MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 41 additions & 24 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 41 additions & 24 deletions
diff --git a/‎ATPDocs/index.yml‎
Lines changed: 0 additions & 2 deletions b/‎ATPDocs/index.yml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎ATPDocs/microsoft-365-security-center-mdi.md‎
Lines changed: 0 additions & 3 deletions b/‎ATPDocs/microsoft-365-security-center-mdi.md‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎ATPDocs/whats-new-archive.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/whats-new-archive.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 8 additions & 0 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎CloudAppSecurityDocs/app-activity-threat-hunting.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-activity-threat-hunting.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-app-policies-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-app-policies-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-detect-remediate-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-detect-remediate-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-get-started.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-get-started.md‎
Lines changed: 1 addition & 1 deletion
@@ -37,12 +37,6 @@ Direct Defender for Identity capabilities are supported on domain controllers on
 >
 > This issue is addressed in the out-of-band update [KB5037422](https://support.microsoft.com/en-gb/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3).
 
-### Defender for Endpoint onboarding
-
-Your domain controller must be onboarded to Microsoft Defender for Endpoint.
-
-For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
-
 ### Permissions requirements 
 
 To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
@@ -55,12 +49,6 @@ For more information, see:
 - [Unified role-based access control RBAC](../role-groups.md#unified-role-based-access-control-rbac)
 - [Create a role to access and manage roles and permissions](/microsoft-365/security/defender/create-custom-rbac-roles#create-a-role-to-access-and-manage-roles-and-permissions)
 
-### Connectivity requirements
-
-Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
-
-For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-
 ## Configure Windows auditing
 
 Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
@@ -78,42 +66,58 @@ For example, the following command defines all settings for the domain, creates
 Set-MDIConfiguration -Mode Domain -Configuration All
 ```
 
-## Activate Defender for Identity capabilities
+## Onboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
 
-After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
+### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-   The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
+    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
 
-1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
     :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Connectivity requirements
+
+Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
+
+For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+### Onboard Defender for Identity capabilities 
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**
+2. Select Download onboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
+   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
-1. Navigate to **System** > **Settings** > **Identities** > **Sensors**. 
+1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
-> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
 
 ## Test activated capabilities
 
-The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations show within five minutes.
-
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
@@ -163,7 +167,6 @@ IdentityQueryEvents
 
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
-
 ## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
@@ -214,17 +217,31 @@ Test remediation actions on a test user. For example:
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
-## Deactivate Defender for Identity capabilities on your domain controller
+## Offboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
+
+### Deactivate Defender for Identity capabilities on your domain controller 
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+1. Navigate to **Settings** > **Identities** > **Sensors**
 2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
     :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Offboard Defender for Identity capabilities on your domain controller 
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+
+1. Navigate to **Settings** > **Identities** > **Activation**
+2. Select Download offboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
 ## Next steps
 
 For more information, see [Manage and update Microsoft Defender for Identity sensors](../sensor-settings.md).
@@ -9,8 +9,6 @@ metadata:
   ms.service: microsoft-defender-for-identity
   ms.topic: landing-page
   ms.collection: M365-security-compliance
-  author: batamig
-  ms.author: bagol
   ms.date: 09/23/2019
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
 
@@ -6,9 +6,6 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 f1.keywords:
 - NOCSH
-ms.author: bagol
-author: batamig
-manager: raynew
 ms.date: 02/14/2024
 audience: ITPro
 ms.topic: concept-article
 
@@ -904,7 +904,7 @@ We are expanding our sensitivity definition for on-premises accounts to include
 
 Released June 14, 2020
 
-- **Feature enhancement: Additional activity details available in the unified SecOps experience**  
+- **Feature enhancement: Additional activity details available**  
 We've extended the device information we send to Defender for Cloud Apps including device names, IP addresses, account UPNs and used port. For more information about our integration with Defender for Cloud Apps, see [Using Azure ATP with Defender for Cloud Apps](/defender-for-identity/deploy-defender-identity).
 
 - Version includes improvements and bug fixes for internal sensor infrastructure.
 
@@ -24,6 +24,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## May 2025
 
+###  Expanded New Sensor Deployment Support for Domain Controllers (Preview)
+Defender for Identity now supports deploying its new sensor on Domain Controllers without requiring Defender for Endpoint onboarding. This simplifies sensor activation and expands deployment flexibility. [Learn more](deploy/activate-capabilities.md).
+
+
+### Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page
+The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify non-eligible servers and take action to update and onboard them for enhanced identity protection.
+
+
 ### Local administrators collection (using SAM-R queries) feature will be disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
 
 
@@ -1,6 +1,6 @@
 ---
 title: Hunt for threats in app activities | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 05/23/2025
 ms.topic: how-to
 description: Learn how app governance in Microsoft Defender for Cloud Apps helps you hunt for resources accessed and activities carried out by apps in your environment.
 ---
 
@@ -1,6 +1,6 @@
 ---
 title: Investigate app governance threat detection alerts | Microsoft Defender for Cloud Apps
-ms.date: 02/12/2023
+ms.date: 05/23/2025
 ms.topic: conceptual
 ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
 description: Learn how to investigate threat detection alerts from app governance in Microsoft Defender XDR with Microsoft Defender for Cloud Apps.
 
@@ -1,6 +1,6 @@
 ---
 title: Learn about app policies with app governance | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 05/23/2025
 ms.topic: overview
 description: Learn about app governance policies with Microsoft Defender for Cloud Apps in Microsoft Defender XDR.
 ---
 
@@ -1,6 +1,6 @@
 ---
 title: Learn about app governance threat detection and remediation  | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 05/23/2025
 ms.topic: conceptual
 description: Learn about app threat detection and remediation. With app governance in Microsoft Defender XDR with Microsoft Defender for Cloud Apps.
 ---
 
@@ -1,6 +1,6 @@
 ---
 title: Turn on app governance in Microsoft Defender for Cloud Apps
-ms.date: 04/11/2024
+ms.date: 05/23/2025
 ms.topic: how-to
 description: Get started with app governance capabilities to govern your apps in  Microsoft Defender for Cloud Apps.
 ---