
Commit 71b119d

Merge branch 'public' into patch-2
2 parents b99185c + aada4fa commit 71b119d

95 files changed: +1284 -1649 lines changed


.openpublishing.redirection.ata-atp.json

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,21 @@
1515
"redirect_url": "deploy/active-directory-federation-services",
1616
"redirect_document_id": false
1717
},
18+
{
19+
"source_path": "ATPDocs/deploy/quick-installation-guide.md",
20+
"redirect_url": "deploy/deploy-defender-identity",
21+
"redirect_document_id": false
22+
},
23+
{
24+
"source_path": "ATPDocs/deploy/prerequisites.md",
25+
"redirect_url": "deploy/prerequisites-sensor-version-2",
26+
"redirect_document_id": false
27+
},
28+
{
29+
"source_path": "ATPDocs/deploy/activate-capabilities.md",
30+
"redirect_url": "deploy/activate-sensor",
31+
"redirect_document_id": false
32+
},
1833
{
1934
"source_path": "ATPDocs/configure-event-collection.md",
2035
"redirect_url": "deploy/configure-event-collection",
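Review bot: the three added redirect entries follow the existing shape (`source_path` under `ATPDocs/`, relative `redirect_url`, `redirect_document_id: false`) and the trailing `},` before the existing `{` keeps the array valid, so the thing to confirm is that every target exists in this commit. `deploy/activate-sensor` and `deploy/prerequisites-sensor-version-2` are visible elsewhere in the diff, but `deploy/deploy-defender-identity` is not, and the `quick-installation-guide.md` source is not among the visible files either. Also note that the old `prerequisites.md` URL now lands on the v2 page only, while the new `activate-sensor.md` links to `prerequisites-sensor-version-3.md`; readers with a bookmarked prerequisites URL who are onboarding the v3 sensor are not redirected to the page that applies to them.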

ATPDocs/deploy/activate-capabilities.md

Lines changed: 0 additions & 268 deletions
This file was deleted.

ATPDocs/deploy/activate-sensor.md

Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
---
2+
title: Activate the Defender for Identity sensor v3.x on a domain controller
3+
description: Learn about how to activate the Microsoft Defender for Identity sensor on domain controllers.
4+
ms.date: 06/30/2025
5+
ms.topic: how-to
6+
ms.reviewer: rlitinsky
7+
---
8+
9+
# Activate the Defender for Identity sensor v3.x on a domain controller (Preview)
10+
11+
For complete protection of your on-premises deployment, we recommend activating the Defender for Identity sensor on all applicable servers. This article describes onboarding for new domain controllers running Windows Server 2019 or later. For domain controllers running older operating systems, we recommend [deploying the classic Defender for Identity sensor](install-sensor.md).
12+
13+
## Prerequisites
14+
See [Microsoft Defender for Identity sensor v3.x prerequisites](prerequisites-sensor-version-3.md) for all system requirements before proceeding with activating the sensor.
15+
16+
## The Activation page
17+
18+
The **Activation** page displays all servers from your device inventory. Defender for Identity detects all of your servers and their configuration. The server's activation state lets you know what you need to do to onboard the domain controller to Defender for Identity.
19+
20+
You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, by selecting specific domain controllers from the list of eligible servers.
21+
22+
[![Screenshot that shows the Defender for Identity sensor activation page.](media/activate-capabilities/activation-page.png)](media/activate-capabilities/activation-page.png#lightbox)
23+
24+
|Activation State |Next steps |
25+
|---------|---------|
26+
|Activate new sensor |The domain controller is already onboarded to Defender for Endpoint. [Activate the sensor](#activate-the-defender-for-identity-sensor).|
27+
|Install classic sensor|[Deploy the classic Defender for Identity sensor](install-sensor.md) from the **Sensors page**.|
28+
|OS update is required |This domain controller is running an unsupported operating system version for the new sensor. Update the server to Windows Server 2019 or later to use the new sensor. |
29+
30+
<!--|Download onboarding package |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|-->
31+
32+
<!--## The Activation process
33+
The process for activating the sensor depends on your configuration.
34+
- If you have a Defender for Endpoint deployment, simply [activate the sensor](#activate-the-defender-for-identity-sensor).
35+
- If the domain controller is not onboarded to Defender for Endpoint, [onboard the domain controller](#onboard-the-domain-controller) by configuring Defender for Endpoint streamlined URLs, and then downloading and running the onboarding package.-->
36+
37+
## Activate the Defender for Identity sensor
38+
39+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Activation**.
40+
1. Select the domain controller where you want to activate Defender for Identity, and select **Activate**. Confirm your selection when prompted.
41+
42+
[![Screenshot that shows how to activate the new sensor.](media/activate-capabilities/activate.png)](media/activate-capabilities/activate.png#lightbox)
43+
44+
1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers**. This takes you to the **Sensors** page, where you can check your sensor health.
45+
46+
[![Screenshot that shows how to see the onboarded servers.](media/activate-capabilities/successfully-activated.png)](media/activate-capabilities/successfully-activated.png#lightbox)
47+
48+
<!--## Onboard the domain controller
49+
50+
If the domain controller has not been onboarded to Defender for Endpoint for Servers, follow these steps to activate the sensor.
51+
52+
1. [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) using [streamlined URLs](/microsoft-365/security/defender-endpoint/configure-device-connectivity#option-1-configure-connectivity-using-the-simplified-domain).
53+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Activation**.
54+
1. Select **Download onboarding package**, and save the file in a location you can access from your domain controller.
55+
56+
[![Screenshot that shows how to onboard the new sensor.](media/activate-capabilities/download-on-boarding.png)](media/activate-capabilities/download-on-boarding.png#lightbox)
57+
58+
1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal.
59+
1. Run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an administrator.
60+
61+
[![screenshot that shows the onboarding script.](media/activate-capabilities/screenshot-2025-06-04-170500.png)](media/activate-capabilities/screenshot-2025-06-04-170500.png#lightbox)
62+
63+
!-->
64+
65+
## Confirm sensor activation
66+
67+
To confirm the sensor is working:
68+
69+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Sensors**.
70+
1. Check that the activated domain controller is listed.
71+
72+
> [!NOTE]
73+
> The first time you activate the Defender for Identity sensor on your domain controller, it might take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes. The activation doesn't require a restart/reboot.
74+
75+
## Next steps
76+
- [Manage and update Microsoft Defender for Identity sensors](../sensor-settings.md).
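Review bot: the `Activation State` table no longer covers domain controllers that are not yet onboarded to Defender for Endpoint, because the `Download onboarding package` row and the whole `## Onboard the domain controller` section are commented out while the `Activate new sensor` row still presupposes that onboarding has happened. Either restore a row that tells the reader what to do for a not-yet-onboarded server, or remove the commented blocks instead of shipping them in the published source. Smaller points: the H1 carries `(Preview)` but the front-matter `title` does not; the second comment closes with `!-->` (the stray `!` is harmless but should be `-->`); the images still live under `media/activate-capabilities/` even though `activate-capabilities.md` is deleted in this commit, so confirm that directory is kept; and `restart/reboot` in the note can be a single word.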

ATPDocs/deploy/active-directory-federation-services.md

Lines changed: 2 additions & 2 deletions
@@ -18,7 +18,7 @@ These considerations apply:
1818

1919
## Prerequisites
2020

21-
Prerequisites for installing Defender for Identity sensors on AD FS, AD CS, or Microsoft Entra Connect servers are the same as for installing sensors on domain controllers. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites.md).
21+
Prerequisites for installing Defender for Identity sensors on AD FS, AD CS, or Microsoft Entra Connect servers are the same as for installing sensors on domain controllers. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md).
2222

2323
A sensor installed on an AD FS, AD CS, or Microsoft Entra Connect server can't use the local service account to connect to the domain. Instead, you need to configure a [Directory Service Account](directory-service-accounts.md).
2424

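Review bot: the link text is still `Microsoft Defender for Identity prerequisites` while the target is now `prerequisites-sensor-version-2.md`; since this commit also introduces a separate `prerequisites-sensor-version-3.md` (linked from the new `activate-sensor.md` as `sensor v3.x prerequisites`), name the version in the link text, for example `Microsoft Defender for Identity sensor v2.x prerequisites`, so readers on AD FS, AD CS or Entra Connect servers know the classic-sensor page is the intended one.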
@@ -188,5 +188,5 @@ To validate that you successfully deployed a Defender for Identity sensor on an
188188
189189
For more information, see:
190190
191-
- [Microsoft Defender for Identity prerequisites](prerequisites.md)
191+
- [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md)
192192
- [Install the Microsoft Defender for Identity sensor](install-sensor.md)
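Review bot: this `For more information` entry keeps the generic text `Microsoft Defender for Identity prerequisites` although the target is now the v2-specific page; the Prerequisites section of this same file makes the identical change, so if the version is added to one link text, update both together.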

ATPDocs/deploy/capacity-planning.md

Lines changed: 7 additions & 3 deletions
@@ -10,9 +10,9 @@ ms.reviewer: rlitinsky
1010

1111
This article describes how to use the Microsoft Defender for Identity sizing tool to determine whether your domain controller servers have enough resources for a Microsoft Defender for Identity sensor.
1212

13-
While domain controller performance may not be affected if the server doesn't have required resources, the Defender for Identity sensor may not operate as expected. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites.md).
13+
While domain controller performance may not be affected if the server doesn't have required resources, the Defender for Identity sensor may not operate as expected. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md).
1414

15-
The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS / Entra Connect servers, as the performance impact on these servers is extremely minimal to not existent.
15+
The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against servers that are only AD FS, AD CS, or Entra Connect (unless those servers also function as a domain controller), as the performance impact on these servers is extremely minimal to not existent.
1616

1717
> [!TIP]
1818
> By default, Defender for Identity supports up to 350 sensors. To install more sensors, contact Defender for Identity support.
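Review bot: the rewritten scope sentence is clearer (servers running only AD FS, AD CS or Entra Connect are excluded unless they are also a domain controller), but `extremely minimal to not existent` should read `extremely minimal to nonexistent`, and since the line is already being changed this is the place to fix it.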
@@ -22,7 +22,7 @@ The sizing tool measures the capacity needed for domain controllers only. There
2222

2323
- Download the [Defender for Identity sizing tool](<https://aka.ms/mdi/sizingtool>).
2424
- Review the [Defender for Identity architecture](../architecture.md) article.
25-
- Review the [Defender for Identity prerequisites](prerequisites.md) article.
25+
- Review the [Defender for Identity prerequisites](prerequisites-sensor-version-2.md) article.
2626

2727
To ensure accurate results, only run the sizing tool *before* you've installed any Defender for Identity sensors in your environment.
2828

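Review bot: as with the other link retargets in this commit, the text `Defender for Identity prerequisites` stays generic while the target becomes `prerequisites-sensor-version-2.md`; the sizing tool is run before installing a specific sensor, so say which sensor's prerequisites page this is.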
@@ -120,6 +120,10 @@ Various tools can help you discover the average packet/second counter for your d
120120
> [!NOTE]
121121
> By default, Defender for Identity supports up to 350 sensors. If you want to install more sensors, contact Defender for Identity support.
122122
123+
> [!IMPORTANT]
124+
> If your domain controller runs low on available memory, a corresponding health issue will appear in the Defender for Identity portal to alert you of this condition. Learn more about [health issues](../health-alerts.md).
125+
126+
123127
## Next step
124128

125129

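Review bot: the new `[!IMPORTANT]` block uses future tense (`a corresponding health issue will appear`) where the rest of this commit moves to present tense (`you'll use` becomes `you use` in configure-sensor-settings.md); write `appears`. The block also adds a second empty line before `## Next step`, so the file now has two consecutive blank lines there. Consider as well whether a separate `[!IMPORTANT]` directly under the existing `[!NOTE]` is wanted; two stacked callouts of different severity read oddly.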
ATPDocs/deploy/configure-proxy.md

Lines changed: 3 additions & 10 deletions
@@ -1,27 +1,27 @@
11
---
2-
title: Verify connectivity to the Defender for Identity service | Microsoft Defender for Identity
2+
title: Connect to the Defender for Identity service | Microsoft Defender for Identity
33
description: Learn how to set up your firewall or proxy to allow communication between the Microsoft Defender for Identity cloud service and Microsoft Defender for Identity sensors.
44
ms.date: 02/12/2024
55
ms.topic: how-to
66
ms.reviewer: rlitinsky
77
---
88

9-
# Configure endpoint proxy and internet connectivity settings
9+
# Connect to the Defender for Identity service
1010

1111
Each Microsoft Defender for Identity sensor requires internet connectivity to the Defender for Identity cloud service to report sensor data and operate successfully.
1212

1313
In some organizations, the domain controllers aren't directly connected to the internet, but are connected through a web proxy connection, and SSL inspection and intercepting proxies are not supported for security reasons. In such cases, your proxy server must allow the data to directly pass from the Defender for Identity sensors to the relevant URLs without interception.
1414

1515
> [!IMPORTANT]
1616
> Microsoft does not provide a proxy server. This article describes how to ensure that the required URLs are accessible via a proxy server that you configure.
17-
>
1817
1918
## Enable access to Defender for Identity service URLs in the proxy server
2019

2120
To ensure maximal security and data privacy, Defender for Identity uses certificate-based, mutual authentication between each Defender for Identity sensor and the Defender for Identity cloud back-end. SSL inspection and interception are not supported, as they interfere in the authentication process.
2221

2322
To enable access to Defender for Identity, make sure to allow traffic to the sensor URL, using the following syntax: `<your-workspace-name>sensorapi.atp.azure.com`. For example, `contoso-corpsensorapi.atp.azure.com`.
2423

24+
- To get your workspace name, see the [About page](https://security.microsoft.com/settings/identities) in the portal.
2525
- If your proxy or firewall uses explicit allowlists, we also recommend ensuring that the following URLs are allowed:
2626

2727
- `crl.microsoft.com`
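Review bot: `ms.date` is still `02/12/2024` although this hunk changes both the `title` and the H1 and adds the workspace-name bullet; bump the date so the published page reflects the revision. The new bullet labels `https://security.microsoft.com/settings/identities` as the `About page`, which only holds if that settings route opens the About tab; otherwise describe the path as `Settings > Identities > About`. Removing the empty `>` line after the `[!IMPORTANT]` callout is a good cleanup.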
@@ -128,13 +128,6 @@ To configure your proxy, copy your proxy configuration in user context to the **
128128

129129
Make sure to paste the value from the `Current_User`'s `DefaultConnectionSettings` registry key as `REG_BINARY`.
130130

131-
## Related content
132-
133-
For more information, see:
134-
135-
- [Run a silent installation with a proxy configuration](install-sensor.md#command-for-running-a-silent-installation-with-a-proxy-configuration)
136-
- [Test Microsoft Defender for Identity connectivity](test-connectivity.md)
137-
138131
## Next step
139132

140133
> [!div class="step-by-step"]
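Review bot: removing `## Related content` drops the only links from this page to the silent-install-with-proxy instructions and to `test-connectivity.md`; a connectivity article should still point readers at the connectivity test. If those links were moved into `## Next step` or elsewhere in one of the hidden files, fine; otherwise restore them, ideally under the `## Next step` heading that survives.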

ATPDocs/deploy/configure-sensor-settings.md

Lines changed: 2 additions & 4 deletions
@@ -59,7 +59,7 @@ After the Defender for Identity sensor is installed, do the following to view an
5959
|Name |Description |
6060
|---------|---------|
6161
|**Description** | Optional. Enter a description for the Defender for Identity sensor. |
62-
|**Domain Controllers (FQDN)** | Required for the Defender for Identity [standalone sensors](prerequisites-standalone.md) and [sensors installed on AD FS / AD CS servers](active-directory-federation-services.md), and cannot be modified for the Defender for Identity sensor. <br><br>Enter the complete FQDN of your domain controller and select the plus sign to add it to the list. For example, **DC1.domain1.test.local**. <br><br>For any servers you define in the **Domain Controllers** list: <br><br> - All domain controllers whose traffic is being monitored via port mirroring by the Defender for Identity standalone sensor must be listed in the **Domain Controllers** list. If a domain controller isn't listed in the **Domain Controllers** list, detection of suspicious activities might not function as expected. <br><br> - At least one domain controller in the list should be a global catalog. This enables Defender for Identity to resolve computer and user objects in other domains in the forest. |
62+
|**Domain Controllers (FQDN)** | Required for the Defender for Identity [standalone sensors](prerequisites-standalone.md) and [sensors installed on AD FS / AD CS servers](active-directory-federation-services.md), and can't be modified for the Defender for Identity sensor. <br><br>Enter the complete FQDN of your domain controller and select the plus sign to add it to the list. For example, **DC1.domain1.test.local**. <br><br>For any servers you define in the **Domain Controllers** list: <br><br> - All domain controllers whose traffic is being monitored via port mirroring by the Defender for Identity standalone sensor must be listed in the **Domain Controllers** list. If a domain controller isn't listed in the **Domain Controllers** list, detection of suspicious activities might not function as expected. <br><br> - At least one domain controller in the list should be a global catalog. This enables Defender for Identity to resolve computer and user objects in other domains in the forest. |
6363
|**Capture Network adapters** | Required. <br><br> - For Defender for Identity sensors, all network adapters that are used for communication with other computers in your organization.<br><br> - For Defender for Identity standalone sensor on a dedicated server, select the network adapters that are configured as the destination mirror port. These network adapters receive the mirrored domain controller traffic. |
6464

6565
1. On the **Sensors** page, select **Export** to export a list of your sensors to a **.csv** file. For example:
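Review bot: only `cannot` to `can't` changes here, but the cell still says the field `can't be modified for the Defender for Identity sensor` right after saying it is required for standalone and AD FS / AD CS sensors, leaving the reader to infer that `the Defender for Identity sensor` means the sensor installed on a domain controller; spell that out while the line is being touched.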
@@ -71,11 +71,9 @@ After the Defender for Identity sensor is installed, do the following to view an
7171
Use the following procedures to validate your Defender for Identity sensor installation.
7272

7373
> [!NOTE]
74-
> If you're installing on an AD FS or AD CS server, you'll use a different set of validations. For more information, see [Validate successful deployment on AD FS / AD CS servers](active-directory-federation-services.md#validate-successful-deployment).
74+
> If you're installing on an AD FS or AD CS server, you use a different set of validations. For more information, see [Validate successful deployment on AD FS / AD CS servers](active-directory-federation-services.md#validate-successful-deployment).
7575
>
7676
77-
78-
7977
### Validate successful deployment
8078

8179
To validate that the Defender for Identity sensor has been successfully deployed:
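Review bot: with the two blank lines removed, the callout now ends with a bare `>` line followed by a single blank line; this same commit drops exactly such a trailing `>` in configure-proxy.md, so drop it here too for consistency. The `you'll use` to `you use` change matches the present-tense style used elsewhere in the diff.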
