Merge branch 'public' into patch-1

Author: denisebmsft

ATPDocs/deploy/configure-windows-event-collection.md

@@ -235,15 +235,16 @@ To configure domain object auditing:
 
         Now, all relevant changes to directory services appear as 4662 events when they're triggered.
 
-1. Repeat the steps in this procedure, but for **Applies to**, select the following object types:
+1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
-   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects** <sup>2</sup>
 
 > [!NOTE]
-> Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 1. Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 2. The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
 
 ## Configure auditing on AD FS
 

ATPDocs/identity-inventory.md

@@ -110,7 +110,7 @@ Sort option applies to Display name, Domain, and Created time columns.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 
-At the top of each device inventory tab, the following device counts are available:
+At the top of the page, the following identities counts are available:
 
 - __Total__: The total number of identities. 
 
@@ -120,7 +120,7 @@ At the top of each device inventory tab, the following device counts are availab
 
 - **Services:** The number of all service accounts both on-premises and cloud.
 
-You can use this information to help you prioritize devices for security posture improvements.
+You can use this information to help you prioritize identities for security posture improvements.
 
 ### Navigate to the Identity inventory page
 

ATPDocs/ops-guide/ops-guide.md

@@ -13,7 +13,7 @@ This article summarizes the Microsoft Defender for Identity activities we recomm
 
 |Cadence  |Tasks  |
 |---------|---------|
-|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br> - [Investigate users with a high investigation score](ops-guide-daily.md#investigate-users-with-a-high-investigation-score) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
+|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
 |**Weekly**     |- [Review Secure score recommendations](ops-guide-weekly.md#review-secure-score-recommendations) <br>  - [Review and respond to emerging threats](ops-guide-weekly.md#review-and-respond-to-emerging-threats) <br>- [Proactively hunt](ops-guide-weekly.md#proactively-hunt)   |
 |**Monthly**     | - [Review tuned alerts and adjust tuning if needed](ops-guide-monthly.md#review-tuned-alerts-and-adjust-tuning-if-needed) <br> - [Track new changes in Microsoft Defender XDR and Defender for Identity](ops-guide-monthly.md#track-new-changes-in-microsoft-defender-xdr-and-defender-for-identity)     |
 | **Quarterly / Ad hoc** <br>Depending on your organization's needs and processes | - [Review Microsoft service health](ops-guide-quarterly.md#review-microsoft-service-health) <br> - [Review server setup process to include sensors](ops-guide-quarterly.md#review-server-setup-process-to-include-sensors) <br>- [Check domain configuration via PowerShell](ops-guide-quarterly.md#check-domain-configuration-via-powershell) |

CloudAppSecurityDocs/governance-actions.md

@@ -83,8 +83,7 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
-> [!NOTE]
-> These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
+These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
  - Security Operator
  - Security administrator
  - Global administrator

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 06/06/2025
+ms.date: 06/30/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,19 +43,20 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
-### June-2025 Build: 101.25042.0002 | Release version: 30.125042.0002.0
+### June-2025 Build: 101.25042.0003 | Release version: 30.125042.0003.0
 
-|Build:             |**101.25042.0002**    |
+|Build:             |**101.25042.0003**    |
 |-------------------|----------------------|
-|Released:          |**June 4, 2025**      |
-|Published:         |**June 4, 2025**      |
-|Release version:   |**30.125042.0002.0**  |
+|Released:          |**June 30, 2025**      |
+|Published:         |**June 30, 2025**      |
+|Release version:   |**30.125042.0003.0**  |
 |Engine version:    |**1.1.25020.4000**    |
 |Signature version: |**1.427.370.0**       |
 
 What's new
-
-- Removed external dependency of uuid-runtime from MDE package
+- The Defender for Endpoint package rollout into production happens gradually. From the time the release notes are published, it might take up to a week for the package to be pushed to all production machines.
+- Removed external dependency of uuid-runtime from the Defender for Endpoint package
+- Other stability improvements and bug fixes
 
 ### May-2025 Build: 101.25032.0010 | Release version: 30.125032.0010.0
 

defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md

@@ -81,7 +81,7 @@ Each source has typical scenarios that depend on how your network is configured,
 |---|---|
 |Windows Server Update Service|You're using Windows Server Update Service to manage updates for your network.|
 |Microsoft Update|You want your endpoints to connect directly to Microsoft Update. This option is useful for endpoints that irregularly connect to your enterprise network, or if you don't use Windows Server Update Service to manage your updates.|
-|File share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments.|
+|UNC Share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments. Platform updates can also be deployed using this method. |
 |Microsoft Endpoint Configuration Manager|You're using Microsoft Endpoint Configuration Manager to update your endpoints.|
 |Security intelligence updates and platform updates for Microsoft Defender Antivirus and other Microsoft anti-malware (formerly referred to as MMPC)|[Make sure devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence and platform updates are delivered through Windows Update. As of October 21, 2019, security intelligence updates and platform updates are SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should be used only as a final fallback source, and not the primary source. It's only to be used if updates can't be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](manage-outdated-endpoints-microsoft-defender-antivirus.md#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
 
@@ -274,6 +274,32 @@ On a Windows File Server set up a network file share (UNC/mapped drive) to downl
     > [!NOTE]
     > Do not add the x64 (or x86) folder in the path. The `mpcmdrun.exe` process adds it automatically.
 
+## Enable platform updates using UNC share
+
+To enable platform updates using UNC share, download KB4052623 and copy it into the architecture folders as `updateplatform.exe`. These files are updated monthly and need to get manually updated by you.
+
+KB4052623 is available for the following architectures:
+
+* [x86](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x86)
+
+* [amd64](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x64)
+
+* [arm64](https://go.microsoft.com/fwlink/?LinkID=851034&clcid=0x409&arch=arm64) 
+
+**Example structure**
+
+```dos
+[UNC Share]\ 
+    x86\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+    x64\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+```
+
 ## Related articles
 
 - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -71,6 +71,7 @@ You can manage the distribution of updates through one of the following methods:
 - [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
 - [Microsoft Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
 - The usual methods you use to deploy Microsoft and Windows updates to endpoints in your network.
+- UNC Share
 
 For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 

unified-secops-platform/TOC.yml

@@ -104,6 +104,9 @@
               href: mto-advanced-hunting.md
             - name: Multitenant devices
               href: mto-tenant-devices.md
+            - name: Multitenant identities
+              href: multitenant-identities-inventory.md
+              displayName: MTO
             - name: Vulnerability management
               href: mto-dashboard.md
             - name: Manage tenants