Merge branch 'main' into WI474429-mda-discovery-exclude-entities

Author: DeCohen

.openpublishing.redirection.defender-office-365.json

@@ -59,6 +59,11 @@
       "source_path": "defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md",
       "redirect_url": "/defender-office-365/submissions-outlook-report-messages",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/tenant-wide-setup-for-increased-security.md",
+      "redirect_url": "/security/zero-trust/zero-trust-identity-device-access-policies-overview",
+      "redirect_document_id": false
     }
   ]
 }

ATPDocs/deploy/deploy-defender-identity.md

@@ -23,10 +23,10 @@ Identify your architecture and your requirements, and then use the table below t
 |Server configuration   |Server Operating System  |Recommended deployment |
 |---------|---------|---------|---------|
 |Domain controller     | Windows Server 2019 or later with the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
-|Domain controller      |Windows Server 2016 or earlier         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
-|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    NA     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  NA       |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Entra Connect](active-directory-federation-services.md)|  NA    |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
+|Domain controller      |Windows Server 2016 or later         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
+|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    Windows Server 2016 or later      |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  Windows Server 2016 or later        |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Entra Connect](active-directory-federation-services.md)|  Windows Server 2016 or later     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
 
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.

ATPDocs/whats-new.md

@@ -23,6 +23,16 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## August 2025
+
+### Sensor version 2.246
+
+This version includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.
+
+### Detection update: Suspected Brute Force attack (Kerberos, NTLM)
+
+Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase.
+
 
 ## July 2025
 
@@ -34,17 +44,17 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
 
 ### New security posture assessments for unmonitored identity servers
 
-Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
+Microsoft Defender for Identity three new security posture assessments detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
 
 Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
 
-For more details, see:
+For more information, see:
 
 [Security Assessment: Unmonitored ADCS servers](unmonitored-active-directory-certificate-services-server.md)
 
 [Security Assessment: Unmonitored ADFS servers](unmonitored-active-directory-federation-services-servers.md)
 
-[Security Assessment: Unmonitored Entra Connect servers](unmonitored-entra-connect-servers.md)
+[Security Assessment: Unmonitored Microsoft Entra Connect servers](unmonitored-entra-connect-servers.md)
 
 
 
@@ -62,7 +72,7 @@ Scoping by Active Directory domains helps:
 
 - Support operational boundaries: Align access for SOC analysts, identity administrators, and regional teams.
 
-For more information see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
+For more information, see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
 
 
 ### Okta integration is now available in Microsoft Defender for Identity
@@ -103,7 +113,7 @@ Defender for Identity now supports deploying its new sensor on Domain Controller
 The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify noneligible servers and take action to update and onboard them for enhanced identity protection.
 
 
-### Local administrators collection (using SAM-R queries) feature will be disabled
+### Local administrators collection (using SAM-R queries) feature is disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change occurs automatically by the specified date, and no administrative action is required.
 
 ### New Health Issue
@@ -149,7 +159,7 @@ For more information, see: [Investigate and protect Service Accounts | Microsoft
 
 ### Enhanced Identity Inventory
 
-The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  
+The Identities page under *Assets* was updated to provide better visibility and management of identities across your environment.  
 The updated Identities Inventory page now includes the following tabs:
 
 - Identities: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information. 

CloudAppSecurityDocs/proxy-intro-aad.md

@@ -6,9 +6,8 @@ ms.topic: concept-article
 ---
 # Conditional Access app control in Microsoft Defender for Cloud Apps
 
-In today's workplace, it's not enough to know what happened in your cloud environment after the fact. You need to stop breaches and leaks in real time. You also need to prevent employees from intentionally or accidentally putting your data and organization at risk.
-
-You want to support users in your organization while they use the best cloud apps available and bring their own devices to work. However, you also need tools to protect your organization from data leaks and theft in real time. Microsoft Defender for Cloud Apps integrates with any identity provider (IdP) to deliver this protection with [access](access-policy-aad.md) and [session](session-policy-aad.md) policies.
+In today’s workplace, it’s not enough to understand what happened in your cloud environment after the fact, you need to stop breaches and data leaks as they happen. That includes preventing employees from intentionally or accidentally putting your data and organization at risk.
+Microsoft Defender for Cloud Apps helps you strike the right balance: enabling productivity with the best cloud apps while protecting your data in real time. It delivers deep visibility and control over **browser-based sessions** through integration with any identity provider (IdP), using powerful [access](access-policy-aad.md) and [session](session-policy-aad.md) policies.
 
 For example:
 
@@ -26,6 +25,8 @@ Microsoft Edge users benefit from [direct, in-browser protection](in-browser-pro
 
 Users of other browsers are redirected via reverse proxy to Defender for Cloud Apps. Those browsers display an `*.mcas.ms` suffix in the link's URL. For example, if the app URL is `myapp.com`, the app URL is updated to `myapp.com.mcas.ms`.
 
+To prevent bypassing this protection, admins should configure access policies to block native client access and allow only browser-based sessions.
+
 This article describes Conditional Access app control in Defender for Cloud Apps through [Microsoft Entra Conditional Access](/entra/identity/conditional-access/overview) policies.
 
 ## Activities in Conditional Access app control

defender-endpoint/TOC.yml

@@ -803,6 +803,8 @@
         href: microsoft-defender-endpoint-antivirus-performance-mode.md
       - name: Compatibility with other security products
         href: microsoft-defender-antivirus-compatibility.md
+      - name: Defender for Endpoint passive mode
+        href: microsoft-defender-passive-mode.md
       - name: Microsoft Defender Antivirus and third-party antivirus solutions without
           Defender for Endpoint
         href: defender-antivirus-compatibility-without-mde.md

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -406,8 +406,8 @@ This rule blocks executable files, such as .exe, .dll, or .scr, from launching.
 
 > [!IMPORTANT]
 > You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and isn't specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
-> You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+> This rule uses cloud-delivered protection to update its trusted list regularly.
+> You can specify individual files or folders by using folder paths or fully qualified resource names. It also supports the **ASROnlyPerRuleExclusions** setting.
 
 Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
 
@@ -583,6 +583,9 @@ Dependencies: Microsoft Defender Antivirus
 
 ### Block rebooting machine in Safe Mode
 
+> [!NOTE]
+> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
+
 This rule prevents the execution of commands to restart machines in Safe Mode. Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.
 
 Intune Name: ` Block rebooting machine in Safe Mode`
@@ -621,6 +624,9 @@ Dependencies: Microsoft Defender Antivirus
 
 ### Block use of copied or impersonated system tools
 
+> [!NOTE]
+> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
+
 This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines. 
 
 Intune Name: `Block use of copied or impersonated system tools`
@@ -652,7 +658,7 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
 Dependencies: Microsoft Defender Antivirus
 
 > [!NOTE]
-> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management.
+> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Exchange servers.
 
 ### Block Win32 API calls from Office macros
 

defender-endpoint/configure-endpoints-vdi.md

@@ -103,6 +103,10 @@ The following steps guide you through onboarding VDI devices and highlight steps
    | Single entry for each device | 1. Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). <br/>2. Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it's triggered automatically. |
    | Multiple entries for each device | 1. Select the **Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). <br/>2. Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. |
 
+   > [!NOTE]
+   > When using the 'Single entry for each device' onboarding method for non-persistent VDI environments, ensure that the Onboard-NonPersistentMachine.ps1 script is executed only after the virtual machine has received its final hostname and completed its final reboot.<br>
+   > For example, if your VDI provisioning process includes multiple reboots or configuration stages after the VM is cloned from a master image, delay the script execution until the last reboot is complete and final machine name is assigned.<br> Running the script too early may result in duplicate device entries or inconsistent onboarding to Microsoft Defender for Endpoint.
+
 5. Test your solution by following these steps:
 
    1. Create a pool with one device.

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 06/06/2025
+ms.date: 07/30/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -79,7 +79,7 @@ Understand the following prerequisites before you create indicators for files:
 
 ## Create an indicator for files from the settings page
 
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
+1. In the navigation pane, select **System** \> **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
 
 2. Select the **File hashes** tab.
 

defender-endpoint/mac-whatsnew.md

@@ -70,12 +70,24 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Jul-2025 (Build: 101.25062.0005  | Release version: 20.125062.5.0)
+
+| Build:             | **101.25062.0005**   |
+|--------------------|----------------------|
+| Release version:   | **20.125062.5.0**    |
+| Engine version:    | **1.1.25040.3000**   |
+| Signature version: | **1.427.248.0**      |
+
+##### What's new
+
+- Bug and performance fixes
+
 ### Jun-2025 (Build: 101.25052.0012  | Release version: 20.125052.12.0)
 
-| Build:             | **101.25052.0012**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125052.12.0** |
-| Engine version:    | **1.1.25060.3000**       |
+| Build:             | **101.25052.0012**   |
+|--------------------|----------------------|
+| Release version:   | **20.125052.12.0**   |
+| Engine version:    | **1.1.25060.3000**   |
 | Signature version: | **1.431.226.0**      |
 
 ##### What's new
@@ -84,10 +96,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### May-2025 (Build: 101.25042.0009  | Release version: 20.125042.9.0)
 
-| Build:             | **101.25042.0009**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125042.9.0** |
-| Engine version:    | **1.1.25040.3000**       |
+| Build:             | **101.25042.0009**   |
+|--------------------|----------------------|
+| Release version:   | **20.125042.9.0**    |
+| Engine version:    | **1.1.25040.3000**   |
 | Signature version: | **1.429.521.0**      |
 
 ##### What's new
@@ -97,10 +109,10 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ### Apr-2025 (Build: 101.25032.0006  | Release version: 20.125032.6.0)
 
-| Build:             | **101.25032.0006**         |
-|--------------------|-----------------------|
-| Release version:   | **20.125032.6.0** |
-| Engine version:    | **1.1.25020.3000**       |
+| Build:             | **101.25032.0006**   |
+|--------------------|----------------------|
+| Release version:   | **20.125032.6.0**    |
+| Engine version:    | **1.1.25020.3000**   |
 | Signature version: | **1.427.158.0**      |
 
 ##### What's new