Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into automatic-windows-auditing

Author: AbbyMSFT

defender-business/mdb-whats-new.md

@@ -52,7 +52,7 @@ This article lists new features in the latest releases of Microsoft Defender for
 
 - **Streaming API (preview) is now available for Defender for Business**. For partners or customers looking to build their own security operations center, the Defender for Endpoint streaming API is now in preview for Defender for Business. The API supports streaming of device file, registry, network, sign-in events and more to Azure Event Hub, Azure Storage, and Microsoft Sentinel to support advanced hunting and attack detection. See [Use the streaming API (preview) with Microsoft Defender for Business](mdb-streaming-api.md).
 
-- **Managed detection and response integration with Blackpoint Cyber**. This solution is ideal for customers who don't have the resources to invest in an in-house security operations center and for partners who want to augment their IT team with security experts to investigate, triage, and remediate the alerts generated by Defender for Business. [Learn more bout Blackpoint Cyber](https://aka.ms/BlackpointMSFT).
+- **Managed detection and response integration with Blackpoint Cyber**. This solution is ideal for customers who don't have the resources to invest in an in-house security operations center and for partners who want to augment their IT team with security experts to investigate, triage, and remediate the alerts generated by Defender for Business. [Learn more about Blackpoint Cyber](https://aka.ms/BlackpointMSFT).
 
 - **Customizable security baselines and configuration drift reports in Microsoft 365 Lighthouse**. For Microsoft Managed Service Providers (MSPs), Microsoft 365 Lighthouse includes security baselines to deploy a standardized set of configurations to customers' tenants. Microsoft 365 Lighthouse now lets MSPs customize baselines based on expertise and tailor them to customers' unique needs. [Learn more about Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview).
 

defender-endpoint/enable-attack-surface-reduction.md

@@ -345,6 +345,10 @@ Example:
    > Don't use quotes as they aren't supported for either the **Value name** column or the **Value** column.
    > The rule ID shouldn't have any leading or trailing spaces.
 
+> [!NOTE]
+> Microsoft rebranded Windows Defender Antivirus to Microsoft Defender Antivirus beginning with Windows 10 version 20H1.
+> Group Policy paths on earlier Windows versions may still reference Windows Defender Antivirus, while newer builds show Microsoft Defender Antivirus. Both names refer to the same policy location.
+
 ### PowerShell
 
 > [!WARNING]

defender-endpoint/media/atp-time-zone-menu.png

@@ -1,9 +1,9 @@
 ---
 title: Microsoft Defender XDR time zone settings
-description: Use the info contained here to configure the Microsoft Defender XDR time zone settings and view license information.
+description: Use the info contained here to configure the Microsoft Defender XDR time zone settings.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: article
 ms.subservice: reference
 search.appverid: met150
-ms.date: 05/05/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -22,9 +22,7 @@ appliesto:
 # Microsoft Defender XDR time zone settings
 
 
-This article describes time zone settings and options. You can use **Time zone** menu to configure the time zone and view license information.
-
-:::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-1" lightbox="media/atp-time-zone.png":::
+This article describes how to configure time zone settings and options.
 
 > [!NOTE]
 > Changing the time zone setting in the [Microsoft Defender portal](https://security.microsoft.com) only affects how times are displayed. It doesn't affect the actual scheduling of operations, such as antivirus scans, which continue to follow the local system time or UTC settings, depending on how they're configured.
@@ -33,10 +31,6 @@ This article describes time zone settings and options. You can use **Time zone**
 
 The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It's important that your system reflects the correct time zone settings. Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
 
-Your current time zone setting is shown in the **Timezone** menu in the Microsoft Defender portal.
-
-:::image type="content" source="media/atp-time-zone-menu.png" alt-text="The Time zone settings-2" lightbox="media/atp-time-zone-menu.png":::
-
 ### UTC time zone
 
 Defender for Endpoint uses UTC time by default. Keeping this time zone displays all system timestamps (alerts, events, and others) in UTC for all users. This configuration can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
@@ -55,13 +49,9 @@ The Defender for Endpoint time zone is set by default to UTC. Setting the time z
 
 To set the time zone:
 
-1. Select the **Time zone** menu.
-
-   :::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="media/atp-time-zone.png":::
-
-2. Select the **Timezone UTC** indicator.
+1. In the Microsoft Defender portal, go to **System** > **Settings** > **Microsoft Defender portal** > **Time zone**.
 
-3. Select **Timezone UTC** or your local time zone, for example `-7:00`.
+1. In the **Time zone** drop down menu, select either UTC or your local time zone.
 
 ### Regional settings
 

defender-endpoint/media/atp-time-zone.png

@@ -29,11 +29,17 @@ Learn more:
 - [What's new in Microsoft Defender for Endpoint on other operating systems and services](#whats-new-in-defender-for-endpoint-on-other-operating-systems-and-services)
 - [Preview features](/defender-xdr/preview)
 
+## December 2025
+
+|Feature  |Preview/GA  |Description  |
+|---------|------------|-------------|
+|[Triage collection](/azure/sentinel/datalake/sentinel-mcp-triage-tool) |Preview |Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server.|
+
 ## November 2025
 
 |Feature  |Preview/GA  |Description  |
 |---------|------------|-------------|
-|New predictive shielding response actions. |Preview |Defender for Endpoint now includes the [GPO hardening](respond-machine-alerts.md#gpo-hardening) and [Safeboot hardening](respond-machine-alerts.md#safeboot-hardening) response actions. These actions are part of the [predictive shielding](/defender-xdr/shield-predict-threats) feature, which anticipates and mitigates potential threats before they materialize.|
+|New predictive shielding response actions |Preview |Defender for Endpoint now includes the [GPO hardening](respond-machine-alerts.md#gpo-hardening) and [Safeboot hardening](respond-machine-alerts.md#safeboot-hardening) response actions. These actions are part of the [predictive shielding](/defender-xdr/shield-predict-threats) feature, which anticipates and mitigates potential threats before they materialize.|
 |[Custom data collection](custom-data-collection.md) |Preview |Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. |
 | Defender deployment tool<br/>- [for Windows devices](./defender-deployment-tool-windows.md)<br/>- [for Linux devices](./linux-install-with-defender-deployment-tool.md) | Preview | The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. |
 | [Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1](./onboard-downlevel.md#use-the-defender-deployment-tool-to-deploy-defender-endpoint-security) | Preview | A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new [Defender deployment tool](./defender-deployment-tool-windows.md). |

defender-endpoint/time-settings.md

@@ -26,6 +26,13 @@ Connecting Salesforce to Defender for Cloud Apps gives you improved insights int
 - Ransomware
 - Unmanaged bring your own device (BYOD)
 
+
+### Prerequisites
+
+- Install and authorize the Salesforce Connected App in the target Salesforce org before you start the connection process. Salesforce enforces usage restrictions on Connected Apps. For more information, see:[Prepare for Connected App Usage Restrictions Change](https://help.salesforce.com/s/articleView?id=005132365&type=1)
+
+- Assign the **Approve Uninstalled Connected Apps** permission to the Salesforce service account used to connect Microsoft Defender for Cloud Apps. Salesforce requires this permission to connect third-party apps via OAuth.
+
 ## How Defender for Cloud Apps helps to protect your environment
 
 - [Detect cloud threats, compromised accounts, and malicious insiders](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware)

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -87,8 +87,8 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
 
    You can use a condition only once, but the condition can contain multiple values:
 
-   - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them.
-   - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
+   - Multiple **values** of the **same condition** use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). If the recipient matches **any** of the specified values, the policy is applied to them.
+   - Different **types of conditions** use AND logic. The sender must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
      - Users: `[email protected]`
      - Groups: Executives
 
@@ -98,8 +98,8 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
 
      You can use an exception only once, but the exception can contain multiple values:
 
-     - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
-     - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
+     - Multiple **values** of the **same exception** use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
+     - Different **types of exceptions** use OR logic (for example, _\<sender1\>_ or _\<member of group1\>_ or _\<sender domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
 
    When you're finished on the **Users, groups, and domains**, select **Next**.
 

defender-for-cloud-apps/protect-salesforce.md

@@ -2,9 +2,9 @@
 title: Compare Microsoft Defender Vulnerability Management plans and capabilities
 description: Compare Defender Vulnerability Management Offerings. Learn about the differences between the plans and select the plan that suits your organization's needs.
 search.appverid: MET150  
-author: denisebmsft
-ms.author: deniseb
-manager: deniseb 
+author: limwainstein
+ms.author: lwainstein
+manager: bagol 
 audience: ITPro
 ms.topic: overview
 ms.service: defender-vuln-mgmt
@@ -14,6 +14,11 @@ ms.collection:
 - m365-security
 - Tier1
 ms.date: 02/28/2025
+appliesto:
+  - Microsoft Defender Vulnerability Management
+  - Microsoft Defender for Endpoint Plan 2
+  - Microsoft Defender XDR
+  - Microsoft Defender for Servers Plan 1 & 2
 ---
 
 # Compare Microsoft Defender Vulnerability Management plans and capabilities
@@ -50,22 +55,22 @@ The following table summarizes the availability of Defender Vulnerability Manage
 
 |Capability| Defender for Endpoint Plan 2 includes the following core Defender Vulnerability Management capabilities| Defender Vulnerability Management Add-on provides the following premium Vulnerability Management capabilities for Defender for Endpoint Plan 2 | Defender Vulnerability Management Standalone provides full Defender Vulnerability Management capabilities for any EDR solution |
 |:----|:----:|:----:|:----:|
-|[Device discovery](/defender-endpoint/device-discovery)|✔|-|✔|
-|[Device inventory](/defender-endpoint/machines-view-overview)|✔|-|✔|
-|[Vulnerability assessment](tvm-weaknesses.md)|✔|-|✔|
-|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|✔|-|✔|
-|[Risk based prioritization](tvm-security-recommendation.md)|✔|-|✔|
-|[Remediation tracking](tvm-remediation.md)|✔|-|✔|
-|[Continuous monitoring](/defender-endpoint/configure-vulnerability-email-notifications)|✔|-|✔|
-|[Software inventory](tvm-software-inventory.md)|✔|-|✔|
-|[Software usages insights](tvm-usage-insights.md)|✔|-|✔|
-|[Security baselines assessment](tvm-security-baselines.md)|-|✔|✔|
-|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|✔|✔ **see note**|
-|[Browser extensions assessment](tvm-browser-extensions.md)|-|✔|✔|
-|[Digital certificate assessment](tvm-certificate-inventory.md)|-|✔|✔|
-|[Network share analysis](tvm-network-share-assessment.md)|-|✔|✔|
-|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|✔|✔|
-|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|✔|✔|
+|[Device discovery](/defender-endpoint/device-discovery)|Supported|-|Supported|
+|[Device inventory](/defender-endpoint/machines-view-overview)|Supported|-|Supported|
+|[Vulnerability assessment](tvm-weaknesses.md)|Supported|-|Supported|
+|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|Supported|-|Supported|
+|[Risk based prioritization](tvm-security-recommendation.md)|Supported|-|Supported|
+|[Remediation tracking](tvm-remediation.md)|Supported|-|Supported|
+|[Continuous monitoring](/defender-endpoint/configure-vulnerability-email-notifications)|Supported|-|Supported|
+|[Software inventory](tvm-software-inventory.md)|Supported|-|Supported|
+|[Software usages insights](tvm-usage-insights.md)|Supported|-|Supported|
+|[Security baselines assessment](tvm-security-baselines.md)|-|Supported|Supported|
+|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|Supported|Supported **see note**|
+|[Browser extensions assessment](tvm-browser-extensions.md)|-|Supported|Supported|
+|[Digital certificate assessment](tvm-certificate-inventory.md)|-|Supported|Supported|
+|[Network share analysis](tvm-network-share-assessment.md)|-|Supported|Supported|
+|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|Supported|Supported|
+|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|Supported|Supported|
 
 > [!NOTE]
 > If you're using the standalone version of Defender Vulnerability Management, to use the "block vulnerable applications" feature, Microsoft Defender Antivirus must be configured in active mode. For more information, see [Microsoft Defender Antivirus Windows](/defender-endpoint/microsoft-defender-antivirus-windows#comparing-active-mode-passive-mode-and-disabled-mode).
@@ -87,20 +92,20 @@ The following table lists the availability of Defender Vulnerability Management
 
 |Capability|Defender For Servers Plan 1|Defender For Servers Plan 2|
 |:----|:----:|:----:|
-|[Vulnerability assessment](tvm-weaknesses.md)|✔|✔|
-|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|✔|✔|
-|[Risk based prioritization](tvm-security-recommendation.md)|✔|✔|
-|[Remediation tracking](tvm-remediation.md)|✔|✔|
-|[Continuous monitoring](/defender-endpoint/configure-vulnerability-email-notifications)|✔|✔|
-|[Software inventory](tvm-software-inventory.md)|✔|✔|
-|[Software usages insights](tvm-usage-insights.md)|✔|✔|
-|[Security baselines assessment](tvm-security-baselines.md)|-|✔|
-|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|✔|
-|[Browser extensions assessment](tvm-browser-extensions.md)|-|✔|
-|[Digital certificate assessment](tvm-certificate-inventory.md)|-|✔|
-|[Network share analysis](tvm-network-share-assessment.md)|-|✔|
-|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|✔|
-|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|✔**see note**|
+|[Vulnerability assessment](tvm-weaknesses.md)|Supported|Supported|
+|[Configuration assessment](tvm-microsoft-secure-score-devices.md)|Supported|Supported|
+|[Risk based prioritization](tvm-security-recommendation.md)|Supported|Supported|
+|[Remediation tracking](tvm-remediation.md)|Supported|Supported|
+|[Continuous monitoring](/defender-endpoint/configure-vulnerability-email-notifications)|Supported|Supported|
+|[Software inventory](tvm-software-inventory.md)|Supported|Supported|
+|[Software usages insights](tvm-usage-insights.md)|Supported|Supported|
+|[Security baselines assessment](tvm-security-baselines.md)|-|Supported|
+|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|Supported|
+|[Browser extensions assessment](tvm-browser-extensions.md)|-|Supported|
+|[Digital certificate assessment](tvm-certificate-inventory.md)|-|Supported|
+|[Network share analysis](tvm-network-share-assessment.md)|-|Supported|
+|[Hardware and firmware assessment](tvm-hardware-and-firmware.md)|-|Supported|
+|[Authenticated scan for Windows](windows-authenticated-scan.md)|-|Supported**see note**|
 
 > [!NOTE]
 > The Windows authenticated scan feature will be deprecated by the end of November 2025 and won't be supported beyond that date. For more information about this change, see the [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs).

defender-office-365/outbound-spam-policies-configure.md

@@ -4,17 +4,22 @@ description: Find answers to frequently asked questions (FAQs) about Microsoft D
 ms.service: defender-vuln-mgmt
 f1.keywords:
 - NOCSH
-ms.author: deniseb
-author: denisebmsft
+ms.author: lwainstein
+author: limwainstein
 ms.localizationpriority: medium
-manager: deniseb
+manager: bagol
 audience: ITPro
 ms.collection: 
 - m365-security
 - Tier1
 ms.topic: faq
 search.appverid: met150
 ms.date: 05/02/2025
+appliesto:
+  - Microsoft Defender Vulnerability Management
+  - Microsoft Defender for Endpoint Plan 2
+  - Microsoft Defender XDR
+  - Microsoft Defender for Servers Plan 1 & 2
 ---
 
 # Microsoft Defender Vulnerability Management frequently asked questions