Merge branch 'main' into release-preview-sentinel-lake

Author: v-alje

ATPDocs/deploy/deploy-defender-identity.md

@@ -31,7 +31,7 @@ Identify your architecture and your requirements, and then use the table below t
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 > The Defender for Identity sensor v3.x:
-> - Requires that Defender for Endpoint is deployed on your endpoints
+> - Requires that Defender for Endpoint is deployed
 > - Doesn't currently support VPN integration
 > - Doesn't currently support ExpressRoute
 > - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.

ATPDocs/deploy/prerequisites-sensor-version-3.md

@@ -14,7 +14,7 @@ This article describes the requirements for installing the Microsoft Defender fo
 
 Before activating the Defender for Identity sensor v3.x, note that this version of the sensor is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 The Defender for Identity sensor v3.x:
- - Requires that Defender for Endpoint is deployed on your endpoints
+ - Requires that Defender for Endpoint is deployed
  - Doesn't currently support VPN integration
  - Doesn't currently support ExpressRoute
  - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.

ATPDocs/health-alerts.md

@@ -1,14 +1,17 @@
 ---
 title: Microsoft Defender for Identity notifications
 description: Learn how to use and configure Microsoft Defender for Identity notifications in Microsoft Defender XDR.
-ms.date: 09/03/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to work with Defender for Identity notifications to make sure I'm up to date about events detected by Defender for Identity.
 ms.reviewer: LiorShapiraa
 ---
 
 # Defender for Identity notifications in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity provides notifications for health issues and security alerts, either via email notifications or to a Syslog server.
 
 This article describes how to configure Defender for Identity notifications so that you're aware of any health issues or security alerts detected.

ATPDocs/notifications.md

@@ -1,7 +1,7 @@
 ---
 title: Manage and update sensors
 description: Learn how to manage and update your Microsoft Defender for Identity sensors.
-ms.date: 01/29/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -104,6 +104,9 @@ The sensors page provides the following information about each sensor:
 
   * Disabled
 
+    >[!NOTE]
+    >This feature is supported only by the Defender for Identity sensor version 2.x.
+
 * **Health status**: Displays the overall health status of the sensor with a colored icon representing the highest severity open health alert. Possible values are:
 
   * **Healthy (green icon)**: No opened health issues
@@ -143,6 +146,8 @@ Defender for Identity sensors support two kinds of updates:
 > * Defender for Identity sensors always reserve at least 15% of the available memory and CPU available on the domain controller where it is installed. If the Defender for Identity service consumes too much memory, the service is automatically stopped and restarted by the Defender for Identity sensor updater service.
 
 ### Delayed sensor update
+>[!NOTE]
+>This feature is supported only by the Defender for Identity sensor version 2.x.
 
 Given the rapid speed of ongoing Defender for Identity development and release updates, you may decide to define a subset group of your sensors as a delayed update ring, allowing for a gradual sensor update process. Defender for Identity enables you to choose how your sensors are updated and set each sensor as a **Delayed update** candidate.
 

ATPDocs/sensor-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Uninstall the sensor
 description: This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers.
-ms.date: 07/02/2025
+ms.date: 07/07/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -22,21 +22,24 @@ Deactivating Defender for Identity capabilities from your domain controller does
 
 ## Delete a sensor
 
+### For sensor v3.x
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Identities** > **Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
-    ![Screenshot that shows how to delete a sensor.](media/screenshot-that-shows-how-to-delete-a-sensor.png)
+   :::image type="content" source="media/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor." lightbox="media/screenshot-that-shows-how-to-delete-a-sensor.png":::
 
-## Uninstall a sensor v2.x from a domain controller
+    >[!NOTE]
+    >This action removes the v3.x sensor and stops monitoring on that domain controller.   
 
-The following steps describe how to uninstall a sensor v2.x from a domain controller.
-
-1. Sign in to the domain controller with administrative privileges.
-1. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
-1. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+## Delete and uninstall a sensor v2.x from a domain controller
 
 > [!IMPORTANT]
 > We recommend removing the sensor from the domain controller before demoting the domain controller.
+> 
+1. Sign in to the domain controller with administrative privileges.
+2. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
+3. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+4. After uninstallation is complete, go to the Microsoft Defender portal > Settings > Identities > Sensors, select the domain controller, and choose Delete.
 
 ## Remove an orphaned sensor
 

ATPDocs/uninstall-sensor.md

@@ -1,14 +1,17 @@
 ---
 title: VPN integration | Microsoft Defender for Identity
 description: Learn how to collect accounting information by integrating a VPN for Microsoft Defender for Identity in Microsoft Defender XDR.
-ms.date: 08/31/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to collect accounting information from VPN solutions. 
 ms.reviewer: martin77s
 ---
 
 # Defender for Identity VPN integration in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity can integrate with your VPN solution by listening to RADIUS accounting events forwarded to Defender for Identity sensors, such as the IP addresses and locations where connections originated. VPN accounting data can help your investigations by providing more information about user activity, such as the locations from where computers are connecting to the network, and an extra detection for abnormal VPN connections.
 
 Defender for Identity's VPN integration is based on standard RADIUS Accounting ([RFC 2866](https://tools.ietf.org/html/rfc2866)), and supports the following VPN vendors:

ATPDocs/vpn-integration.md

@@ -25,13 +25,6 @@ Anomalies are detected by scanning user activity. The risk is evaluated by looki
 
 Based on the policy results, security alerts are triggered. Defender for Cloud Apps looks at every user session on your cloud and alerts you when something happens that is different from the baseline of your organization or from the user's regular activity.
 
-In addition to native Defender for Cloud Apps alerts, you'll also get the following detection alerts based on information received from Microsoft Entra ID Protection:
-
-* Leaked credentials: Triggered when a user's valid credentials have been leaked. For more information, see [Microsoft Entra ID's Leaked credentials detection](/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk).
-* Risky sign-in: Combines a number of Microsoft Entra ID Protection sign-in detections into a single detection. For more information, see [Microsoft Entra ID's Sign-in risk detections](/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk).
-
-These policies appear on the Defender for Cloud Apps policies page and can be enabled or disabled.
-
 > [!IMPORTANT]
 > Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
 > 

CloudAppSecurityDocs/anomaly-detection-policy.md

@@ -52,13 +52,7 @@ For detailed licensing information, see the [Product Terms site](https://www.mic
 
 ## Browser requirements
 
-Access to Defender for Endpoint is done through a browser. The following browsers are supported:
-
-- Microsoft Edge
-- Google Chrome
-
-> [!NOTE]
-> Although other browsers might work, the mentioned browsers are the ones supported.
+Access Microsoft Defender for Endpoint and other [Microsoft Defender XDR](/defender-xdr/) experiences in the Microsoft Defender portal using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.
 
 ## Hardware and software requirements
 
@@ -69,36 +63,29 @@ Devices on your network must be running one of the operating systems listed in t
 > [!IMPORTANT]
 > You may continue to use Microsoft Windows after OS support ends; however, it will no longer receive quality updates, new or updated features, or security updates for the operating system itself. However, devices protected by Microsoft Defender for Endpoint will continue to receive regular product updates through existing channels, keeping detection and protection capabilities current. 
 
-- Windows 11 Enterprise
-- Windows 11 IoT Enterprise
-- Windows 11 Education
-- Windows 11 Pro
-- Windows 11 Pro Education
-- [Windows 10 and 11 on Arm](/windows/arm/overview)
-- Windows 10 Enterprise
-- [Windows 10 Enterprise LTSC 2016 (or later)](/windows/whats-new/ltsc/)
-- Windows 10 IoT Enterprise (including LTSC)
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+- Windows 10 and 11 Enterprise, IoT Enterprise, Education, Pro, Pro Education including [Windows on Arm](/windows/arm/overview)
+
+- [Windows Enterprise LTSC 2016 (and later)](/windows/whats-new/ltsc/)
+
+- [Windows Enterprise multi-session](/azure/virtual-desktop/windows-multisession-faq)
+
 - Windows Server
   - Windows Server 2012 R2
   - Windows Server 2016
-  - Windows Server, version 1803 or later
-  - Windows Server 2019 and later
-  - Windows Server 2019 core edition
-  - Windows Server 2022
-  - Windows Server 2022 core edition
-  - Windows Server 2025
-- Azure Virtual Desktop
-- Windows 365 running one of the previously listed operating systems/versions
-
-The following operating systems work with Defender for Endpoint, provided you're using the [Log Analytics](/azure/azure-monitor/agents/log-analytics-agent) / [Microsoft Monitoring Agent](update-agent-mma-windows.md) (MMA):
-
-- Windows 8.1 Enterprise
-- Windows 8.1 Pro
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
+  - Windows Server Semi-Annual Channel, version 1803 and above
+    
+  - Windows Server 2019 and later (including Core installation type)
+    
+- [Windows 365](/windows-365/) Cloud PCs and supported [Azure (Windows) Virtual Desktop](/azure/virtual-desktop/) machines running one of the previously listed operating systems/versions
+
+- [Azure Local](/azure/azure-local) Nodes running Azure Stack HCI OS, version 23H2 and above
+
+The following Windows operating systems work with Defender for Endpoint, provided you're using the [Log Analytics](/azure/azure-monitor/agents/log-analytics-agent) / [Microsoft Monitoring Agent](update-agent-mma-windows.md) (MMA):
+
+- Windows 7 SP1 Pro, Enterprise
+
+- Windows 8.1 Pro, Enterprise
+
 - Windows Server 2008 R2 SP1
 
 > [!NOTE]
@@ -115,16 +102,16 @@ To add anti-malware protection to these older operating systems, you can use [Sy
 - [iOS](microsoft-defender-endpoint-ios.md)
 
 > [!NOTE]
-> - Make sure to confirm that the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint.
-> - Although Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability. 
-> - Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.
-> - Virtual Machines running Windows 10 Enterprise 2016 LTSB can encounter performance issues when used on non-Microsoft virtualization platforms.
-> - For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later.
-> - [Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md) don't include server licenses. To onboard servers to those plans, you need another license, such as Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering). To learn more. see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
-> - If your organization is a small or medium-sized business, see [Microsoft Defender for Business requirements](/defender-business/mdb-requirements).
-> - Windows 11 24H2 Home devices that are upgraded to a supported edition might require you to run the following command before onboarding: `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~`
+- Make sure to confirm that the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint.
+- Although Windows 10 IoT Enterprise is a supported OS in Microsoft Defender for Endpoint and enables OEMs/ODMs to distribute it as part of their product or solution, customers should follow the OEM/ODM's guidance around host-based installed software and supportability. 
+- Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.
+- Virtual Machines running Windows 10 Enterprise 2016 LTSB can encounter performance issues when used on non-Microsoft virtualization platforms.
+- For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later.
+- [Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md) don't include server licenses. To onboard servers to those plans, you need another license, such as Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering). To learn more. see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
+- If your organization is a small or medium-sized business, see [Microsoft Defender for Business requirements](/defender-business/mdb-requirements).
+> - Windows 11 24H2 Home devices that have been upgraded to a supported edition might require you to run the following command before onboarding: `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~`
 > For more information about edition upgrades and features, see ([Windows features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true))
-
+> 
 ### Hardware requirements
 
 The minimum hardware requirements for Defender for Endpoint on Windows devices are the same as the requirements for the operating system itself (that is, they aren't in addition to the requirements for the operating system).
@@ -177,6 +164,7 @@ If you're running a non-Microsoft anti-malware client and use Mobile Device Mana
 ## Related articles
 
 - [Set up Microsoft Defender for Endpoint deployment](production-deployment.md)
+
 - [Onboard devices](onboard-configure.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]