Merge branch 'main' into docs-editor/android-whatsnew-1763444189

Author: paulinbar

.openpublishing.redirection.defender-endpoint.json

@@ -20,11 +20,6 @@
       "redirect_url": "/defender-endpoint/evaluate-mdav-using-gp",
       "redirect_document_id": false
     },
-    {
-      "source_path": "defender-endpoint/linux-install-with-activator.md",
-      "redirect_url": "/defender-endpoint/linux-custom-location-installation",
-      "redirect_document_id": false
-    },
     {
       "source_path": "defender-endpoint/preview.md",
       "redirect_url": "/defender-xdr/preview",
@@ -155,6 +150,11 @@
       "redirect_url": "/defender-endpoint/onboard-server",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-endpoint/linux-install-with-activator.md",
+      "redirect_url": "/defender-endpoint/linux-install-with-defender-deployment-tool",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-endpoint/mde-linux-arm.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",

defender-endpoint/TOC.yml

@@ -135,6 +135,8 @@
               href: streamlined-device-connectivity-urls-gov.md                       
         - name: Onboard client devices
           items:
+          - name: Onboard Windows devices using the Defender deployment tool
+            href: defender-deployment-tool-windows.md
           - name: Onboard client devices running Windows or macOS
             href: onboard-client.md
           - name: Defender for Endpoint plug-in for WSL
@@ -174,6 +176,7 @@
             href: mde-linux-deployment-on-sap.md
           - name: Use custom detection rules to protect SAPXPG
             href: mde-sap-custom-detection-rules.md
+
         - name: Defender for Endpoint on macOS
           items:
           - name: Deploy Defender for Endpoint on macOS
@@ -267,6 +270,8 @@
               items:
               - name: Enabling deployment to a custom location
                 href: linux-custom-location-installation.md
+              - name: Deployment tool based deployment
+                href: linux-install-with-defender-deployment-tool.md
               - name: Installer script based deployment
                 href: linux-installer-script.md
               - name: Ansible based deployment
@@ -625,6 +630,12 @@
         href: exclude-devices.md
       - name: Identifying transient devices
         href: transient-device-tagging.md
+      - name: Collect custom device data
+        items:
+        - name: Overview
+          href: custom-data-collection.md
+        - name: Create custom data collection rules
+          href: create-custom-data-collection-rules.md
       - name: Internet facing devices
         href: internet-facing-devices.md
       - name: Device timeline
@@ -1062,6 +1073,10 @@
             href: respond-machine-alerts.md#contain-devices-from-the-network
           - name: Contain user from the network
             href: respond-machine-alerts.md#contain-user-from-the-network
+          - name: Automatically apply GPO hardening (predictive shielding)
+            href: respond-machine-alerts.md#gpo-hardening
+          - name: Automatically apply Safeboot hardening (predictive shielding)
+            href: respond-machine-alerts.md#safeboot-hardening                     
           - name: Consult a threat expert
             href: respond-machine-alerts.md#consult-a-threat-expert
           - name: Check activity details in Action center
@@ -1098,10 +1113,7 @@
           href: live-response-command-examples.md
 
       - name: Use sensitivity labels to prioritize incident response
-        href: information-protection-investigation.md
-
-    - name: Advanced hunting
-      href: /defender-xdr/advanced-hunting-overview?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+        href: information-protection-investigation.md    
 
     - name: Threat analytics
       items:

defender-endpoint/configure-endpoints-gp.md

@@ -2,8 +2,8 @@
 title: Onboard Windows Servers to Microsoft Defender for Endpoint via Group Policy
 description: Use Group Policy to deploy the configuration package on Windows devices so that they're onboarded to the service.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -12,7 +12,7 @@ ms.collection:
 - tier1
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 10/13/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 search.appverid: met150
 appliesto:
@@ -23,6 +23,8 @@ appliesto:
 
 # Onboard Windows devices using Group Policy 
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Prerequisites
 
 - To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.

defender-endpoint/configure-endpoints-mdm.md

@@ -2,8 +2,8 @@
 title: Onboard Windows devices to Defender for Endpoint using Intune 
 description: Use Microsoft Intune to deploy the configuration package on devices so that they're onboarded to the Defender for Endpoint service.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -14,14 +14,15 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 10/31/2024
+ms.date: 11/17/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # Onboard Windows devices to Defender for Endpoint using Intune 
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
 
 You can use mobile device management (MDM) solutions to configure Windows 10 devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices.
 

defender-endpoint/configure-endpoints-sccm.md

@@ -12,14 +12,13 @@ ms.collection:
 - tier1
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 10/27/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 search.appverid: met150
 ---
 
 # Onboard Windows devices using Configuration Manager
 
-
 You can use Configuration Manager to onboard endpoints to the Microsoft Defender for Endpoint service. 
 
 There are several options you can use to onboard devices using Configuration Manager:
@@ -32,6 +31,7 @@ There are several options you can use to onboard devices using Configuration Man
 
 You can create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager reattempts to onboard the device until the rule detects the status change. For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
 
 ## Prerequisites
 

defender-endpoint/configure-endpoints-script.md

@@ -3,8 +3,8 @@ title: Onboard Windows Servers using a local script
 description: Use a local script to deploy the configuration package on devices to enable onboarding of the devices to the service.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: pahuijbr
 ms.localizationpriority: medium
 manager: bagol
@@ -15,22 +15,23 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
-ms.date: 04/16/2025
+ms.date: 11/17/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # Onboard Windows devices using a local script
 
-
 You can also manually onboard individual devices to Defender for Endpoint. You might want to onboard some devices when you're testing the service before you commit to onboarding all devices in your network.
 
 > [!IMPORTANT]
 > The script described in this article is recommended for manually onboarding devices to Defender for Endpoint. It should only be used on a limited number of devices. If you're deploying to a production environment, see [other deployment options](onboard-client.md), such as Intune, Group Policy, or Configuration Manager.
 
 Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Onboard devices
 
 1. Open the configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):

defender-endpoint/configure-endpoints-vdi.md

@@ -3,8 +3,8 @@ title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
 description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they're onboarded to Microsoft Defender for Endpoint service.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: pahuijbr; yonghree
 ms.localizationpriority: medium
 manager: bagol
@@ -14,18 +14,15 @@ ms.collection:
 - tier2
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 03/11/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
-
-
-
 
+# Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
 
 Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduces costs, as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. 
 
@@ -34,6 +31,8 @@ Like any other system in an IT environment, VDI devices should have an endpoint
 > [!NOTE]
 > **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information, see [Onboarding Windows client](onboard-client.md).
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices
 
 Defender for Endpoint supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario:

defender-endpoint/create-custom-data-collection-rules.md

@@ -0,0 +1,115 @@
+---
+title: Create and manage custom data collection rules in Microsoft Defender for Endpoint
+description: Learn how to create and manage custom data collection rules in Microsoft Defender for Endpoint to enhance your threat hunting capabilities.
+ms.service: defender-endpoint
+f1.keywords: 
+  - NOCSH
+ms.author: lwainstein
+author: limwainstein
+ms.localizationpriority: medium
+manager: bagol
+audience: ITPro
+ms.collection: 
+  - m365-security
+  - tier1
+  - usx-security
+ms.topic: how-to
+search.appverid: 
+  - MOE150
+  - MET150
+ms.date: 11/12/2025
+appliesto:
+  - Microsoft Defender for Endpoint
+---
+
+# Create and manage custom data collection rules in Microsoft Defender for Endpoint (Preview)
+
+[!INCLUDE [Prerelease information](../includes/prerelease.md)]
+
+[Custom data collection (Preview)](custom-data-collection.md) enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs.
+
+Custom data collection rules allow you to define specific events and analyze the data to enhance your security visibility and threat hunting operations. Custom data collection rules are based on tailored filters for event properties such as folder paths, process names, and network connections.
+
+This article shows you how to create and manage custom data collection rules in the Microsoft Defender portal.
+
+## Create custom data collection rules
+
+### Prerequisites
+
+To use custom data collection, check that you have the following prerequisites:
+
+- A Microsoft Defender for Endpoint P2 license.
+- A connected [Microsoft Sentinel workspace](/azure/sentinel/quickstart-onboard): required for custom data storage and querying. You can currently only connect one Sentinel workspace per Defender for Endpoint tenant for custom data collection.
+- Dynamic tags configured in [Asset Rule Management](/defender-xdr/configure-asset-rules) for device targeting. To use a tag for custom data collection, the tag should be run at least once.
+
+### Supported operating systems
+
+- **Windows 10 and 11** with a minimum Defender for Endpoint client version of 10.8805.
+    - Windows 10 requires enrollment in [Extended Security Updates (ESU) program](/windows/whats-new/extended-security-updates).
+
+### Performance and limits
+
+- Each collection rule can capture up to 25,000 events per device within a 24-hour rolling window. Once the device reaches the limit, telemetry for the specific rule on the specific device stops until the window resets.
+    - If the device reaches the threshold early in the cycle, it can take up to 24 hours for telemetry to resume. For example, if the device reaches the limit one hour after the window resets, telemetry resumes after 23 hours.
+    - If the device reaches the threshold near the end of the window, the delay is shorter. For example, if the device reaches the limit two hours before the window resets, telemetry resumes after two hours.
+- Rule deployment typically takes 20 minutes to one hour.
+- Custom collection operates alongside default Defender for Endpoint configuration without interference.
+
+### Data costs
+
+Custom data collection is included with Microsoft Defender for Endpoint P2 licensing. However, data ingestion into Microsoft Sentinel workspaces incurs charges based on your Sentinel billing arrangement.
+
+### Create rules
+
+1. In the Microsoft Defender portal, navigate to **Settings** > **Endpoints** > **Rules** > **Custom Data Collection**.
+
+    :::image type="content" source="media/custom-data-collection/custom-data-collection-main-view.png" alt-text="Screenshot of the main Custom Data Collection page." lightbox="media/custom-data-collection/custom-data-collection-main-view.png":::
+
+1. To switch your Microsoft Sentinel workspace, select the workspace name on the top right, and select the workspace.
+1. Select **Create rule**. In the **General Information** section, type a rule name and description, and select **Next**.
+
+    :::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule-general.png" alt-text="Screenshot of creating a rule: General Information page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule-general.png":::
+
+1. In the **Create rule** section:
+
+    1. Select which table you want to collect data from. For more information, see [Supported event tables](custom-data-collection.md#supported-event-tables).
+    1. Select the action for which you want to collect data.
+    1. Add rule conditions to filter the data even further. You can add multiple conditions to refine the data collection. Rule conditions are based on the selected table. For more information, see the respective table link under [Supported event tables](custom-data-collection.md#supported-event-tables).
+
+    :::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule.png" alt-text="Screenshot of creating a rule: Create rule page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule.png":::
+   
+1. Select **Next**.
+
+1. In the **Define rule scope** section, select whether you want to collect data from all applicable client devices or from specific devices that include dynamic tags. For more information, see [Create dynamic rules for devices in asset rule management](/defender-xdr/configure-asset-rules).
+
+    :::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule-define-scope.png" alt-text="Screenshot of creating a rule: Define scope page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule-define-scope.png":::
+
+    > [!NOTE]
+    > Custom data collection only supports dynamic tags.
+
+1. In the **Review and finish** section, review your rule settings, and select **Submit**.
+
+    :::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule-review.png" alt-text="Screenshot of creating a rule: Review and finish page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule-review.png":::
+
+It can take up to an hour for the rule to be deployed to the targeted devices.
+
+## Monitor and troubleshoot
+
+If rules aren't working as expected:
+
+- Create a broad rule to collect events in an unexpected use case. For example, create a rule that collects all network events where `port not equals 0`.
+- Apply individual filters and tags to isolate issues.
+- If a device isn't responding after you enable the feature, reboot the device.
+
+Review these considerations when monitoring and troubleshooting custom data collection rules:
+
+- Endpoint detection and response (EDR) exclusions may override custom collection rules.
+- Dynamic tags update approximately every hour. Check the **Custom collection** > **Last run time** column for the status.
+
+## Edit, delete, and enable or disable custom data collection rules
+
+- To edit a rule, navigate to **Settings** > **Endpoints** > **Rules** > **Custom Collection**, select the rule you want to edit, and select **Edit**.
+- To disable or enable a rule, select the rule you want to modify, and select or clear the **Enable** check-box under the rule description. When you disable a rule,data collection for that rule stops on all targeted devices.
+- To delete a rule, select the rule you want to delete, and select **Delete**. When you delete a rule, the rule is permanently removed from the system.
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]