDocs/toc.yml

@@ -91,7 +91,7 @@ items:
   items:
     - name: Integrate Defender for Identity with PAM services
       href: integrate-microsoft-and-pam-services.md
-    - name: Integrate Defender for Identity with Okta
+    - name: Integrate Defender for Identity with Okta (Preview)
       href: okta-integration.md
 - name: Manage
   items:

defender-endpoint/microsoft-defender-endpoint-mac.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: macos
 search.appverid: met150
-ms.date: 04/25/2025
+ms.date: 06/17/2025
 ---
 
 # Microsoft Defender for Endpoint on macOS
@@ -25,38 +25,139 @@ ms.date: 04/25/2025
 This article provides an overview of Microsoft Defender for Endpoint on macOS, including its capabilities and features. It also includes links to additional resources for more information.
 
 **Applies to:**
+
 - [Microsoft Defender XDR](/defender-xdr)
 - [Microsoft Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals?msockid=0f1c3b9963366db31ba02e78621b6c1e#Overview)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
-## What is Microsoft Defender for Endpoint on macOS?
-
-Microsoft Defender for Endpoint on macOS is a unified endpoint security solution that provides advanced threat protection, detection, and response capabilities for macOS devices. It helps organizations protect their endpoints from a wide range of threats, including malware, ransomware, and other advanced persistent threats (APTs).
-
-The following table describes capabilities in Defender for Endpoint on macOS:
-
-|Capability|Description|
-|---|---|
-|Device Control| Control access to removable storage devices and peripherals. |
-|Network Protection| Protect against web-based threats by blocking access to malicious websites and content. |
-|Next-generation protection| Use machine learning and behavioral analysis to detect and block advanced threats. |
-|Tamper Protection| Prevent unauthorized changes to security settings and configurations. |
-|Web Protection| Protect against web-based threats by blocking access to malicious websites and content. |
-|Advanced Hunting| Use advanced queries to search for and investigate potential threats across your environment. |
-|Custom file indicators| Create custom indicators to detect specific files or file types. |
-|Custom network indicators| Create custom indicators to detect specific network traffic patterns. |
-|Passive Mode| Run Defender for Endpoint in passive mode to allow coexistence with other endpoint protection solutions. |
-|Sense detection sensor| Collect and analyze telemetry data from endpoints to detect and respond to threats. |
-|Vulnerability management| Identify and manage vulnerabilities across your environment. |
-|Device response capabilities| Collect investigation packages, run antivirus scans, and isolate devices to respond to threats. |
-|Device isolation| Isolate devices from the network to prevent the spread of threats. |
-|Live response| Perform live response actions on devices to investigate and remediate threats. |
+This article describes how to install, configure, update, and use Defender for Endpoint on Mac.
+ 
+[!INCLUDE [side-by-side-scenarios](includes/side-by-side-scenarios.md)]
+
+## What's new in the latest release
+
+[What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-endpoint.md)
+
+[What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md)
+
+> [!TIP]
+> If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on Mac on your device and navigating to **Help** \> **Send feedback**.
+
+To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Defender for Endpoint to use the Beta channel (formerly `Insider-Fast`).
+
+## How to install Microsoft Defender for Endpoint on Mac
+
+### Prerequisites
+
+- A Defender for Endpoint subscription and access to the Microsoft Defender portal
+- Beginner-level experience in macOS and BASH scripting
+- Administrative privileges on the device (in manual deployment)
+
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Defender for Endpoint on Mac.
+
+- [Microsoft Intune-based deployment](mac-install-with-intune.md)
+- Non-Microsoft management tools:
+  - [JAMF-based deployment](mac-install-with-jamf.md)
+  - [Other MDM products](mac-install-with-other-mdm.md)
+- [Manual deployment](mac-install-manually.md) via command line.
+
+### System requirements
+
+These three most recent major releases of macOS are supported.
+
+- 15.0.1 (Sequoia)
+- 14 (Sonoma)
+- 13 (Ventura)
+
+- Supported processors: x64 and ARM64 (Mx processors)
+
+- Disk space: 1GB
+
+- Beta versions of macOS aren't supported.
+
+> [!IMPORTANT]
+> On macOS 11 (Big Sur) and later, Defender for Endpoint requires more configuration profiles. If you're an existing customer upgrading from earlier versions of macOS, make sure to deploy the extra configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md) and detailed in [installation instructions](#installation-instructions).
+
+After you've enabled the service, you might need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+### Licensing requirements
+
+Defender for Endpoint on Mac requires one of the following Microsoft Volume Licensing offers:
+
+- Microsoft 365 E5
+- Microsoft 365 E5 Security
+- Microsoft 365 A5
+- Windows 10 Enterprise E5
+- Microsoft 365 Business Premium
+- Windows 11 Enterprise E5
+- Microsoft Defender for Endpoint P2 (included in Microsoft 365 E5 and E5 Security)
+- Microsoft Defender for Endpoint P1 (included in [Microsoft 365 E3](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639))
+
+> [!NOTE]
+> Eligible licensed users might use Microsoft Defender for Endpoint on up to five concurrent devices.
+> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it doesn't require Microsoft Volume Licensing offers listed.
+
+### Configuring Exclusions
+
+When adding exclusions, be mindful of [common exclusion mistakes for Microsoft Defender Antivirus](common-exclusion-mistakes-microsoft-defender-antivirus.md).
+
+### Network connections
+
+Ensure that connectivity is possible from your devices to Microsoft Defender for Endpoint cloud services. To prepare your environment, please reference [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
+
+Defender for Endpoint can connect through a proxy server by using the following methods:
+
+- Proxy autoconfig (PAC)
+- Web Proxy Autodiscovery Protocol (WPAD)
+- Manual static proxy configuration
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
+
+> [!WARNING]
+> Authenticated proxies aren't supported. Ensure that only PAC, WPAD, or a static proxy is being used.
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store won't allow for interception.
+
+#### Test network connectivity
+
+To test that a connection isn't blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser.
+
+If you prefer the command line, you can also check the connection by running the following command in Terminal:
+
+```bash
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to the following:
+
+ `OK https://x.cp.wd.microsoft.com/api/report`
+
+ `OK https://cdn.x.cp.wd.microsoft.com/ping`
 
 > [!CAUTION]
-> Running other non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint on macOS is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on macOS EDR functionality after configuring the antivirus functionality to run in [Passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine).
+> We recommend that you keep [System Integrity Protection](https://support.apple.com/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
+
+Once Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
+
+```bash
+mdatp connectivity test
+```
+
+## How to update Microsoft Defender for Endpoint on Mac
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Defender for Endpoint on macOS, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender for Endpoint on Mac](mac-updates.md).
+
+## How to configure Microsoft Defender for Endpoint on Mac
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint on Mac](mac-preferences.md).
+
+## macOS kernel and system extensions
+
+Starting with macOS 11 (Big Sur), Defender for Endpoint has been fully migrated from kernel extension to system extensions.
 
 ## Resources
 

defender-office-365/TOC.yml

@@ -490,6 +490,8 @@
        href: mdo-data-retention.md
      - name: Privacy in Defender for Office 365
        href: mdo-privacy.md
+     - name: Defender for Office 365 ICES Vendor Ecosystem integration guide
+       href: mdo-ices-vendor-ecosystem.md
      - name: External email senders - Microsoft 365 resources
        items:
        - name: Microsoft 365 services for external email senders