Merge branches 'diannegali-mdirbacupdate' and 'diannegali-mdirbacupdate' of https://github.com/MicrosoftDocs/defender-docs-pr into diannegali-mdirbacupdate

Author: diannegali

ATPDocs/deploy/activate-capabilities.md

@@ -12,7 +12,7 @@ Microsoft Defender for Endpoint customers, who have already onboarded their doma
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor.
 
 ## Prerequisites
 
@@ -29,10 +29,8 @@ Make sure that the domain controller where you're planning to activate Defender
 
 Direct Defender for Identity capabilities are supported on domain controllers only, using the one of the following operating systems:
 
-- Windows Server 2019
-- Windows Server 2022
-
-You must also have the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) installed.
+- Windows Server 2019 or above
+- [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later
 
 > [!IMPORTANT]
 >After installing the March 2024 Cumulative Update, LSASS might experience a memory leak on domain controllers when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.

ATPDocs/deploy/configure-windows-event-collection.md

@@ -328,7 +328,7 @@ To configure auditing on Microsoft Entra Connect servers:
 <a name="enable-auditing-on-an-exchange-object"></a>
 
 >[!NOTE]
-> The configuration container audit is requried only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
+> The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
 
 **Related health issue:** [Auditing on the Configuration container is not enabled as required](../health-alerts.md#auditing-on-the-configuration-container-is-not-enabled-as-required)
 
@@ -340,6 +340,8 @@ To configure auditing on Microsoft Entra Connect servers:
 
 1. Expand the **Configuration** container to show the **Configuration** node, which begins with **"CN=Configuration,DC=..."**.
 
+    :::image type="content" source="../media/cn-configuration.png" alt-text="Screenshot of selections for opening properties for the CN Configuration node.":::
+
 1. Right-click the **Configuration** node and select **Properties**.
 
     ![Screenshot of selections for opening properties for the Configuration node.](../media/configuration-properties.png)

ATPDocs/deploy/event-collection-overview.md

@@ -50,7 +50,7 @@ The following event is required for Microsoft Entra Connect servers:
 
 - 4624: An account was successfully logged on
 
-For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-for-entra-connect).
+For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-on-microsoft-entra-connect).
 
 ### Other required Windows events
 

ATPDocs/deploy/remote-calls-sam.md

@@ -34,12 +34,16 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
 
 **To configure required permissions**:
 
-1. Locate the policy. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
+1. Create a new group policy or use an existing one. 
+1. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
 
     :::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
 
 1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
 
+   :::image type="content" source="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png" alt-text="Screenshot of the Network access policy settings." lightbox="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png":::
+
+
    For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
 
 ## Make sure the DSA is allowed to access computers from the network (optional)
@@ -60,6 +64,8 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
     >
     > The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
 
+     :::image type="content" source="../media/define-security-policy-setting.png" alt-text="Screenshot of Security Policy Settings." lightbox="../media/define-security-policy-setting.png":::
+
 ## Configure a Device profile for Microsoft Entra hybrid joined devices only
 
 This procedure describes how to use the [Microsoft Intune admin center](https://intune.microsoft.com/) to configure the policies in a Device profile if you're working with Microsoft Entra hybrid joined devices.

ATPDocs/media/cn-configuration.png

@@ -24,6 +24,19 @@ For updates about versions and features released six months ago or earlier, see
 
 ## February 2025
 
+### DefenderForIdentity PowerShell module updates (version 1.0.0.3)
+
+New Features and Improvements:
+- Support for getting, testing, and setting the Active Directory Recycle Bin in Get/Set/Test MDIConfiguration.
+- Support for getting, testing, and setting the proxy configuration on new MDI sensor.
+- The Active Directory Certificate Services registry value for audit filtering now properly sets the type.
+- New-MDIConfigurationReport now shows the name of the tested GPO and supports Server and Identity arguments.
+
+Bug Fixes:
+- Improved reliability for DeletedObjects container permissions on non-English operating systems.
+- Fixed extraneous output for KDS root key creation.
+- Other reliability fixes.
+
 ### New attack paths tab on the Identity profile page
 
 This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview) 

ATPDocs/media/define-security-policy-setting.png

@@ -99,7 +99,7 @@ Use a custom app policy when you need to do something not already done by one of
    > [!NOTE]
    > Some policy conditions are only applicable to apps that access Graph API permissions. When evaluating apps that access only non-Graph APIs, app governance skips these policy conditions and proceed to check only other policy conditions.
 
-5. Here are the available conditions for a custom app policy:
+1. Here are the available conditions for a custom app policy:
 
    |Condition|Condition values accepted|Description|More information|
    |---|---|---|---|
@@ -123,9 +123,9 @@ Use a custom app policy when you need to do something not already done by one of
    |**Sensitivity labels accessed**|Select one or more sensitivity labels from the list|Apps that accessed data with specific sensitivity labels in the last 30 days.||
    |**Services accessed** (Graph only)|Exchange and/or OneDrive and/or SharePoint and/or Teams|Apps that have accessed OneDrive, SharePoint, or Exchange Online using Microsoft Graph and EWS APIs|Multiple selections allowed.|
    |**Error rate** (Graph only)|Error rate is greater than X% in the last seven days|Apps whose Graph API error rates in the last seven days are greater than a specified percentage||
-   |**App origin** (Preview)|External or Internal|Apps that originated within the tenant or registered in an external tenant||
-
-   All of the specified conditions must be met for this app policy to generate an alert.
+   |**App origin**|External or Internal|Apps that originated within the tenant or registered in an external tenant||
+   
+      All of the specified conditions must be met for this app policy to generate an alert.
 
 6. When you're done specifying the conditions, select **Save**, and then select **Next**.
 
@@ -166,7 +166,7 @@ Policies for OAuth apps trigger alerts only on policies that are authorized by u
 1. Go to **Microsoft Defender XDR > App governance > Policies > Other apps**. For example:
 
     ![Other apps-policy creation](media/app-governance-app-policies-create/other-apps-policy-creation.jpg)
-
+   
 2. Filter the apps according to your needs. For example, you might want to view all apps that request **Permission** to **Modify calendars in your mailbox**.
 
    > [!TIP]

ATPDocs/media/restrict-clients-allowed-to-make-remote-calls-to-SAM.png

@@ -10,7 +10,7 @@ description: Get started with app governance capabilities to govern your apps in
 This article describes how to turn on Microsoft Defender for Cloud Apps app governance.
 
 > [!NOTE]
-> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments cannot connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance is not FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
+> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments can't connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance isn't FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
 ## Prerequisites
 
 Before you start, verify that you satisfy the following prerequisites:
@@ -21,15 +21,16 @@ Before you start, verify that you satisfy the following prerequisites:
 
 - You must have [one of the appropriate roles](#roles) to turn on app governance and access it.
 
-- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, South Africa, Sweden or United Arab Emirates.
+
+- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, Poland, Italy, Qatar, Israel, Spain, Mexico, South Africa, Sweden, or United Arab Emirates.
 
 ## Turn on app governance
 
 If your organization satisfies the [prerequisites](#prerequisites), go to [Microsoft Defender XDR > Settings > Cloud Apps > App governance](https://security.microsoft.com/cloudapps/settings) and select **Use app governance**. For example:
 
 :::image type="content" source="media/app-governance-get-started/app-governance-service-status2.png" alt-text="Screenshot of the App governance toggle in Microsoft Defender XDR." lightbox="media/app-governance-get-started/app-governance-service-status2.png":::
 
-After you've signed up for app governance, you'll need to wait up to 10 hours to see and use the product.
+After signing up for app governance, you'll need to wait up to 10 hours to see and use the product.
 
 If you're unable to see the app governance option in the settings page, it might be due to one or more of the following reasons:
 
@@ -76,7 +77,7 @@ For more information about each role, see [Administrator role permissions](/azur
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 > [!NOTE]
-> App governance alerts will not flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
+> App governance alerts won't flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
 
 ## Next steps