MicrosoftDocs
diff --git a/‎ATPDocs/deploy/remote-calls-sam.md‎
Lines changed: 4 additions & 0 deletions b/‎ATPDocs/deploy/remote-calls-sam.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 9 additions & 6 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 2 additions & 2 deletions b/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 29 additions & 27 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 29 additions & 27 deletions
diff --git a/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 6 additions & 4 deletions b/‎defender-endpoint/attack-surface-reduction.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎defender-endpoint/behavioral-blocking-containment.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/behavioral-blocking-containment.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/client-behavioral-blocking.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/client-behavioral-blocking.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md‎
Lines changed: 14 additions & 14 deletions b/‎defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md‎
Lines changed: 14 additions & 14 deletions
diff --git a/‎defender-endpoint/configure-device-connectivity.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/configure-device-connectivity.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/configure-proxy-internet.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/configure-proxy-internet.md‎
Lines changed: 3 additions & 3 deletions
@@ -7,6 +7,10 @@ ms.topic: how-to
 
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
+> [!IMPORTANT]
+> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025.
+> 
+
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]
 
@@ -22,6 +22,15 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## May 2025
+
+### Local administrators collection (using SAM-R queries) feature will be disabled
+Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored.
+
+### New Health Issue
+
+New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
+
 ## April 2025
 
 ### Privileged Identity Tag Now Visible in Defender for Identity Inventory
@@ -47,7 +56,6 @@ For more information, see: [Integrations Defender for Identity and PAM services.
 
 ### New Service Account Discovery page
 
-
 Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you  centralized visibility into service accounts across your Active Directory environment.
 
 This update provides:
@@ -60,11 +68,6 @@ This update provides:
 
 For more information, see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md).
 
-
-### New Health Issue
-
-New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
-
 ### Enhanced Identity Inventory
 
 The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  
 
@@ -64,14 +64,14 @@ Use this detection to control file uploads and downloads in real time with sessi
 
 By enabling file sandboxing, files that according to their metadata and based on proprietary heuristics to be potentially risky, will also be sandbox scanned in a safe environment. The Sandbox scan may detect files that were not detected based on threat intelligence sources.
 
-Defender for Cloud Apps supports malware detection for the following apps:
+Defender for Cloud Apps supports "File Sandboxing" malware detection for the following apps:
 
 * Box
 * Dropbox
 * Google Workspace
 
 > [!NOTE]
->* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself.
+>* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). **In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself**.
 > * In *Box*, *Dropbox*, and *Google Workspace*, Defender for Cloud Apps doesn't automatically block the file, but blocking may be performed according to the app's capabilities and the app's configuration set by the customer.
 > * If you're unsure about whether a detected file is truly malware or a false positive, go to the Microsoft Security Intelligence page at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission) and submit the file for further analysis.
 
 
@@ -5,33 +5,33 @@
   - name: Zero Trust with Defender for Endpoint
     href: zero-trust-with-microsoft-defender-endpoint.md
   - name: Overview
-    items: 
-    - name: Defender for Endpoint on Windows
-      href: microsoft-defender-endpoint.md
-    - name: Defender for Endpoint on macOS
-      href: microsoft-defender-endpoint-mac.md
-    - name: Defender for Endpoint on Linux
-      href: microsoft-defender-endpoint-linux.md
-    - name: Defender for Endpoint on Android
-      href: microsoft-defender-endpoint-android.md
-    - name: Defender for Endpoint on iOS
-      href: microsoft-defender-endpoint-ios.md
-    - name: Defender for Endpoint for US Government customers
-      href: gov.md
-    - name: Defender for Endpoint Plan 1
-      items:
-      - name: Overview of Defender for Endpoint Plan 1
-        href: defender-endpoint-plan-1.md
-      - name: Setup and configuration
-        href: mde-p1-setup-configuration.md
-      - name: Get started
-        href: mde-plan1-getting-started.md
-    - name: Minimum requirements
-      href: minimum-requirements.md
-    - name: Supported Defender for Endpoint capabilities by platform
-      href: supported-capabilities-by-platform.md
-    - name: Antivirus solution compatibility with Defender for Endpoint
-      href: defender-compatibility.md
+    items:
+    - name: What is Microsoft Defender for Endpoint?
+      items: 
+      - name: Defender for Endpoint on Windows
+        href: microsoft-defender-endpoint.md
+      - name: Defender for Endpoint on macOS
+        href: microsoft-defender-endpoint-mac.md
+      - name: Defender for Endpoint on Linux
+        href: microsoft-defender-endpoint-linux.md
+      - name: Defender for Endpoint on Android
+        href: microsoft-defender-endpoint-android.md
+      - name: Defender for Endpoint on iOS
+        href: microsoft-defender-endpoint-ios.md
+      - name: Defender for Endpoint for US Government customers
+        href: gov.md
+      - name: Supported Defender for Endpoint capabilities by platform
+        href: supported-capabilities-by-platform.md
+      - name: Antivirus solution compatibility with Defender for Endpoint
+        href: defender-compatibility.md
+      - name: Defender for Endpoint Plan 1
+        items:
+        - name: Overview of Defender for Endpoint Plan 1
+          href: defender-endpoint-plan-1.md
+        - name: Setup and configuration
+          href: mde-p1-setup-configuration.md
+        - name: Get started
+          href: mde-plan1-getting-started.md
     - name: What's new in Defender for Endpoint
       href: whats-new-in-microsoft-defender-endpoint.md
       items: 
@@ -176,6 +176,8 @@
           items:
           - name: Deploy Defender for Endpoint on macOS
             items:
+            - name: Microsoft Defender for Endpoint Prerequisites on macOS
+              href: microsoft-defender-endpoint-mac-prerequisites.md
             - name: Deployment with Microsoft Intune
               href: mac-install-with-intune.md
             - name: JAMF Pro-based deployment
 
@@ -5,8 +5,8 @@ ms.service: defender-endpoint
 ms.subservice: asr
 ms.localizationpriority: medium
 audience: ITPro
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 ms.reviewer: sugamar
 manager: deniseb
 ms.custom: admindeeplinkDEFENDER
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 03/28/2025
+ms.date: 05/09/2025
 ---
 
 # Attack surface reduction rules overview
@@ -98,7 +98,7 @@ Also, make sure [Microsoft Defender Antivirus and anti-malware updates](/windows
 - Minimum platform release requirement: `4.18.2008.9`
 - Minimum engine release requirement: `1.1.17400.5`
 
-For more information and to get your updates, see [Update for Microsoft Defender anti-malware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
+For more information and to get your updates, see [Update for Microsoft Defender anti-malware platform](/defender-endpoint/microsoft-defender-antivirus-updates).
 
 ### Cases where warn mode isn't supported
 
@@ -134,6 +134,8 @@ You can set attack surface reduction rules for devices that are running any of t
 
 - Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 11 Pro, version 21H2 or later
+- Windows 11 Enterprise, version 21H2 or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
 - Windows Server 2025
 - [Windows Server 2022](/windows-server/get-started/whats-new-in-windows-server-2022) 
 
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 03/29/2025
+ms.date: 04/25/2025
 ---
 
 # Behavioral blocking and containment
 
@@ -17,7 +17,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 07/22/2024
+ms.date: 04/25/2025
 ---
 
 # Client behavioral blocking
 
@@ -1,6 +1,6 @@
 ---
-title: Configure the Microsoft Defender Antivirus cloud block timeout period
-description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
+title: Configure the Microsoft Defender Antivirus cloud block time-out period
+description: You can configure how long Microsoft Defender Antivirus blocks a file from running while waiting for a cloud determination.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
 author: emmwalshh
@@ -18,7 +18,7 @@ ms.collection:
 search.appverid: met150
 ---
 
-# Configure the cloud block timeout period
+# Configure the cloud block time out period
 
 **Applies to:**
 - [Microsoft Defender XDR](/defender-xdr)
@@ -33,15 +33,15 @@ search.appverid: met150
 
 When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](cloud-protection-microsoft-defender-antivirus.md).
 
-The default period that the file is [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
+The default period that the file is [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block time out period can help ensure there's enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
 
-## Prerequisites to use the extended cloud block timeout
+## Prerequisites to use the extended cloud block time out
 
-[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
+[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended time out period.
 
-## Specify the extended timeout period using Microsoft Defender for Endpoint Security settings management
+## Specify the extended time out period using Microsoft Defender for Endpoint Security settings management
 
-To specify the cloud block timeout period with Microsoft Defender for Endpoint Security settings management:
+To specify the cloud block time out period with Microsoft Defender for Endpoint Security settings management:
 
 1. Go to the Microsoft Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
 2. Select **Endpoints** > **Configuration management** > **Endpoint security policies**.
@@ -50,29 +50,29 @@ To specify the cloud block timeout period with Microsoft Defender for Endpoint S
 5. Under **Select Template** choose: "Microsoft Defender Antivirus".
 6. Select **Create policy**.
 7. Enter a name and description and select **Next**.
-8. From the **Defender** dropdown go to **Cloud Extended Timeout** and toggle it on.
+8. From the Defender dropdown, go to **Cloud Extended Timeout** and toggle it on.
 9. Specify the extended time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
 10. Select **Next** and **Save** to finish configuring your policy.
 
-## Specify the extended timeout period using Microsoft Intune
+## Specify the extended time out period using Microsoft Intune
 
-You can specify the cloud block timeout period with an [endpoint security policy in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).
+You can specify the cloud block time out period with an [endpoint security policy in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).
 
 1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) and sign in.
 
 2. Select **Endpoint security**, and then under **Manage**, choose **Antivirus**.
 
 3. Select (or create) an antivirus policy.
 
-4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the timeout, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
+4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the time out, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
 
 5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)
 
 6. Choose **Next**, and finish configuring your policy.
 
-## Specify the extended timeout period using Group Policy
+## Specify the extended time out period using Group Policy
 
-You can use Group Policy to specify an extended timeout for cloud checks.
+You can use Group Policy to specify an extended time out for cloud checks.
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11))
 
 
@@ -1,8 +1,8 @@
 ---
 title: Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
 description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint.         
-author: denisebmsft
-ms.author: deniseb 
+author: emmwalshh
+ms.author: ewalsh 
 manager: deniseb 
 ms.topic: how-to
 ms.service: defender-endpoint
 
@@ -3,8 +3,8 @@ title: Configure your devices to connect to the Defender for Endpoint service us
 description: Learn how to configure your devices to enable communication with the cloud service using a proxy.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -39,7 +39,7 @@ Depending on the operating system, the proxy to be used for Microsoft Defender f
 
 - For Windows devices, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) (in this article).
 - For Linux devices, see [Configure Microsoft Defender for Endpoint on Linux for static proxy discovery](linux-static-proxy-configuration.md).
-- For macOS devices, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md#network-connections).
+- For macOS devices, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac-prerequisites.md#network-connectivity).
 
 The Defender for Endpoint sensor requires Microsoft Windows HTTP (`WinHTTP`) to report sensor data and communicate with the Defender for Endpoint service. The embedded Defender for Endpoint sensor runs in system context using the `LocalSystem` account.