
Commit 6f46322

Merge branch 'main' into release-preview-sentinel-graph
2 parents c49df21 + d35230c commit 6f46322

11 files changed

+36
-28
lines changed


defender-endpoint/indicators-overview.md

Lines changed: 2 additions & 3 deletions
@@ -159,10 +159,9 @@ The IoC API schema and the threat IDs in Advanced Hunting are updated to align w
159159

160160
Microsoft Store apps cannot be blocked by Microsoft Defender because they're signed by Microsoft.
161161

162-
Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information. Each issue is investigated by our engineering team.
162+
Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information.
163163

164-
- **Block indicators**: Generic alerts with informational severity only are created. Custom alerts (that is, custom title and severity) aren't fired in these cases.
165-
- **Warn indicators**: Generic alerts and custom alerts are possible in this scenario; however, the results aren't deterministic due to an issue with the alert detection logic. In some cases, customers might see a generic alert, whereas a custom alert might show in other cases.
164+
- **Block and Warn indicators**: Generic alerts with informational severity only are created. Custom alerts (that is, custom title and severity) aren't fired in these cases.
166165
- **Allow**: No alerts are generated (by design).
167166
- **Audit**: Alerts are generated based on the severity provided by the customer (by design).
168167
- In some cases, alerts coming from EDR detections might take precedence over alerts stemming from antivirus blocks, in which case an information alert is generated.
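Review bot: The merged **Block and Warn indicators** bullet silently changes what the page states about Warn indicators: the old text said custom alerts were possible for Warn but non-deterministic, and the new text says they are never fired. If the detection logic was fixed so that Warn now behaves like Block, say so in the bullet; otherwise keep a separate Warn bullet, because readers who configured custom titles and severities for Warn indicators cannot tell whether the behaviour changed or only the wording did. The unchanged last bullet also reads `an information alert is generated`; `an informational alert` matches the severity wording used earlier in the same list.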

defender-endpoint/linux-whatsnew.md

Lines changed: 18 additions & 1 deletion
@@ -43,6 +43,24 @@ This article is updated frequently to let you know what's new in the latest rele
4343
4444
## Releases for Defender for Endpoint on Linux
4545

46+
### September-2025 Build: 101.25082.0003 | Release version: 30.125082.0003.0
47+
48+
|Build: |**101.25082.0003** |
49+
|-------------------|----------------------|
50+
|Released: |**September 25, 2025**|
51+
|Published: |**September 25, 2025**|
52+
|Expiry: |**Jun 04, 2026**|
53+
|Release version: |**30.125082.0003.0**|
54+
|Engine version: |**1.1.25070.4000**|
55+
|Signature version: |**1.435.242.0**|
56+
57+
What's new
58+
- Vulnerability detection for Langflow, an open-source Python framework for building AI workflows and agents, has been enhanced with dynamic detection using advanced telemetry and Python package scanning. This includes the detection of CVE-2025-3248 with a CVSS score of 9.8, ensuring comprehensive vulnerability coverage.
59+
60+
- Client Analyzer is now bundled directly within the MDE package, eliminating the need for separate downloads. Both the binary and Python versions are included by default and can be found at /opt/microsoft/mdatp/tools/client_analyzer/. This ensures consistent availability across environments and streamlines troubleshooting for customers by making diagnostic tools readily accessible out-of-the-box.
61+
62+
- Other quality and stability fixes.
63+
4664
### September-2025 Build: 101.25072.0003 | Release version: 30.125072.0003.0
4765

4866
|Build: |**101.25072.0003** |
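Review bot: In the new release table, `|Expiry: |**Jun 04, 2026**|` uses an abbreviated month while the Released and Published rows spell out `September 25, 2025`; use one date style across the table. In the Client Analyzer bullet, the path /opt/microsoft/mdatp/tools/client_analyzer/ should be in backticks like the other paths in this file, and the Langflow bullet's CVSS score should say which scoring source it comes from, since the number readers look up may differ between the CVE record and the vendor advisory.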
@@ -74,7 +92,6 @@ What's new
7492
- The `mdatp threat quarantine add` command now requires superuser (root) privileges.
7593
- Custom definition path can now be updated without stopping Defender for Endpoint. Previously, this required stopping the service, but with this release onwards, updates to the definition path can be made dynamically, improving operational efficiency and reducing downtime.
7694
- Running Defender for Endpoint on Linux alongside Fapolicyd is now supported on RHEL and Fedora-based distributions, enabling both antivirus (real-time protection) and EDR functionality to operate without conflict. For other fanotify-based tools, MDE can still be used safely by setting the antivirus enforcement level to passive, helping avoid system instability.
77-
- Both the binary and Python versions of Client Analyzer are now included in the local package. There is no longer a need to download it separately, as it comes bundled by default. You can find it at the location `/opt/microsoft/mdatp/conf/client_analyzer/`.
7895
- Other stability enhancements and bug fixes.
7996

8097
### July-2025 Build: 101.25052.0007 | Release version: 30.125052.0007.0
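Review bot: The removed bullet gave the Client Analyzer location as `/opt/microsoft/mdatp/conf/client_analyzer/`, but the bullet added to the 101.25082.0003 section above gives `/opt/microsoft/mdatp/tools/client_analyzer/`. Only one of these can match the shipped package; confirm the path against an installed build before publishing. If the tools were in fact bundled only from 101.25082.0003 onward, moving the note between sections is correct, but a short remark that the earlier 101.25072.0003 statement was premature would help readers who already saw it.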

defender-endpoint/mac-install-manually.md

Lines changed: 4 additions & 3 deletions
@@ -44,9 +44,10 @@ Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
4444

4545
> [!IMPORTANT]
4646
> Manual installation of Microsoft Defender for Endpoint on macOS requires changes to the Privacy & Security Settings on macOS. Please consult Apple's documentation for details.
47-
> [Change Privacy & Security settings on MacOS Sonoma 14](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/14.0/mac/14.0)
48-
> [Change Privacy & Security settings on MacOS Sequoia 15](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/15.0/mac/15.0)
49-
>
47+
> - [Change Privacy & Security settings on MacOS Sonoma 14](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/14.0/mac/14.0)
48+
> - [Change Privacy & Security settings on MacOS Sequoia 15](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/15.0/mac/15.0)
49+
> - [Change Privacy & Security settings on MacOS Tahoe 26](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/mac)
50+
5051
## Download installation and onboarding packages
5152

5253
Download the installation and onboarding packages from Microsoft Defender portal.
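Review bot: The new Tahoe entry links to `.../change-privacy-security-settings-on-mac-mchl211c911f/mac` without the version segment that the Sonoma (`/14.0/mac/14.0`) and Sequoia (`/15.0/mac/15.0`) entries carry, so it resolves to whatever Apple currently publishes as the latest guide rather than a page pinned to macOS 26; if Apple publishes a versioned variant for 26, pin it for consistency, otherwise say in the link text that it points at the current guide. Also, `MacOS` in all three link texts should be `macOS` to match the rest of the article.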

defender-endpoint/mac-whatsnew.md

Lines changed: 0 additions & 8 deletions
@@ -59,14 +59,6 @@ To get the latest features, including preview capabilities (such as endpoint det
5959

6060
If an end user encounters a prompt for Defender for Endpoint on macOS processes such as `wdavdaemon_enterprise` or `Microsoft Defender Helper`, the end user can safely choose the **Deny** option. This selection doesn't affect Defender for Endpoint's functionality. Enterprises can also add *Microsoft Defender* to allow [incoming connections](https://support.apple.com/en-ca/guide/deployment/dep8d306275f/web). This issue is fixed in macOS Sequoia 15.2.
6161

62-
## Tahoe support
63-
64-
- Microsoft Defender for Endpoint supports version 26.0 or newer.
65-
66-
## Sequoia support
67-
68-
- Microsoft Defender for Endpoint supports version 15.0.1 or newer.
69-
7062
## macOS Deprecation
7163

7264
- Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur), 12 (Monterey) and 13 (Ventura)
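Review bot: Deleting the **Tahoe support** and **Sequoia support** sections removes the only statements on this page of which macOS versions are supported (`version 26.0 or newer`, `version 15.0.1 or newer`), leaving just the deprecation list. If these minimums now live in a prerequisites article, add a link to it where the sections were; if they were removed because they were wrong, the **macOS Deprecation** section should state what is supported instead, since a reader of this page now has no positive statement at all.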

defender-endpoint/microsoft-defender-passive-mode.md

Lines changed: 0 additions & 2 deletions
@@ -26,8 +26,6 @@ Some of the key benefits of Defender Antivirus in passive mode are:
2626

2727
* **EDR Block mode** - Post-breach protection by detecting and remediating threats missed by the active antimalware solution
2828

29-
* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
30-
3129
* **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats.
3230

3331
* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.

defender-endpoint/respond-machine-alerts.md

Lines changed: 7 additions & 6 deletions
@@ -103,19 +103,19 @@ Or, use this alternate procedure:
103103

104104
![Image of collect investigation package](media/collect-investigation-package.png)
105105

106-
2. Add comments and then select **Confirm**.
106+
1. Add comments and then select **Confirm**.
107107

108108
![Image of confirm comment](media/comments-confirm.png)
109109

110-
3. Select **Action center** from the response actions section of the device page.
110+
1. Select **Action center** from the response actions section of the device page.
111111

112112
![Image of action center](media/action-center-selected.png)
113113

114-
4. Select **Package collection package available** to download the collection package.
114+
1. Select **Package collection package available** to download the collection package.
115115

116116
![Image of download package](media/download-package.png)
117-
118-
> [!NOTE]
117+
118+
> [!NOTE]
119119
> The collection of the investigation package may fail if a device has a low battery level or is on a metered connection.
120120
121121
### Investigation package contents for Windows devices
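Review bot: The `117-`/`118-` to `117+`/`118+` change to the `> [!NOTE]` block shows no visible difference in this view, so it is presumably whitespace or indentation; confirm in the rendered page that the note still sits under step 4 (or is intentionally pulled out of the list), because indenting a blockquote under a numbered item decides whether Markdown renders it inside the list. Renumbering the steps to `1.` is fine as long as the first step of this procedure, outside the hunk, also uses `1.`. The context line **Package collection package available** reads like a duplicated word; check it against the actual Action center label.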
@@ -216,7 +216,8 @@ Depending on the severity of the attack and the sensitivity of the device, you m
216216
- You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](mde-linux-prerequisites.md). Ensure that the following prerequisites are enabled:
217217
- `iptables`
218218
- `ip6tables`
219-
- Linux kernel with `CONFIG_NETFILTER`, `CONFID_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER`
219+
- Linux kernel with `CONFIG_NETFILTER`, `CONFIG_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER` for kernel version lower than 5.x and `CONFIG_NETFILTER_XT_MATCH_OWNER` from 5.x kernel.
220+
220221
- Selective isolation is available for devices running on Windows 11, Windows 10 version 1703 or later, Windows Server 2012 R2 and later, Azure Stack HCI OS, version 23H2 and later, and macOS. For more information about selective isolation, see [Isolation exclusions](./isolation-exclusions.md).
221222
- When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
222223
- The feature supports VPN connection.
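Review bot: Good catch on `CONFID_IP_NF_IPTABLES`, but the new sentence is hard to parse: `... and `CONFIG_IP_NF_MATCH_OWNER` for kernel version lower than 5.x and `CONFIG_NETFILTER_XT_MATCH_OWNER` from 5.x kernel`. Suggest splitting it: `CONFIG_NETFILTER` and `CONFIG_IP_NF_IPTABLES`, plus `CONFIG_IP_NF_MATCH_OWNER` on kernels before 5.x or `CONFIG_NETFILTER_XT_MATCH_OWNER` on 5.x and later. The version at which the owner-match option was renamed should be checked against the kernel Kconfig rather than stated as 5.x from memory, and a one-line check readers can run before attempting isolation (for example `grep -E 'MATCH_OWNER|IP_NF_IPTABLES|CONFIG_NETFILTER=' /boot/config-$(uname -r)`) would make the prerequisite verifiable on the device.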

defender-for-cloud-apps/discovery-docker-ubuntu.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ You can configure automatic log upload for continuous reports in Defender for Cl
1515

1616
|Specification |Description |
1717
|---------|---------|
18-
|**Operating system** | One of the following: <li>Ubuntu 14.04, 16.04, 18.04 and 20.04 <li>CentOS 7.2 or higher |
18+
|**Operating system** | One of the following: <li>Ubuntu 20.04 and 22.04 <li>CentOS 7.2 or higher |
1919
|**Disk space** | 250 GB |
2020
|**CPU cores** | 2 |
2121
|**CPU Architecture** | Intel 64 and AMD 64 |
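Review bot: Dropping Ubuntu 14.04, 16.04 and 18.04 from the **Operating system** row narrows the supported Docker hosts, but nothing on the page tells customers with existing collectors on those releases that they are now unsupported; add a sentence near the table (or a What's new entry) so they know to migrate. While editing this row, confirm that `CentOS 7.2 or higher` is still the intended floor, since it survives unchanged beside a much newer Ubuntu baseline.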

defender-for-cloud-apps/troubleshooting-cloud-discovery.md

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ You can track the processing of cloud discovery logs using the governance log. T
4141
|----|----|
4242
|Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you're using isn't set to SFTP (Secure File Transfer Protocol). |
4343
|Failed updating collector configuration | 1. Verify that you entered the latest access token. <br />2. Verify in your firewall that the log collector is allowed to initiate outbound traffic on port 443.|
44-
|Logs sent to the collector don't appear in the portal | 1. Check to see if there are failed parsing tasks in the Governance log. <br /> &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Data source page, verify that the name of data source is **NSS** and that it's configured correctly. <br />&nbsp;&nbsp;&nbsp;&nbsp;b. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine. <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP, or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4. Verify that the log collector is allowed to initiate outbound traffic on port 443. |
44+
|Logs sent to the collector don't appear in the portal | 1. Check to see if there are failed parsing tasks in the Governance log. <br /> &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine. <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP, or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4. Verify that the log collector is allowed to initiate outbound traffic on port 443. |
4545
|Log collector status: Created | The log collector deployment wasn't completed. Complete the on-premises deployment steps according to the deployment guide.|
4646
|Log collector status: Disconnected | If you see this issue, it means no data has been received in the last 24 hours from any of the linked data sources. Contact Microsoft Defender for Cloud Apps support and provide the log files for investigation. Our team analyzes the logs to identify when the last sync occurred and what caused the disconnection. |
4747
|Failed pulling latest collector image| If you get this error during Docker deployment, it could be that you don't have enough memory on the host. To check this, run this command on the host: `docker pull mcr.microsoft.com/mcas/logcollector`. If it returns this error: `failed to register layer: Error processing tar file(exist status 1): write /opt/jdk/jdk1.8.0_152/src.zip: no space left on device` contact your host machine administrator to provide more space.|
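Review bot: Removing the NSS sub-step leaves step 2 with a single lettered item (`a. In the Log collectors page, verify that the data source is linked to the right log collector.`) and no `b.`; either fold that check into step 2 itself or drop the letter. Also confirm that the data-source name check was removed because it no longer applies to this data source, not merely because the name was out of date, since a misnamed data source is still a plausible reason for logs not appearing.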

defender-for-identity/deploy/prerequisites-sensor-version-3.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,6 @@ For more information, see [Licensing and privacy FAQs](/defender-for-identity/te
3434
- You must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following [Unified RBAC](../role-groups.md#unified-role-based-access-control-rbac) permissions:
3535
- `System settings (Read and manage)`
3636
- `Security setting (All permissions)`
37-
- We recommend using at least one Directory Service account, with read access to all objects in the monitored domains. For more information, see [Configure a Directory Service account for Microsoft Defender for Identity](directory-service-accounts.md).
3837

3938
## Sensor requirements and recommendations
4039
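Review bot: Dropping the Directory Service account recommendation from the prerequisites is consistent with the table row added further down saying the sensor uses the Local System identity, but the linked `directory-service-accounts.md` page is not touched in this commit; make sure it does not still tell v3 sensor users to configure one. A one-line pointer here to that table row would also let readers of the prerequisites list see why a DSA is no longer needed rather than wondering whether the bullet was dropped by mistake.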

@@ -49,6 +48,7 @@ The following table summarizes the server requirements and recommendations for t
4948
|Connectivity|Requires a Microsoft Defender for Endpoint deployment. If Microsoft Defender for Endpoint is installed on the domain controller, there are no additional connectivity requirements. |
5049
|Server time synchronization|The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.|
5150
|ExpressRoute|This version of the sensor doesn't support ExpressRoute. If your environment uses ExpressRoute, we recommend [deploying the Defender for Identity sensor v2.x](install-sensor.md).|
51+
|Identity and response actions|The sensor doesn't require credentials to be provided in the portal. Even if credentials are entered, the sensor uses the **Local System identity** on the server to query Active Directory and perform response actions. If a **Group Managed Service Account (gMSA)** is configured for response actions, the response actions are disabled. |
5252

5353
### Dynamic memory requirements
5454
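Review bot: The new **Identity and response actions** row says `If a Group Managed Service Account (gMSA) is configured for response actions, the response actions are disabled`, which is a failure mode administrators will hit; state where it is surfaced (a health issue, a portal warning, or silently) and what to do about it. The sentence `Even if credentials are entered, the sensor uses the Local System identity` also needs a note on what that identity must be able to do in Active Directory for response actions to succeed, since that is the effective prerequisite this row introduces.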

defender-vulnerability-management/fixed-reported-inaccuracies.md

Lines changed: 1 addition & 1 deletion
@@ -39,6 +39,7 @@ The following tables present the relevant vulnerability information organized by
3939
|---|---|---|
4040
| - | Added MDVM support for Zoom vulnerability- CVE-2025-49457 | 03-September-25 |
4141
| - | Added MDVM support for 8 Tableau Server vulnerabilities- CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454 and CVE-2025-52455 | 09-September-25 |
42+
| - | Defender Vulnerability Management has completely rolled back support for Microsoft Visual C++ | 18-September-25 |
4243

4344
## August 2025
4445
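Review bot: The new row `Defender Vulnerability Management has completely rolled back support for Microsoft Visual C++` gives no reason, yet it sits in a table of fixed inaccuracies; state why (for example, inaccurate detections) so customers whose Visual C++ CVEs disappeared from reports understand that it was deliberate, and say whether support is expected to return. Where a tracking ID exists, fill the first column as the surrounding rows do.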

@@ -52,7 +53,6 @@ The following tables present the relevant vulnerability information organized by
5253
| 103856 | Fixed bad normalization in McAfee Network Security Manager | 05-August-25 |
5354
| 109441 | Fixed bad normalization in AlmaLinux Perl | 05-August-25 |
5455
| 97670 | Fixed inaccurate detections of VMware Tools by excluding invalid paths - "/vmware blast/", "/remote experience/" | 19-August-25 |
55-
| - | Added MDVM support for Microsoft Visual C++ vulnerabilities- CVE-2009-0901, CVE-2009-2493, CVE-2010-3190, CVE-2024-43590 | 20-August-25 |
5656
| 112007 | Fixed inaccuracy in Gimp vulnerability- CVE-2025-8672 | 21-August-25 |
5757
| 109858 | Fixed inaccuracy in Microsoft SQL Server Management Studio vulnerability- CVE-2025-29803 | 21-August-25 |
5858
| - | Updated CPE detection logic for Cisco Identity Services Engine | 26-August-25 |
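Review bot: Deleting the August row `Added MDVM support for Microsoft Visual C++ vulnerabilities- CVE-2009-0901, CVE-2009-2493, CVE-2010-3190, CVE-2024-43590` rewrites the changelog history; the September table above records that this support was rolled back, and the August entry is what makes that rollback intelligible. Keep the row, optionally with a trailing remark that it was rolled back on 18-September-25, rather than removing it.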
