Merge branch 'public' into public

Author: JackStuart

.openpublishing.redirection.defender-endpoint.json

@@ -82,8 +82,8 @@
     },
     {
       "source_path": "defender-endpoint/linux-support-rhel.md",
-      "redirect_url": "/defender-endpoint/comprehensive-guidance-on-linux-deployment",
-      "redirect_document_id": true
+      "redirect_url": "/defender-endpoint/linux-installer-script",
+      "redirect_document_id": false
     },
     {
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
@@ -105,10 +105,20 @@
       "redirect_url": "/defender-endpoint/overview-client-analyzer",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-endpoint/schedule-antivirus-scan-in-mde.md",
+      "redirect_url": "/defender-endpoint/schedule-antivirus-scan-anacron",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-endpoint/comprehensive-guidance-on-linux-deployment.md",
       "redirect_url": "/defender-endpoint/linux-installer-script",
       "redirect_document_id": true
-    }    
+    },
+    {
+      "source_path": "defender-endpoint/linux-schedule-scan-mde.md",
+      "redirect_url": "/defender-endpoint/schedule-antivirus-scan-crontab",
+      "redirect_document_id": true
+    } 
   ]
 }

ATPDocs/architecture.md

@@ -12,7 +12,7 @@ Microsoft Defender for Identity monitors your domain controllers by capturing an
 
 The following image shows how Defender for Identity is layered over Microsoft Defender XDR, and works together with other Microsoft services and third-party identity providers to monitor traffic coming in from domain controllers and Active Directory servers.
 
-:::image type="content" source="media/architecture/architecture.png" alt-text="Diagram of the Defender for Identity architecture." border="false":::
+:::image type="content" source="media\diagram-of-the-defender-for-identity-architecture.png" alt-text="Diagram of the Defender for Identity architecture." border="false":::
 
 Installed directly on your domain controller, Active Directory Federation Services (AD FS), or Active Directory Certificate Services (AD CS) servers, the Defender for Identity sensor accesses the event logs it requires directly from the servers. After the logs and network traffic are parsed by the sensor, Defender for Identity sends only the parsed information to the Defender for Identity cloud service.
 

ATPDocs/investigate-assets.md

@@ -63,9 +63,10 @@ When you investigate a specific identity, you'll see the following details on an
 |[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |     Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
 
 > [!NOTE]
-> **Investigation Priority Score** has been deprecated on December 3, 2025. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+> **Investigation Priority Score** has been deprecated on December 3, 2024. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+
+
 
-  
 For more information, see [Investigate users](/microsoft-365/security/defender/investigate-users) in the Microsoft Defender XDR documentation.
 
 ## Investigation steps for suspicious groups

ATPDocs/media/diagram-of-the-defender-for-identity-architecture.png

@@ -2,7 +2,7 @@
 title: 'Security assessment: Remove Resource Based Constrained Delegation for Microsoft Entra seamless SSO account'
 description: This article describes Microsoft Defender for Identity's Microsoft Entra Seamless Single sign-on (SSO) account with Resource Based Constrained Delegation (RBCD) applied security posture assessment report.
 author: RonitLitinsky
-ms.author: t-rlitinsky
+ms.author: rlitinsky
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     08/22/2024

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png

@@ -0,0 +1,49 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: 'Security assessment: Remove unsafe permissions on sensitive Microsoft Entra Connect accounts'
+description: This report lists any sensitive AD DS Connector (MSOL_) accounts or Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) with unsafe permissions.
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Remove unsafe permissions on sensitive Entra Connect accounts
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect accounts unsafe permissions security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services and Sign on method as part of Microsoft Entra Connect configuration is set to single sign-on and the SSO computer account exists. Learn more about Microsoft Entra seamless sign-on **[here](/entra/identity/hybrid/connect/how-to-connect-sso)**.
+
+## How can unsafe permissions on Microsoft Entra Connect accounts expose your hybrid identity to risk?
+
+Microsoft Entra Connect accounts like AD DS Connector account (also known as MSOL_) and Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) have powerful privileges, including replication and password reset rights. If these accounts are granted unsafe permissions, attackers could exploit them to gain unauthorized access, escalate privileges, or take control of hybrid identity infrastructure. This could lead to account takeovers, unauthorized directory modifications, and a broader compromise of both on-premises and cloud environments.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove unsafe permissions on sensitive Entra Connect accounts.
+
+1. Review the list of exposed entities to identify accounts with unsafe permissions. For example:
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png" alt-text="Screenshot of exposed entities" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png":::
+
+1. If you click on "Click to expend" you can find more details about the granted permissions. For example:  
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png" alt-text="Screenshot of excessive permissions" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png":::
+
+1. For each exposed account, remove problematic permissions that allow unprivileged accounts to takeover critical hybrid assets.
+
+
+## Next steps
+
+- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+
+- [Learn more about Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png

@@ -172,6 +172,9 @@ items:
          displayName: Microsoft Entra Connect
        - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
          href: remove-replication-permissions-microsoft-entra-connect.md
+       - name: Remove unsafe permissions on sensitive Entra Connect accounts
+         href: remove-unsafe-permissions-sensitive-entra-connect.md
+         displayName: MDI
        - name: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
          href: replace-entra-connect-default-admin.md
      - name: Identity infrastructure

ATPDocs/remove-rbcd-microsoft-entra-seamless-single-sign-on-account.md

@@ -24,6 +24,10 @@ For updates about versions and features released six months ago or earlier, see
 
 ## March 2025
 
+### New Health Issue
+
+New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
+
 ### Enhanced Identity Inventory (Preview)
 
 The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.