Merge branch 'poliveria-entraid-10072025' of https://github.com/MicrosoftDocs/defender-docs-pr into poliveria-entraid-10072025

Author: poliveria

.github/workflows/AutoLabelAssign.yml

@@ -30,11 +30,11 @@ jobs:
         with:
             PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
             AutoAssignUsers: 1
-            AutoAssignReviewers: 1
+            AutoAssignReviewers: 0
             AutoLabel: 1
             ExcludedUserList: '["user1", "user2"]'
             ExcludedBranchList: '["branch1", "branch2"]'
         secrets:
             AccessToken: ${{ secrets.GITHUB_TOKEN }}
             PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
-            ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+            ClientId: ${{ secrets.M365_APP_CLIENT_ID }}

.openpublishing.redirection.defender-endpoint.json

@@ -159,6 +159,11 @@
       "source_path": "defender-endpoint/mde-linux-arm.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",
       "redirect_document_id": false
-    } 
+    }, 
+    {
+      "source_path": "defender-endpoint/contact-support.md",
+      "redirect_url": "/defender-xdr/contact-defender-support",
+      "redirect_document_id": false
+    },
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -215,6 +215,16 @@
       "redirect_url": "/unified-secops-platform/mto-dashboard",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/configure-deception.md",
+      "redirect_url": "/defender-xdr/automatic-attack-disruption",
+      "redirect_document_id": false
+    },
+  {
+      "source_path": "defender-xdr/deception-overview.md",
+      "redirect_url": "/defender-xdr/automatic-attack-disruption",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/mto-endpoint-security-policy.md",
       "redirect_url": "/unified-secops-platform/mto-endpoint-security-policy",

advanced-threat-analytics/docfx.json

@@ -42,7 +42,7 @@
     "globalMetadata": {
       "feedback_system": "Standard",
       "author": "AbbyMSFT",
-      "manager": "AbbyMSFT",
+      "manager": "abbyweisberg",
       "ms.author": "abbyweisberg",
       "feedback_github_repo": "MicrosoftDocs/atadocs",
       "feedback_product_url": "https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection",

defender-business/mdb-get-started.md

@@ -19,6 +19,7 @@ ms.collection:
 - tier1
 - essentials-get-started
 ms.custom: intro-get-started
+#customer intent: As a Defender for Business admin, I need quick guidance to navigate the Microsoft Defender portal and find first steps so I can get started securing devices and email.
 ---
 
 # Visit the Microsoft Defender portal

defender-endpoint/TOC.yml

@@ -126,15 +126,13 @@
             - name: Step 2 - Configure device proxy and Internet settings
               href: configure-proxy-internet.md
             - name: Step 3 - Verify client connectivity to service URLs
-              href: verify-connectivity.md
-            
-        - name: Streamlined connectivity
-          items:
-            - name: Onboarding devices using streamlined method
-              href: configure-device-connectivity.md
-            - name: Migrating devices to streamlined method
+              href: verify-connectivity.md        
+            - name: Onboard devices using streamlined method
+              href: configure-device-connectivity.md            
+            - name: Migrate devices to streamlined method
               href: migrate-devices-streamlined.md
-
+            - name: Enable access to service URLs - US government            
+              href: streamlined-device-connectivity-urls-gov.md                       
         - name: Onboard client devices
           items:
           - name: Onboard client devices running Windows or macOS
@@ -285,6 +283,8 @@
                 href: linux-deploy-defender-for-endpoint-using-golden-images.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+              - name: Deployment guidance for Defender for Endpoint on Linux for SAP
+                href: mde-linux-deployment-on-sap.md
           - name: Configure Defender for Endpoint on Linux
             items:
             - name: Configure security policies and settings

defender-endpoint/access-mssp-portal.md

@@ -22,8 +22,6 @@ appliesto:
 # Access the Microsoft Defender XDR MSSP customer portal
 
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
-
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

defender-endpoint/admin-submissions-mde.md

@@ -20,8 +20,6 @@ ms.custom: FPFN
 
 # Submit files in Microsoft Defender for Endpoint
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
-
 
 In Microsoft Defender for Endpoint, admins can use the unified submissions feature to submit files and file hashes (SHAs) to Microsoft for review. The unified submissions experience is a one-stop shop for submitting emails, URLs, email attachments, and files in one, easy-to-use submission experience. Admins can use the Microsoft Defender portal or the Microsoft Defender for Endpoint Alert page to submit suspicious files.
 

defender-endpoint/advanced-features.md

@@ -2,8 +2,8 @@
 title: Configure advanced features in Microsoft Defender for Endpoint
 description: Turn on advanced features such as block file in Microsoft Defender for Endpoint.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: yongrhee
 ms.localizationpriority: medium
 manager: bagol
@@ -14,17 +14,14 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 02/25/2025
+ms.date: 10/31/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # Configure advanced features in Defender for Endpoint
 
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
-
-
 Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
 
 ## Enable advanced features
@@ -168,9 +165,9 @@ For more information about role assignments, see [Create and manage roles](user-
 
 Enabling this feature allows you to run unsigned scripts in a live response session.
 
-## Deception
+## Automatic attack disruption
 
-Deception enables your security team to manage and deploy lures and decoys to catch attackers in your environment. After you turn this on, go to Rules > Deception rules to run deception campaigns. See [Manage the deception capability in Microsoft Defender XDR](/defender-xdr/deception-overview).
+Automatic attack disruption disrupts attacks by automatically containing compromised assets that the attacker is using. It limits lateral movement early on, thereby reducing the overall impact of an attack, both on the associated costs and on  loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online. For more information, see [Automatic attack disruption in Microsoft Defender XDR](/defender-xdr/automatic-attack-disruption).
 
 ## Share endpoint alerts with Microsoft Compliance Center
 

defender-endpoint/aggregated-reporting.md

@@ -12,14 +12,13 @@ ms.collection:
 - tier3
 ms.topic: article
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 10/20/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 2
 ---
 
 # Aggregated reporting in Microsoft Defender for Endpoint
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 Aggregated reporting addresses constraints on event reporting in Microsoft Defender for Endpoint. Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties.
 
@@ -33,13 +32,16 @@ When aggregated reporting is turned on, you can query for a summary of all suppo
 
 The following requirements must be met before turning on aggregated reporting:
 
-- Defender for Endpoint Plan 2 license
 - Permissions to enable advanced features
 
-Aggregated reporting supports the following:
 
-- Client version: Windows version 24H and later
-- Operating systems: Windows 11 (22H2, Enterprise), Windows 10 (20H2, 21H1, 21H2), Windows Server 2019 and later, Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+### Supported operating systems: 
+
+  - Windows 10 (20H2, 21H1, 21H2)
+  - Windows 11 (22H2, Enterprise)
+  - Windows Server 2019 and later
+  - Windows Server version 20H2 or Azure Stack HCI OS, version 23H2 and later
+  - Client version: Windows version 24H and later
 
 ## Turn on aggregated reporting
 
@@ -77,9 +79,9 @@ To query new data with aggregated reports:
 3. When necessary, create new custom rules to incorporate new action types.
 4. Go to the **Advanced Hunting** page and query the new data.
 
-Here is an example of advanced hunting query results with aggregated reports.
+   Here is an example of advanced hunting query results with aggregated reports.
 
-:::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
+   :::image type="content" source="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports-small.png" alt-text="Screenshot of advanced hunting query results with aggregated reports." lightbox="/defender-endpoint/media/reports/aggregated-reporting/sample-results-aggregated-reports.png":::
 
 ## Sample advanced hunting queries
 
@@ -125,4 +127,4 @@ DeviceNetworkEvents
 | where uniqueEventsAggregated > 10
 | project-reorder ActionType, Timestamp, uniqueEventsAggregated 
 | sort by uniqueEventsAggregated desc
-```
+```