
Commit a99314e

Merge branch 'main' into poliveria-mdc-07302025
2 parents 940a948 + cdc0a24 commit a99314e


44 files changed

+450
-113
lines changed

ATPDocs/advanced-settings.md

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Adjust alert thresholds | Microsoft Defender for Identity
33
description: Learn how to configure the number of Microsoft Defender for Identity alerts triggered of specific alert types by adjusting alert thresholds.
4-
ms.date: 02/11/2024
4+
ms.date: 08/03/2025
55
ms.topic: how-to
66
#CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
77
ms.reviewer: rlitinsky
@@ -15,7 +15,7 @@ Some Defender for Identity alerts rely on *learning periods* to build a profile
1515

1616
Use the **Adjust alert thresholds** page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.
1717

18-
Alerts are always triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
18+
Alerts are triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
1919

2020
> [!NOTE]
2121
> The **Adjust alert thresholds** page was previously named **Advanced settings**. For details about this transition and how any previous settings were retained, see our [What's New announcement](whats-new.md#enhanced-user-experience-for-adjusting-alert-thresholds-preview).
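Review bot: dropping "always" from "Alerts are always triggered immediately" (new line 18) makes the statement less definite without saying what changed. If there are now cases where Recommended test mode or a Medium/Low threshold does not fire an alert immediately, name them in the sentence; otherwise keep "always" so readers aren't left guessing.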
@@ -46,24 +46,27 @@ For example, if you have NAT or VPN, we recommend that you consider any changes
4646
When you select **Medium** or **Low**, details are bolded in the **Information** column to help you understand how the change affects the alert behavior.
4747

4848
1. Select **Apply changes** to save changes.
49+
1. Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
4950

50-
Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
51-
52-
## Switch to test mode
51+
## Switch to Recommended test mode
5352

5453
The **Recommended test mode** option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities so that you can thoroughly evaluate Defender for Identity as efficiently as possible.
5554

5655
If you recently deployed Defender for Identity and want to test it, select the **Recommended test mode** option to switch all alert thresholds to **Low** and increase the number of alerts triggered.
5756

58-
Threshold levels are read-only when the **Recommended test mode** option is selected. When you're finished testing, toggle the **Recommended test mode** option back off to return to your previous settings.
57+
Threshold levels are read-only when the **Recommended test mode** option is selected.
58+
59+
> [!NOTE]
60+
> Test mode is time-limited to a maximum of 60 days.
61+
> When turning on Recommended test mode, you must specify an end time. The selected end time is displayed next to the toggle for as long as test mode is enabled.
5962
60-
Select **Apply changes** to save changes.
63+
When you're finished testing, toggle the Recommended test mode option back off to return to your previous settings. Select **Apply changes** to save changes.
6164

6265
## Supported detections for threshold configurations
6366

6467
The following table describes the types of detections that support adjustments for threshold levels, including the effects of **Medium** and **Low** thresholds.
6568

66-
Cells marked with N/A indicate that the threshold level is not supported for the detection
69+
Cells marked with N/A indicate that the threshold level isn't supported for the detection.
6770

6871
| Detection | Medium | Low |
6972
| --- | --- | --- |
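Review bot: the new numbered item "1. Select **Revert to default** and then **Apply changes** to reset all alerts…" (new line 49) now reads as step 2 after "Select **Apply changes** to save changes", but it is an alternative action, not the next step of the same procedure; keep it as a separate paragraph (as before) or give it its own lead-in such as "To reset all alerts to the default threshold (**High**), select…". Two smaller points in the same hunk: renaming the heading "## Switch to test mode" to "## Switch to Recommended test mode" changes the section anchor, so any inbound links to `#switch-to-test-mode` need updating; and the new note says test mode is limited to 60 days and requires an end time but not what happens when that time is reached (is the toggle turned off and are the previous threshold levels restored?), which is the question a reader will have. In "toggle the Recommended test mode option back off" (new line 63) the option name also lost the bold used everywhere else on the page.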

ATPDocs/whats-new.md

Lines changed: 8 additions & 0 deletions
@@ -36,6 +36,14 @@ Improved detection logic to include scenarios where accounts were locked during
3636

3737
## July 2025
3838

39+
**Expanded coverage in ITDR deployment health widget**
40+
41+
The ITDR deployment health widget now provides visibility into the deployment status of additional server types. Previously, it only reflected the status for Active Directory domain controllers. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure.
42+
43+
**Time limit added to Recommended test mode**
44+
45+
Recommended test mode configuration on the [Adjust alert thresholds page](/defender-for-identity/advanced-settings), now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied.
46+
3947
### Identity scoping is now available in Governance environments
4048

4149
Scoping is now supported in government (GOV) environments. Organizations can now define and refine the scope of MDI monitoring and gain granular control over which entities and resources are included in security analysis.
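Review bot: the two new July 2025 entries use bold paragraph labels (**Expanded coverage in ITDR deployment health widget**, **Time limit added to Recommended test mode**) while the existing entry in the same section is an H3 ("### Identity scoping is now available in Governance environments"); use the same heading level so the entries get anchors and appear in the page TOC like their neighbour. Also: stray comma in "on the [Adjust alert thresholds page](…), now requires" (new line 45), and "ADFS, ADCS, and Entra Connect servers - making it easier" (new line 41) uses a spaced hyphen where a new sentence would read better. Since the entry announces an automatic 60-day expiration for tenants that already had test mode on, state what happens at expiry (thresholds revert to the previous settings?) so admins know whether to expect an alert-volume drop.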

defender-endpoint/gov.md

Lines changed: 1 addition & 0 deletions
@@ -160,6 +160,7 @@ These are the known gaps:
160160
|Microsoft Defender for Endpoint Security Configuration Management|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|
161161
|Microsoft Defender for IoT enterprise IoT security|:::image type="icon" source="media/svg/check-no.svg" border="false":::|:::image type="icon" source="media/svg/check-no.svg" border="false":::|:::image type="icon" source="media/svg/check-no.svg" border="false":::|
162162

163+
163164
> [!NOTE]
164165
> While Microsoft Secure Score is available for GCC, GCC High and DoD customers, there are some security recommendations that aren't available.
165166

defender-endpoint/mac-install-with-intune.md

Lines changed: 1 addition & 0 deletions
@@ -488,6 +488,7 @@ To download the onboarding package from the Microsoft Defender portal:
488488

489489
1. Select **Download onboarding package**. Save it as _GatewayWindowsDefenderATPOnboardingPackage.zip_ to the same directory.
490490

491+
491492
1. Extract the contents of the .zip file:
492493

493494
```bash

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

Lines changed: 4 additions & 0 deletions
@@ -46,6 +46,10 @@ For more information on what's new with other Microsoft Defender security produc
4646
- [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
4747
- [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
4848

49+
## July 2025
50+
51+
- (GA) [Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) is now generally available on Windows Server 2019 or later. Helps with the stability and performance of Microsoft Defender Antivirus.
52+
4953
## April 2025
5054

5155
- (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.
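Review bot: "Helps with the stability and performance of Microsoft Defender Antivirus." (new line 51) is a sentence fragment; suggest "It improves the stability and performance of Microsoft Defender Antivirus." or fold it into the first sentence ("…is now generally available on Windows Server 2019 or later, improving the stability and performance of Microsoft Defender Antivirus."). The other entries in this list give the feature name in bold after the tag, e.g. "- (Preview) **Contain IP addresses of undiscovered devices**:", so the new one should follow that pattern.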

defender-for-cloud/TOC.yml

Lines changed: 0 additions & 2 deletions
@@ -1,2 +0,0 @@
1-
- name: Index
2-
href: index.md
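Review bot: removing the only `- name: Index` / `href: index.md` entry leaves defender-for-cloud/TOC.yml as an empty file, while the commit deletes index.md itself. An empty TOC can fail the docs build or render an empty navigation node; either delete TOC.yml in the same commit or confirm the build tolerates an empty TOC for this folder.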

defender-for-cloud/index.md

Lines changed: 0 additions & 16 deletions
This file was deleted.

defender-office-365/anti-malware-protection-for-spo-odfb-teams-about.md

Lines changed: 1 addition & 1 deletion
@@ -53,7 +53,7 @@ By default, users can download infected files from SharePoint or OneDrive. Here'
5353
1. In a web browser, a user tries to download a file from SharePoint or OneDrive that happens to be infected.
5454
2. The user is shown a warning that a virus was detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.
5555

56-
To change this behavior so users can't download infected files from SharePoint or OneDrive, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/blocked files for users.
56+
To change this behavior so users can't download infected files from SharePoint or OneDrive, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/blocked files for users.
5757

5858
For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
5959

defender-office-365/attack-simulation-training-teams.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ appliesto:
2020
# Microsoft Teams in Attack simulation training
2121

2222
> [!IMPORTANT]
23-
> Microsoft Teams' Attack simulation training is currently in Private Preview. The information in this article is subject to change.
23+
> Microsoft Teams' Attack simulation training is currently in Private Preview and the intake for this preview is now closed. The information in this article is subject to change.
2424
2525
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md).
2626

defender-office-365/configure-junk-email-settings-on-exo-mailboxes.md

Lines changed: 5 additions & 3 deletions
@@ -16,7 +16,7 @@ ms.collection:
1616
- tier2
1717
description: Admins can learn how to configure the junk email settings in Exchange Online mailboxes. Many of these settings are available to users in Outlook or Outlook on the web.
1818
ms.service: defender-office-365
19-
ms.date: 07/03/2025
19+
ms.date: 07/31/2025
2020
appliesto:
2121
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
2222
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -33,9 +33,11 @@ But, there are also specific anti-spam settings that admins can configure on ind
3333

3434
- **Deliver messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is delivered to the Junk Email folder of the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines that a delivered message is spam or phishing, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).
3535

36-
- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is moved to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailboxes in Outlook or Outlook on the web (formerly known as Outlook Web App). Admins can configure the safelist collection on any user's mailbox.
36+
- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is delivered to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailboxes in Outlook or Outlook on the web (formerly known as Outlook Web App or OWA). Admins can configure the safelist collection on any user's mailbox.
3737

38-
Microsoft 365 is able to deliver messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** and the Blocked Senders list in the mailbox, and prevent messages from being delivered to the Junk Email folder based on the Safe Senders list on the mailbox.
38+
Microsoft 365 adds the header `X-Forefront-Antispam-Report: SFV:BLK` to incoming messages from senders in a user's Blocked Senders list, and any future messages from that sender are classified as spam. The message is delivered to the user's Junk Email folder or to quarantine based on the action configured in the applicable anti-spam policy (our [recommended action](recommended-settings-for-eop-and-office365.md#anti-spam-policy-settings) is **Move message to Junk Email folder**).
39+
40+
If the sender is a user's Safe Senders list, the message is delivered to their Inbox.
3941

4042
Admins can use Exchange Online PowerShell to configure entries in the safelist collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list).
4143
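Review bot: "If the sender is a user's Safe Senders list, the message is delivered to their Inbox." (new line 40) is missing a word: "If the sender is in a user's Safe Senders list". On the Blocked Senders paragraph (new line 38), "adds the header `X-Forefront-Antispam-Report: SFV:BLK` to incoming messages from senders in a user's Blocked Senders list, and any future messages from that sender are classified as spam" mixes two ideas; the header is stamped on each message from a blocked sender and that message gets the spam verdict, so "each message from a sender in the user's Blocked Senders list is stamped with … and classified as spam" is clearer. The Safe Senders sentence is also stated unconditionally; the removed text only said Safe Senders prevented delivery to the Junk Email folder, so if other verdicts (for example malware or phishing verdicts from the same anti-spam policy) still apply regardless of the Safe Senders list, say so here rather than implying the list overrides all filtering.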
