MicrosoftDocs
diff --git a/‎defender-endpoint/android-whatsnew.md‎
Lines changed: 14 additions & 3 deletions b/‎defender-endpoint/android-whatsnew.md‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎defender-endpoint/enable-attack-surface-reduction.md‎
Lines changed: 6 additions & 0 deletions b/‎defender-endpoint/enable-attack-surface-reduction.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎defender-for-cloud-apps/ai-agent-inventory.md‎
Lines changed: 8 additions & 23 deletions b/‎defender-for-cloud-apps/ai-agent-inventory.md‎
Lines changed: 8 additions & 23 deletions
diff --git a/‎defender-for-cloud-apps/policy-template-reference.md‎
Lines changed: 3 additions & 7 deletions b/‎defender-for-cloud-apps/policy-template-reference.md‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎defender-for-cloud-apps/real-time-agent-protection-during-runtime.md‎
Lines changed: 10 additions & 15 deletions b/‎defender-for-cloud-apps/real-time-agent-protection-during-runtime.md‎
Lines changed: 10 additions & 15 deletions
diff --git a/‎defender-for-cloud-apps/troubleshooting-cloud-discovery.md‎
Lines changed: 3 additions & 1 deletion b/‎defender-for-cloud-apps/troubleshooting-cloud-discovery.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎defender-for-identity/deploy/configure-windows-event-collection.md‎
Lines changed: 31 additions & 6 deletions b/‎defender-for-identity/deploy/configure-windows-event-collection.md‎
Lines changed: 31 additions & 6 deletions
diff --git a/‎defender-for-identity/deploy/prerequisites-sensor-version-2.md‎
Lines changed: 3 additions & 16 deletions b/‎defender-for-identity/deploy/prerequisites-sensor-version-2.md‎
Lines changed: 3 additions & 16 deletions
@@ -15,29 +15,40 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 11/06/2025
+ms.date: 11/17/2025
 appliesto:
   - Microsoft Defender for Endpoint
 
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
 
-
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
 ### Releases for Defender for Endpoint on Android
 
 #### November 2025
 
+| Build| 1.0.8315.0101|
+| -------- | -------- |
+| Release Date 	| November 17, 2025 |
+
+**What's New**
+
+- Performance improvement and accessibility bug fixes
+
+#### November 2025
+
 | Build| 1.0.8303.0101|
 | -------- | -------- |
 | Release Date |November 4, 2025|
 
 **What's New**
 
 - An improved user feedback experience: See [Key changes - November 2025](./android-new-ux.md#key-changes---november-2025) for details.
-  
+
+- Added landscape mode UI support for the Defender app.
+
 - Additional telemetry features to improve app performance monitoring and detect specific scenarios, such as entering landscape mode or invalid authentication attempts.
 
 #### October 2025
 
@@ -168,6 +168,12 @@ The following procedures for enabling attack surface reduction rules include ins
 
 1. Select **Next** on the three configuration panes, then select **Create** if you're creating a new policy or **Save** if you're editing an existing policy.
 
+> [!NOTE]
+> In the latest Intune interface, **Configuration profiles** is located under  **Devices > Configuration profiles**.  
+> Earlier versions of Intune showed this under **Device configuration > Profiles**.  
+> If you don't see "Configuration Profile" as written in older instructions, look for **Configuration profiles** under the Devices menu.
+
+
 #### Device Configuration Profiles (Alternative 1)
 
 1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
@@ -43,34 +43,19 @@ When Copilot Studio AI Agents are connected, a green indicator appears in the **
 
 ## Identify misconfigured or risky AI agents using advanced hunting
 
-After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats.
+After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats. 
+
+See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
+
 We recommend that you reach out to the owners of the risky agents for more information, and that you consider quarantining or deleting risky agents.
 
 1. Sign in to the Defender portal, and go **Investigation & response** -> **Hunting** -> **Advanced hunting**.
 1. In the **Apps & identities** section, the [AIAgentsInfo table](/defender-xdr/advanced-hunting-aiagentsinfo-table) contains data for all your custom AI agents created using Copilot Studio. You can use this data to create custom queries.
+1. You can use the collection of community queries to identify misconfigured or risky agents.
+    1. **Sign in to the [Microsoft Defender portal](https://security.microsoft.com)**.
+    1. Go to **Investigation & response** -> **Hunting** -> **Advanced hunting**.
+    1. In the **Queries** tab, select **Community queries**. The **AI Agents** folder contains queries related to AI agents. For more information, see [Sample queries](/defender-xdr/advanced-hunting-aiagentsinfo-table).
 
-### Sample queries
-
-Run this query to get a list of all the agents in your tenant:
-
-```kusto
-    AIAgentsInfo 
-    | summarize arg_max(Timestamp, *) by AIAgentId
-```
-
-Run this query to identify all published agents that are configured with an incorrect authentication mechanism: 
-
-```kusto
-    AIAgentsInfo
-    | summarize arg_max(Timestamp, *) by AIAgentId 
-    | where AgentStatus != "Deleted"  
-    | where AgentStatus == "Published" 
-    | where UserAuthenticationType == "None" or AuthenticationTrigger == "As Needed"  
-    | project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
-```
-
- 
-See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
 
  ## Related articles
 
 
@@ -1,9 +1,10 @@
 ---
 title: Microsoft Defender for Cloud Apps policy templates
 description: This article provides information on policy templates included in Microsoft Defender for Cloud Apps.
-ms.date: 01/29/2023
+ms.date: 11/16/2025
 ms.topic: how-to
-ms.reviewer: Ronen-Refaeli
+ms.reviewer: MayaAbelson
+
 ---
 
 # Defender for Cloud Apps policy templates
@@ -13,7 +14,6 @@ We recommend that you simplify policy creation by starting with existing templat
 For the full list of templates, check the Microsoft Defender Portal.
 
 
-
 ## Policy template highlights
 
 |Risk category|Template name|Description|
@@ -33,10 +33,6 @@ For the full list of templates, check the Microsoft Defender Portal.
 |Cloud discovery|New risky app|Alert when new apps are discovered with risk score lower than 6 and that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New sales app|Alert when new sales apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New vendor management system apps|Alert when new vendor management system apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
-|DLP|Externally shared source code|Alert when a file containing source code is shared outside your organization.|
-|DLP|File containing PCI detected in the cloud (built-in DLP engine)|Alert when a file with payment card information (PCI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing PHI detected in the cloud (built-in DLP engine)|Alert when a file with protected health information (PHI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing private information detected in the cloud (built-in DLP engine)|Alert when a file with personal data is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
 |Threat detection|Administrative activity from a non-corporate IP address|Alert when an admin user performs an administrative activity from an IP address that isn't included in the corporate IP address range category. First configure your corporate IP addresses by going to the Settings page, and setting **IP address ranges**.|
 |Threat detection|Log on from a risky IP address|Alert when a user signs into your sanctioned apps from a risky IP address. By default, the Risky IP address category contains addresses that have IP address tags of Anonymous proxy, TOR, or Botnet. You can add more IP addresses to this category in the IP address ranges settings page.|
 |Threat detection|Mass download by a single user|Alert when a single user performs more than 50 downloads within 1 minute.|
 
@@ -22,26 +22,21 @@ If Microsoft Defender determines that a prompt is suspicious:
 ## Enable real-time protection for Microsoft Copilot Studio agents during runtime
 
 > [!NOTE]
-> - The onboarding process for real-time protection during agent runtime requires configuration in Power Platform and collaboration with other administrators.
-> - If the Microsoft 365 connector isn’t properly connected, real-time agent protection during runtime continues to block suspicious activity on the AI agent, but alerts and incidents related to these actions won't appear in the Microsoft Defender portal.
+> The onboarding process for real-time protection during agent runtime requires configuration in Power Platform and collaboration with other administrators.
 
 1. Sign in to the **[Microsoft Defender portal](https://security.microsoft.com)**:
 1. Navigate to **System > Settings > Cloud Apps > Copilot Studio AI Agents**.
-1. Check the Microsoft 365 App Connector status:
-   - **If the connector is already connected:** Continue to step 5.
-   - **If the connector isn’t connected:**
-      - Under **Microsoft 365 connector**, select **Connect** or **Edit**.
-      - Select **Microsoft Entra ID Management events** and **Microsoft 365 activities**. 
-      - Select **Connect Microsoft 365**.
-1. Work together with a Power Platform administrator to and Enter the App ID provided by your Power Platform administrator and select **Save**.
-      
-    :::image type="content" source="media/protect-ai-agents/turn-on-real-time-agent-protection.png" alt-text="Screenshot that shows how to turn on Real time agent protection during runtime in the Defender portal." lightbox="media/protect-ai-agents/turn-on-real-time-agent-protection.png":::
-
+1. Check the Microsoft 365 App Connector status. If the Microsoft 365 connector is not connected, [Enable the Microsoft 365 app connector](protect-office-365.md#connect-microsoft-365-to-microsoft-defender-for-cloud-apps).
+    > [!NOTE]
+    > If the Microsoft 365 connector isn’t connected, real-time agent protection during runtime continues to block suspicious activity on the AI agent, but alerts and incidents related to these actions won't appear in the Microsoft Defender portal. 
 1. Work together with a Power Platform administrator to complete these onboarding steps: [Enable external threat detection and protection for Copilot Studio custom agents](/microsoft-copilot-studio/external-security-provider#step-2-configure-the-threat-detection-system).
-    - The Power Platform administrator must use the same App ID as the App ID used in [Microsoft Entra ID application](/microsoft-copilot-studio/external-security-provider#step-1-configure-microsoft-entra-application).
-    - Share the URL provided in the Defender portal with the Power Platform administrator to help them complete the onboarding steps.
+    - Share the URL provided in the Defender portal with the Power Platform administrator to help them complete their onboarding steps.
+    - Make sure that the Power Platform administrator uses the same App ID as the App ID used in [Microsoft Entra ID application](/microsoft-copilot-studio/external-security-provider#step-1-configure-microsoft-entra-application).
+    - Get the AppID from the Power Platform administrator, and enter it in the **App ID** field in the Defender portal, then select **Save**.
+
+        :::image type="content" source="media/protect-ai-agents/turn-on-real-time-agent-protection.png" alt-text="Screenshot that shows how to turn on Real time agent protection during runtime in the Defender portal." lightbox="media/protect-ai-agents/turn-on-real-time-agent-protection.png":::
 
-    Once the Power Platform administrator completes the onboarding steps, a green **Connected** status appears in the **Microsoft 365 connector** section.
+    Once the Power Platform administrator completes the onboarding steps, a green **Connected** status appears in the **Microsoft 365 connector** section in the Defender portal.
 
 ## Related articles
 
 
@@ -12,7 +12,7 @@ This article provides a list of cloud discovery errors and resolution recommenda
 
 Even after Discovery is set up, customers might continue hardening the Operating System in order to meet compliance standards. However, this action might cause interference with the containerization service itself.
 
-## Microsoft Defender for Endpoint integration
+## Microsoft Defender for Endpoint integration errors
 
 If you integrated Microsoft Defender for Endpoint with Defender for Cloud Apps, and you don't see the results of the integration.
 
@@ -37,6 +37,8 @@ You can track the processing of cloud discovery logs using the governance log. T
 
 ## Log collector errors
 
+The [Log collector Diagnostic script](https://github.com/microsoft/Microsoft-Defender-for-Cloud-Apps/tree/main/Sample%20scripts/Log-Collector-Diag-Script) automates the collection and compression of logs and diagnostic data for troubleshooting Log Collector containers on Linux (Docker/Podman) to improve workflow efficiency. If you need to contact support, run the script and share the generated log bundle for faster case resolution.
+
 |Issue|Resolution|
 |----|----|
 |Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you're using isn't set to SFTP (Secure File Transfer Protocol).  |
 
@@ -1,31 +1,50 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 06/04/2025
+ms.date: 11/05/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
 # Configure audit policies for Windows event logs
 
-To enhance detections and gather more information on user actions like NTLM logons and security group changes, Microsoft Defender for Identity relies on specific entries in Windows event logs. Proper configuration of Advanced Audit Policy settings on your domain controllers is crucial to avoid gaps in the event logs and incomplete Defender for Identity coverage.
+Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications. 
+This article describes how to optimally configure the Advanced Audit Policy settings on your domain controllers to avoid gaps in the event logs and incomplete Defender for Identity coverage.
 
-This article describes how to configure your Advanced Audit Policy settings as needed for a Defender for Identity sensor. It also describes other configurations for specific event types.
+## Configure Windows event auditing with the Defender for Identity sensor v3.x
 
+Defender for Identity sensor v3.x can automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones.
+
+To turn on automatic windows auditing:
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings**, and then **Identities**. 
+1. In the **General** section, select **Advanced features**.
+1. Turn on **Automatic Windows auditing configuration**.
+ 
+If you do not select automatic Windows event auditing, you must manually configure Windows event collection on your domain controller.
+
+## Configure Windows event auditing with the Defender for Identity sensor v2.x
+
+Configure Windows event auditing on your domain controllers to support Defender for Identity detections. 
 Defender for Identity generates health issues for each of these scenarios if they're detected. For more information, see [Microsoft Defender for Identity health issues](../health-alerts.md).
 
 ## Prerequisites
 
-- Before you run Defender for Identity PowerShell commands, make sure that you downloaded the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/).
+- Before you run Defender for Identity PowerShell commands, make sure that you download the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/).
+> [!NOTE]
+> The Active Directory PowerShell module is required when configuring Defender for Identity on domain controllers. It isn’t required on ADCS servers running the Certification Authority Role Service.
 
 ## Generate a report of current configurations via PowerShell
 
 Before you start creating new event and audit policies, we recommend that you run the following PowerShell command to generate a report of your current domain configurations:
 
 ```powershell
-New-MDIConfigurationReport [-Path] <String> [-Mode] <String> [-OpenHtmlReport]
+New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -Identity "DOMAIN\ServiceAccountName" -OpenHtmlReport
 ```
 
+> [!NOTE]
+> When using `-Mode Domain`, include the `-Identity` parameter to avoid an interactive prompt.
+> For more information, see: [New-MDIConfigurationReport](/powershell/module/defenderforidentity/new-mdiconfigurationreport?view=defenderforidentity-latest&preserve-view=true).
+
 In the preceding command:
 
 - `Path` specifies the path to save the reports to.
@@ -43,7 +62,7 @@ For more information, see the [DefenderforIdentity PowerShell reference](/powers
 > [!TIP]
 > The `Domain` mode report includes only configurations set as group policies on the domain. If you have settings defined locally on your domain controllers, we recommend that you also run the [Test-MdiReadiness.ps1](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script.
 
-## Configure auditing for domain controllers
+## Configure Windows event auditing for domain controllers
 
 Update your Advanced Audit Policy settings and extra configurations for specific events and event types, such as users, groups, computers, and more. Audit configurations for domain controllers include:
 
@@ -116,6 +135,12 @@ The following actions describe how to modify your domain controller's Advanced A
 
 **Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
+The following command defines all settings for the domain, creates group policy objects, and links them.
+
+```powershell
+Set-MDIConfiguration -Mode Domain -Configuration All
+```
+
 To configure your settings, run:
 
 ```powershell
 
@@ -106,24 +106,11 @@ The following table describes memory requirements on the server used for the Def
 > [!IMPORTANT]
 > When running as a virtual machine, all memory must be allocated to the virtual machine at all times.
 
-## Configure Windows auditing
+## Configure Windows event auditing
 
-Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
+Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
 
-Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see [Event collection with Microsoft Defender for Identity](event-collection-overview.md) and [Configure audit policies for Windows event logs](configure-windows-event-collection.md).
-
-You might want to use the Defender for Identity PowerShell module to configure the required settings. For example, the following command defines all settings for the domain, creates group policy objects, and links them.
-
-```powershell
-Set-MDIConfiguration -Mode Domain -Configuration All
-```
-> [!NOTE]
-> The Active Directory PowerShell module is required only when configuring Defender for Identity on domain controllers. It isn’t required on ADCS servers running the Certification Authority Role Service.
-
-For more information, see:
-- [DefenderForIdentity Module](/powershell/module/defenderforidentity/)
-- [Defender for Identity in the PowerShell Gallery](https://www.powershellgallery.com/packages/DefenderForIdentity/)
- 
+[Configure Windows event auditing](configure-windows-event-collection.md) on your domain controller to support Defender for Identity detections in the Defender portal or using PowerShell.
 
 ## Test your prerequisites