PM feedback implemented

AbbyMSFT · AbbyMSFT · commit d33151ea3d9f · 2025-07-02T21:16:35.000+03:00
diff --git a/ATPDocs/deploy/activate-sensor.md b/ATPDocs/deploy/activate-sensor.md
@@ -23,32 +23,31 @@ You can choose to activate eligible domain controllers either automatically, whe
 |---------|---------|
 |Activate new sensor |The domain controller is already onboarded to Defender for Endpoint. [Activate the sensor](#activate-the-defender-for-identity-sensor).|
 |Install classic sensor|[Deploy the classic Defender for Identity sensor](install-sensor.md) from the **Sensors page**.|
-|Download onboarding package     |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|
+<!--|Download onboarding package     |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|-->
 |OS update is required     |This domain controller is running an unsupported operating system version for the new sensor. Update the server to Windows Server 2019 or later to use the new sensor. |
 
-## The Activation process
+<!--## The Activation process
 The process for activating the sensor depends on your configuration.
 - If you have a Defender for Endpoint deployment, simply [activate the sensor](#activate-the-defender-for-identity-sensor).
-- If the domain controller is not onboarded to Defender for Endpoint, [onboard the domain controller](#onboard-the-domain-controller) by configuring Defender for Endpoint streamlined URLs, and then downloading and running the onboarding package.
+- If the domain controller is not onboarded to Defender for Endpoint, [onboard the domain controller](#onboard-the-domain-controller) by configuring Defender for Endpoint streamlined URLs, and then downloading and running the onboarding package.-->
 
 ## Activate the Defender for Identity sensor
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Activation**.
 1. Select the domain controller where you want to activate Defender for Identity, and select **Activate**. Confirm your selection when prompted. 
 
-   [![Screenshot that shows how to activate the new sensor.](media/activate-capabilities/activate.jpg)](media/activate-capabilities/activate.jpg#lightbox)
+   [![Screenshot that shows how to activate the new sensor.](media/activate-capabilities/activate.png)](media/activate-capabilities/activate.png#lightbox)
 
 1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers**. This takes you to the **Sensors** page, where you can check your sensor health.
 
     [![Screenshot that shows how to see the onboarded servers.](media/activate-capabilities/successfully-activated.png)](media/activate-capabilities/successfully-activated.png#lightbox)
 
-
+<!--->
 ## Onboard the domain controller 
 
-If the domain controller has not been onboarded to Defender for Endpoint, follow these steps to activate the sensor.
+If the domain controller has not been onboarded to Defender for Endpoint for Servers, follow these steps to activate the sensor.
 
-1. [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server)
-1. [Configure connectivity using streamlined connection](/microsoft-365/security/defender-endpoint/configure-device-connectivity#option-1-configure-connectivity-using-the-simplified-domain).
+1. [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) using [streamlined URLs](/microsoft-365/security/defender-endpoint/configure-device-connectivity#option-1-configure-connectivity-using-the-simplified-domain).
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Activation**.
 1. Select **Download onboarding package**, and save the file in a location you can access from your domain controller.
 
@@ -59,13 +58,14 @@ If the domain controller has not been onboarded to Defender for Endpoint, follow
 
    [![screenshot that shows the onboarding script.](media/activate-capabilities/screenshot-2025-06-04-170500.png)](media/activate-capabilities/screenshot-2025-06-04-170500.png#lightbox)
 
+<!-->
 
-## Confirm onboarding 
+## Confirm sensor activation 
 
 To confirm the sensor is working: 
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Identities** > **Sensors**.
-1. Check that the onboarded domain controller is listed. 
+1. Check that the activated domain controller is listed. 
 
 > [!NOTE]
 > The first time you activate the Defender for Identity sensor on your domain controller, it might take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes. The activation doesn't require a restart/reboot. 
diff --git a/ATPDocs/deploy/deploy-defender-identity.md b/ATPDocs/deploy/deploy-defender-identity.md
@@ -8,33 +8,33 @@ ms.reviewer: rlitinsky
 
 # Microsoft Defender for Identity deployment overview
 
-Defender for Identity uses sensors to collect signals from your on-premises identity infrastructure. This article explains the Microsoft Defender for Identity deployment process.
+Defender for Identity uses sensors to collect signals from your on-premises identity infrastructure to detect threats. This article explains the Microsoft Defender for Identity deployment process.
 
-Defender for Identity uses signals to detect threats like privilege escalation or high-risk lateral movement and reports on easily exploited identity issues like unconstrained Kerberos delegation for correction by the security team.
+Defender for Identity detects threats like privilege escalation or high-risk lateral movement and reports on easily exploited identity issues like unconstrained Kerberos delegation for correction by the security team.
 
 We recommend installing Defender for Identity sensors on all domain controllers, including read-only domain controllers (RODCs). If you have an AD FS, AD CS, or a Microsoft Entra Connect farm or cluster in your environment, install the sensor on each server.
 
 ## Select your deployment method
 
-Once you've completed the steps to prepare your environment and assigned roles and permissions for Defender for Identity, create a plan for onboarding. 
+Once you've completed the steps to prepare your environment, and assigned roles and permissions for Defender for Identity, create a plan for onboarding. 
 
 Identify your architecture and your requirements, and then use the table below to select the appropriate deployment for the servers in your environment. 
 
 |Server configuration   |Server Operating System  |Recommended deployment |
 |---------|---------|---------|---------|
 |Domain controller     | Windows Server 2019 or later with the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
-|      |Windows Server 2016 or earlier         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
+|Domain controller      |Windows Server 2016 or earlier         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
 |[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    NA     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
 |[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  NA       |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
 |[Entra Connect](active-directory-federation-services.md)|  NA    |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
 
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 > The Defender for Identity sensor v3.x:
-> - Requires that Defender for Endpoint is deployed
-> - Doesn't support VPN integration
-> - Doesn't support ExpressRoute
-> - Doesn't provide full functionality of health alerts, posture recommendations or security alerts
+> - Requires that Defender for Endpoint is deployed on your endpoints
+> - Doesn't currently support VPN integration
+> - Doesn't currently support ExpressRoute
+> - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
 
 Once you've evaluated your infrastructure and requirements, follow the instructions for deploying the sensor based on the version you need.
 
diff --git a/ATPDocs/deploy/media/activate-capabilities/activate.png b/ATPDocs/deploy/media/activate-capabilities/activate.png
diff --git a/ATPDocs/deploy/multi-forest.md b/ATPDocs/deploy/multi-forest.md
@@ -1,12 +1,12 @@
 ---
-title: Multi-forest support | Microsoft Defender for Identity
+title: Multi-forest considerations | Microsoft Defender for Identity
 description: Learn about how Microsoft Defender for Identity supports multiple Active Directory forests.
 ms.date: 08/10/2023
 ms.topic: article
 ms.reviewer: martin77s
 ---
 
-# Microsoft Defender for Identity multi-forest support
+# Microsoft Defender for Identity multi-forest considerations
 
 Microsoft Defender for Identity supports organizations with multiple Active Directory forests, giving you the ability to easily monitor activity and profile users across forests.
 
@@ -20,7 +20,7 @@ Securing your multiple Active Directory forests with Defender for Identity provi
 
 > [!NOTE]
 > Each Defender for Identity sensor can only report to a single Defender for Identity workspace.
->
+
 
 ## Detection activity across multiple forests
 
diff --git a/ATPDocs/deploy/prerequisites-sensor-version-3.md b/ATPDocs/deploy/prerequisites-sensor-version-3.md
@@ -14,10 +14,10 @@ This article describes the requirements for installing the Microsoft Defender fo
 
 Before activating the Defender for Identity sensor v3.x, note that this version of the sensor is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 The Defender for Identity sensor v3.x:
- - Requires that Defender for Endpoint is deployed
- - Doesn't support VPN integration
- - Doesn't support ExpressRoute
- - Doesn't provide full functionality of health alerts, posture recommendations or security alerts.
+ - Requires that Defender for Endpoint is deployed on your endpoints
+ - Doesn't currently support VPN integration
+ - Doesn't currently support ExpressRoute
+ - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
 
 ## Licensing requirements
 
@@ -42,7 +42,7 @@ The following table summarizes the server requirements and recommendations for t
 |Prerequisite / Recommendation |Description  |
 |---------|---------|
 |Operating System|The domain controller must have both:<br> - Windows Server 2019 or later<br> - [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.|
-|Specifications|  A domain controller server with a minimum of:<br> - two cores<br>- 6 GB of RAM<br>- 6 GB of disk space required, 10 GB recommended|
+|Specifications|  A domain controller server with a minimum of:<br> - two cores<br>- 6 GB of RAM|
 |Performance| For optimal performance, set the **Power Option** of the machine running the Defender for Identity sensor to **High Performance**.        |
 |Connectivity|Requires a Microsoft Defender for Endpoint deployment. If Microsoft Defender for Endpoint is installed on the domain controller, there are no additional connectivity requirements.   |
 |Previous installations| Before activating the sensor on a domain controller, make sure that the domain controller doesn't have another Defender for Identity sensor already deployed.|
@@ -52,14 +52,6 @@ The following table summarizes the server requirements and recommendations for t
 > [!NOTE]
 > After the March 2024 Cumulative Update is installed, LSASS might experience a memory leak on domain controllers during on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests. [This out-of-band update: KB5037422](https://support.microsoft.com/en-gb/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3) addresses this issue.
 
-### Required ports
-
-|Protocol   |Transport         |Port         |From       |To   |Notes|
-|------------|---------|---------|-------|--------------|-----|
-|DNS     |TCP and UDP           |53  |Defender for Identity sensor|DNS Servers           |    |
-|RADIUS     |UDP      |1813|RADIUS         |Defender for Identity sensor      |   |
-|Network Name Resolution (NNR) ports  | | | | |To resolve IP addresses to computer names, we recommend opening all ports listed. However, only one port is required.   |
-
 ### Dynamic memory requirements
 
 The following table describes memory requirements on the server used for the Defender for Identity sensor, depending on the type of virtualization you're using:
diff --git a/ATPDocs/deploy/test-sensor.md b/ATPDocs/deploy/test-sensor.md
@@ -1,14 +1,14 @@
 ---
-title: Test Microsoft Defender for Identity sensors on domain controllers
+title: Validate the Microsoft Defender for Identity sensor deployment on domain controllers
 description: Learn about how to check that the Microsoft Defender for Identity sensors have been onboarded correctly.
 ms.date: 06/10/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
-# Test the Defender for Identity sensor on domain controllers 
+# Validate the Defender for Identity sensor deployment on domain controllers 
 
-Use the following procedures to test that your sensors are working.
+Use the following procedures to check that your sensors are working.
 Note that the first time you activate the sensor on your domain controller, it might take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations show within five minutes.
 
 ## Check the ITDR dashboard
diff --git a/ATPDocs/toc.yml b/ATPDocs/toc.yml
@@ -33,6 +33,8 @@ items:
       items:
         - name: Prerequisites
           href: deploy/prerequisites-sensor-version-2.md
+        - name: Deploy a sensor for multiple Active Directory forests
+          href: deploy/multi-forest.md
         - name: Connect to the Defender for Identity service
           href: deploy/configure-proxy.md
         - name: Test connectivity settings
@@ -75,9 +77,7 @@ items:
           href: deploy/prerequisites-sensor-version-3.md
         - name: Activate the Defender for Identity sensor (Preview)
           href: deploy/activate-sensor.md
-    - name: Deploy a sensor for multiple Active Directory forests
-      href: deploy/multi-forest.md
-    - name: Test the sensor
+    - name: Validate the sensor deployment
       href: deploy/test-sensor.md
   - name: Configure event collection
     items:
diff --git a/ATPDocs/uninstall-sensor.md b/ATPDocs/uninstall-sensor.md
@@ -1,25 +1,26 @@
 ---
 title: Uninstall the sensor
 description: This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers.
-ms.date: 01/30/2023
+ms.date: 07/02/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
-# Uninstall the Microsoft Defender for Identity sensor
+# Remove the Microsoft Defender for Identity sensor
 
 This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers.
 
-## Prerequisites
+<!--## Prerequisites
 
-Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. You must remove Defender for Identity from Defender for Endpoint before uninstalling the sensor.
+Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. You must remove Defender for Identity from Defender for Endpoint before deactivating the sensor.
 
 1. In the [Defender portal](https://security.microsoft.com), go to **Settings** > **Identities** > **Activation**.
 1. Select **Download offboarding package** and save the file in a location you can access from your domain controller.  
 ![Screenshot that shows how to offboard the new sensor.](media/screenshot-that-shows-how-to-offboard-the-new-sensor.png)
 1. From the domain controller, extract the zip file, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+-->
 
-## Uninstall a sensor
+## Delete a sensor
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Identities** > **Sensors**.
 1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
