
Commit 7c26338

Merge branch 'main' into poliveria-entraid-10072025
2 parents 4364af5 + 935c00c commit 7c26338

9 files changed

+70
-9
lines changed


defender-endpoint/TOC.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
- name: Microsoft Defender for Endpoint
1+
- name: Microsoft Defender for Endpoint
22
href: index.yml
33
expanded: true
44
items:
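Review bot: the removed and added first lines of this hunk (`- name: Microsoft Defender for Endpoint`) are textually identical, so the change is most likely a line-ending, trailing-whitespace or BOM difference at the top of TOC.yml; confirm it is an intentional normalisation rather than an editor artifact before merging, since the hunk otherwise carries no content change.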
@@ -512,6 +512,8 @@
512512
href: run-analyzer-linux.md
513513
- name: Run the client analyzer on macOS
514514
href: run-analyzer-macos.md
515+
- name: Diagnose issues with Client Analyzer
516+
href: use-client-analyzer.md
515517
- name: Data collection for advanced troubleshooting on Windows
516518
href: data-collection-analyzer.md
517519
- name: Understand the analyzer HTML report
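Review bot: the new TOC entry `- name: Diagnose issues with Client Analyzer` / `href: use-client-analyzer.md` is inserted between the macOS analyzer article and the Windows data-collection article; make sure its indentation matches the sibling entries so it stays in the same YAML list, and decide whether the shorter TOC name is intended given that the new article's front-matter title is "Diagnose Defender for Endpoint issues with Client Analyzer".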

defender-endpoint/linux-install-manually.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -490,7 +490,7 @@ Download the onboarding package from the [Microsoft Defender portal](https://sec
490490

491491
1. Look at the alert details, machine timeline, and perform your typical investigation steps.
492492

493-
## Defender for Endpoint package external package dependencies
493+
## External package dependencies
494494

495495
For information, see [Prerequisites for Microsoft Defender for Endpoint on Linux: External package dependency](./mde-linux-prerequisites.md#external-package-dependency).
496496

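Review bot: renaming the heading from `## Defender for Endpoint package external package dependencies` to `## External package dependencies` also changes its auto-generated anchor, so any link elsewhere in the docs set that targets the old fragment will stop resolving; grep for the old anchor text and update those links (or add a redirect) in the same change. The new heading itself reads better and removes the repeated word "package".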
defender-endpoint/respond-file-alerts.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -310,14 +310,14 @@ You can also submit a sample through the [Microsoft Defender portal](https://www
310310
- **Devices list** - select the file links from the **Description** or **Details** in the **Device in organization** section
311311
- **Search box** - select **File** from the drop-down menu and enter the file name
312312

313-
2. In the **Deep analysis** tab of the file view, select **Submit**.
313+
1. In the **Deep analysis** tab of the file view, select **Submit**.
314314

315-
:::image type="content" source="media/submit-file.png" alt-text="The submit PE files button" lightbox="media/submit-file.png":::
315+
:::image type="content" source="media/submit-file.png" alt-text="The submit PE files button" lightbox="media/submit-file.png":::
316316

317317
> [!NOTE]
318-
> Only PE files are supported, including _.exe_ and _.dll_ files.
319-
320-
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
318+
> Only PE files are supported, including _.exe_ and _.dll_ files. Additionally, Windows App Store Executables are unsupported.
319+
320+
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
321321

322322
> [!NOTE]
323323
> Depending on device availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device (or Windows 11 or Windows Server 2012 R2+) reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
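Review bot: the added sentence in the note, `> Only PE files are supported, including _.exe_ and _.dll_ files. Additionally, Windows App Store Executables are unsupported.`, reads as a contradiction because executables shipped in Store (MSIX/AppX) packages are typically PE files themselves; state the exception explicitly instead, for example `> Only PE files (such as _.exe_ and _.dll_) are supported. Executables that belong to Windows App Store packages aren't supported.`, and drop the title case on "Windows App Store Executables". The renumbering of `2.` to `1.` relies on the renderer's automatic list numbering and matches the docs convention, so that part is fine.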
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
---
2+
title: Diagnose Defender for Endpoint issues with Client Analyzer
3+
ms.topic: conceptual
4+
description: Understand how to Diagnose Defender for Endpoint issues with Client Analyzer so that you can send the right data to Microsoft support for troubleshooting.
5+
ms.service: defender-endpoint
6+
author: KesemSharabi
7+
ms.author: kesharab
8+
audience: ITPro
9+
ms.collection:
10+
- m365-security
11+
- tier1
12+
- mde-ngp
13+
ms.subservice: ngp
14+
search.appverid: met150
15+
ms.date: 10/28/2025
16+
---
17+
18+
# Diagnose issues with Client Analyzer
19+
20+
When you troubleshoot Microsoft Defender for Endpoint, collecting diagnostic data is crucial for problem resolution. Different issues such as performance, connectivity and detection-related concerns, require different telemetry. As a security expert investigating these issues, you can use the [Client Analyzer](overview-client-analyzer.md) tool to gather data about your organization's Defender for Endpoint issues. With this data, you can troubleshoot your organization's Defender for Endpoint issues, and if needed [work with Microsoft support](contact-support.md) to resolve them
21+
22+
This article lists different types of issues and how to collect data for them using the Client Analyzer tool. The tool's flags are listed in [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md).
23+
24+
## Categorize your issue
25+
26+
Use the categories listed in the table to identify the type of issue you're experiencing. [Run the Client Analyzer tool](#run-the-client-analyzer-tool) with the appropriate flags when collecting data.
27+
28+
|Issue |Description and examples |Flags |
29+
|---------|---------|---------|
30+
|Issues that can't be reproduced |Issues that occur sporadically or are triggered by automated processes and can't be reproduced. This includes problems related to scheduled tasks such as automatic updates and scans, and Attack Surface Reduction (ASR) rules triggered unpredictably. | Run without flags |
31+
|Performance issues that can be reproduced |Includes high CPU usage, memory consumption problems, and slow response times. |`-a` and `-v` |
32+
|General |On-demand scans, manual updates, sense portal and alert issues, Attack Surface Reduction (ASR) issues that can be triggered on command, and app compatibility problems. |`-e` and `-v` |
33+
|Hanging systems |Unresponsive systems and freezes. Require advanced debugging techniques including memory dumps and crash analysis. |`-z` |
34+
|Compatibility |Issues with third-party applications, other security solutions, system software, performance problems, and functional issues. |`-c`, `-e` and `-v` |
35+
|Controlled Folder Access (CFA) |Include blocked applications, unexpected access permissions, and issues related to protected folders configuration. |Reproducible: `-cfa`, `-e` and `-v`</br>Nonreproducible: `-cfa` |
36+
|Data Loss Prevention (DLP) |Include policy enforcement problems, content detection false positives and negatives, and DLP client health and connectivity issues. |Reproducible: `-e`, `-t` and `-v`</br>Nonreproducible: `-t` |
37+
|Indicator |Include problems with URLs, domains, IP addresses, files, and certificates that aren't enforced as expected. |URL, IP, domain in first-party browser: `-a`, `-i` and `-v`</br>File indicator: `-v` |
38+
|Web Content Filtering (WCF) |Unenforced WCF policy when accessing web content using first and third party browsers. |`-a`, `-i` and `-v` |
39+
|Network protection |Network protection doesn't trigger configured policies when URLs, domains, and IPs are accessed through third-party browsers. |`-i` and `-v` |
40+
41+
## Run the Client Analyzer tool
42+
43+
Follow the steps in this section to collect data for the issues you've identified. Use the appropriate flags when needed. If you have scenarios that involve both working and nonworking conditions, collect separate log packages for each scenario and clearly label each collection. The comparison helps identify the differences that cause the performance issue.
44+
45+
1. Start log collection running:
46+
47+
```powershell
48+
49+
MDEClientAnalyzer.cmd
50+
51+
```
52+
53+
If you used a flag that includes a timespan, such as `-a`, `-e`, or `-v`, you're asked to specify the duration of the log collection.
54+
55+
2. Once the log collection starts, reproduce the issue so that the issue's data is captured while the logs are being collected.
56+
57+
3. To stop the log collection press Press `q`.
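Review bot: the last step has a duplicated word: `3. To stop the log collection press Press `q`.` should read `3. To stop the log collection, press `q`.`. Three smaller points in the same file: the opening paragraph ends without a period after `to resolve them`; the steps are numbered `1.`, `2.`, `3.` while the change to respond-file-alerts.md in this same commit switches to the all-`1.` convention, so pick one; and the `powershell` fence around `MDEClientAnalyzer.cmd` carries blank lines on either side of the command that can be dropped. Since the Flags column is the actionable part of the table, also confirm that every flag it lists (`-a`, `-v`, `-e`, `-z`, `-c`, `-cfa`, `-t`, `-i`) is documented in the linked data-collection-analyzer.md so readers can look up what each one collects.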

defender-xdr/create-custom-rbac-roles.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -145,7 +145,7 @@ To access and manage roles and permissions, without being a Global Administrator
145145

146146
## Configure scoped roles for Microsoft Defender for Identity
147147

148-
Scoped access for Microsoft Defender for Identity (MDI) is currently in **Public preview**. You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (URBAC) model. This allows you to restrict access and visibility to specific Active Directory domains, helping align with team responsibilities and reduce unnecessary data exposure.
148+
You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (URBAC) model for identities managed by Microsoft Defender for Identity (MDI). This allows you to restrict access and visibility to specific Active Directory domains or Organizational units, helping align with team responsibilities and reduce unnecessary data exposure.
149149

150150
For more information, see: [Configure scoped access for Microsoft Defender for Identity](/defender-for-identity/configure-scoped-access).
151151

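Review bot: the rewritten paragraph drops the statement that scoped access for MDI is in public preview; if that is meant to signal general availability, confirm that the linked /defender-for-identity/configure-scoped-access article and any preview banner are updated in the same release, otherwise the two pages will report conflicting status. Minor: `Organizational units` should be lowercase (`organizational units`, or `organizational units (OUs)` on first use), matching `Active Directory domains` in the same sentence.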
defender-xdr/threat-analytics.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -109,9 +109,11 @@ Categories are presented at the top of the threat analytics page. Counters show
109109

110110
To add report filter types in your dashboard, select **Filters**, choose from the list, and select **Add**.
111111

112+
:::image type="content" source="/defender/media/threat-analytics/ta-taglist-mtp.png" alt-text="Screenshot of the threat analytics Add filters option." lightbox="/defender/media/threat-analytics/ta-taglist-mtp.png":::
113+
112114
To set the types of reports you want in the list based on the available filters, select a filter type (for example, **Threat tags**), choose from the list, and select **Apply**.
113115

114-
:::image type="content" source="/defender/media/threat-analytics/ta-threattag-filters-mtp.png" alt-text="Screenshot of the Filters list." lightbox="/defender/media/threat-analytics/ta-threattag-filters-mtp.png":::
116+
:::image type="content" source="/defender/media/threat-analytics/ta-threattag-filters-mtp.png" alt-text="Screenshot of the Filters list in Threat tags." lightbox="/defender/media/threat-analytics/ta-threattag-filters-mtp.png":::
115117

116118
## View a threat analytics report
117119

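Review bot: the new image line references `/defender/media/threat-analytics/ta-taglist-mtp.png`; this page lists 9 files changed but shows only 6 text files, so confirm the asset at that path is actually added or updated in this commit and that it shows the **Filters** / **Add** step it is placed under rather than reusing an older tag-list screenshot (the filename suggests one). The alt-text change to `Screenshot of the Filters list in Threat tags.` is a useful clarification and needs no further change.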