Merge branch 'main' into 36c98360-f79b-48fc-8f23-b0ef3edf24b0_98

Author: padmagit77

ATPDocs/alerts-overview.md

@@ -98,7 +98,6 @@ The following table lists the mapping between alert names, their corresponding u
 | [Suspicious modifications to the AD CS security permissions/settings](persistence-privilege-escalation-alerts.md#suspicious-modifications-to-the-ad-cs-security-permissionssettings--external-id-2435) | 2435                | Medium                                                     | Privilege escalation                                            |
 | [Account Enumeration reconnaissance (LDAP)](reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-ldap-external-id-2437-preview) (Preview) | 2437 | Medium  | Account Discovery, Domain Account |
 | [Directory Services Restore Mode Password Change](other-alerts.md#directory-services-restore-mode-password-change-external-id-2438) | 2438 | Medium  | Persistence, Account Manipulation |
-| [Honeytoken was queried via SAM-R](reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-sam-r-external-id-2439) | 2439                | Low                                                     | Discovery                                            |
 |[Group Policy Tampering ](/defender-for-identity/other-alerts)|2440|Medium|Defense evasion|
 
 > [!NOTE]

ATPDocs/automated-response-exclusions.md

@@ -18,27 +18,30 @@ For example, an incident involving Attack Disruption, where response actions are
 
 ## How to add automated response exclusions
 
-1. In [Microsoft Defender XDR](https://security.microsoft.com/), go to **Settings** and then **Identities**.
 
-    ![Go to Settings, then Identities.](media/settings-identities.png)
+1. In the [Microsoft Defender XDR](https://security.microsoft.com/) portal, go to **Settings** and then **Microsoft Defender XDR**.
 
-1. You'll then see **Automated response exclusions** in the left-hand menu.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-settings1.png" alt-text="Go to Settings, then Microsoft Defender XDR.":::
 
-    ![Automated response exclusions.](media/automated-response-exclusions.png)
+ 
+2. You'll see **Automated response > Identities** in the left-side menu.
 
-1. To exclude specific users, select **Exclude Users**.
+    :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-automated-response.png" alt-text="Go to Automated response then Identities.":::
+ 
+3. To exclude specific users, select **Add User Exclusion**.
 
-    :::image type="content" source="media/exclude-users.png" alt-text="Exclude specific users.":::
-
-1. Search for the users to exclude and select the **Exclude Users** button.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-add-exclusion.png" alt-text="Exclude specific users.":::
+      
+4. Search for the users to exclude and select the **Exclude Users** button.
 
     :::image type="content" source="media/exclude-specific-users.png" alt-text="Choose which users to exclude.":::
+   
+5. To remove excluded users, select the relevant users from the list and select the **Remove** button.
 
-1. To remove excluded users, select the relevant users from the list and select the **Remove** button.
-
-    :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
-
+     :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
+   
 ## See also
 
 - [Configure event collection](deploy/configure-event-collection.md)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+

ATPDocs/deploy/activate-capabilities.md

@@ -6,11 +6,15 @@ ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
-# Activate Microsoft Defender for Identity capabilities directly on a domain controller
+# Activate Microsoft Defender for Identity capabilities directly on a domain controller (Preview)
 
-Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+This article describes how to activate and test Microsoft Defender for Identity new sensor capabilities on your domain controller.
 
-This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
+> [!NOTE]
+> The capabilities described in this article are currently available as Preview features. Preview features are features that aren't complete, but are made available on a "preview" basis so customers can get early access and provide feedback.
+> 
+> Preview features are still in development, have limited or restricted functionality and may be available only in selected geographic areas.
+> For more information, see the [Microsoft Defender XDR preview features](/defender-xdr/preview)
 
 > [!IMPORTANT]
 > The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
@@ -71,40 +75,52 @@ Set-MDIConfiguration -Mode Domain -Configuration All
 
 ### Customers with domain controllers already onboarded to Defender for Endpoint 
 
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+
 ### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
-
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+   The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server, you can find its activation state.
 
-    :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
-    > [!NOTE]
-    > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
+   [![Screenshot that shows how to activate the new sensor.](media/activate-capabilities/1.jpg)](media/activate-capabilities/1.jpg#lightbox)
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+   
+> [!NOTE]
+> You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
+    
+    [![Screenshot that shows how to see the onboarded servers.](media/activate-capabilities/2.jpg)](media/activate-capabilities/2.jpg#lightbox)
+   
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Connectivity requirements
 
-Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
+Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including streamlined URLs.
 
-For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server), [Configure connectivity using streamlined connection](/microsoft-365/security/defender-endpoint/configure-device-connectivity#option-1-configure-connectivity-using-the-simplified-domain).
 
-### Onboard Defender for Identity capabilities 
-Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+### Onboard Defender for Identity capabilities
+
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal](https://security.microsoft.com)
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-1. Navigate to **System** > **Settings** > **Identities** > **Activation**
 2. Select Download onboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
+
+   
+   [![Screenshot that shows how to onboard the new sensor.](media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png)](media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png#lightbox)
 
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator.
+
+   [![screenshot that shows the onboarding script.](media/activate-capabilities/screenshot-2025-06-04-170500.png)](media/activate-capabilities/screenshot-2025-06-04-170500.png#lightbox)
+
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
@@ -113,11 +129,10 @@ To confirm the sensor has been onboarded:
 
 2. Check that the onboarded domain controller is listed. 
 
-> [!NOTE]
-> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
-> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
+    > [!NOTE]
+    > The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
-## Test activated capabilities
+**Test activated capabilities**
 
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
@@ -147,7 +162,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -226,22 +241,27 @@ For more information, see [Remediation actions in Microsoft Defender for Identit
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. Navigate to **Settings** > **Identities** > **Sensors**
-2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
-
-    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
+1. Navigate to **Settings** > **Identities** > **Sensors**.
+1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
+    ![Screenshot that shows how to delete a sensor.](media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png)
+   
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Offboard Defender for Identity capabilities on your domain controller 
-Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **Settings** > **Identities** > **Activation**
-2. Select Download offboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
-4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
+1. Select Download offboarding package and save the file in a location you can access from your domain controller.  
+![Screenshot that shows how to offboard the new sensor.](media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png)
+1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+1. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server, and click **Delete**.
+
+:::image type="content" source="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor" lightbox="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png":::
+
 
 ## Next steps
 

ATPDocs/deploy/configure-windows-event-collection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 01/16/2024
+ms.date: 06/04/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -240,6 +240,7 @@ To configure domain object auditing:
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
 
 > [!NOTE]
 > Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.