
Commit d74bbb3

Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into mdi-alerts-update
2 parents 09574be + e72b198 commit d74bbb3


3 files changed

+19
-5
lines changed


ATPDocs/whats-new.md

Lines changed: 8 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -25,7 +25,14 @@ For updates about versions and features released six months ago or earlier, see
2525

2626
## August 2025
2727

28-
**Suspected Brute Force attack (Kerberos, NTLM):** Improved detection logic now includes scenarios where accounts were locked during the attacks. As a result, the number of triggered alerts might increase.
28+
### Sensor version 2.246
29+
30+
This version includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.
31+
32+
### Detection update: Suspected Brute Force attack (Kerberos, NTLM)
33+
34+
Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase.
35+
2936

3037
## July 2025
3138
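Review bot: Line 34+ drops the alert name as the lead and keeps only the outcome, so a reader scanning the August entry no longer sees which alert is affected until the heading at 32+. State the change in terms an operator can act on: the rule now also fires for attempts that ended with the targeted accounts being locked out, so alert tuning or suppression calibrated to the previous volume should be revisited. Use "locked out" rather than "locked" for Active Directory account lockout, and check that the neighbouring months follow the same `###` subsection pattern (sensor version, then detection update) so August doesn't read differently from July 2025 below.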

CloudAppSecurityDocs/proxy-intro-aad.md

Lines changed: 4 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -6,9 +6,8 @@ ms.topic: concept-article
66
---
77
# Conditional Access app control in Microsoft Defender for Cloud Apps
88

9-
In today's workplace, it's not enough to know what happened in your cloud environment after the fact. You need to stop breaches and leaks in real time. You also need to prevent employees from intentionally or accidentally putting your data and organization at risk.
10-
11-
You want to support users in your organization while they use the best cloud apps available and bring their own devices to work. However, you also need tools to protect your organization from data leaks and theft in real time. Microsoft Defender for Cloud Apps integrates with any identity provider (IdP) to deliver this protection with [access](access-policy-aad.md) and [session](session-policy-aad.md) policies.
9+
In today’s workplace, it’s not enough to understand what happened in your cloud environment after the fact, you need to stop breaches and data leaks as they happen. That includes preventing employees from intentionally or accidentally putting your data and organization at risk.
10+
Microsoft Defender for Cloud Apps helps you strike the right balance: enabling productivity with the best cloud apps while protecting your data in real time. It delivers deep visibility and control over **browser-based sessions** through integration with any identity provider (IdP), using powerful [access](access-policy-aad.md) and [session](session-policy-aad.md) policies.
1211

1312
For example:
1413
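Review bot: Line 9+ is a comma splice ("...after the fact, you need to stop breaches...") and the rewrite switched the removed lines' straight apostrophes to curly ones (today’s, it’s); keep ASCII quotes and split the sentence: "...after the fact. You need to stop breaches and data leaks as they happen." Line 10+ carries the substantive improvement, scoping the control to **browser-based sessions**, which is the fact the later guidance about blocking native clients depends on; keep that and drop "powerful", which is marketing filler in a concept article.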

@@ -26,6 +25,8 @@ Microsoft Edge users benefit from [direct, in-browser protection](in-browser-pro
2625

2726
Users of other browsers are redirected via reverse proxy to Defender for Cloud Apps. Those browsers display an `*.mcas.ms` suffix in the link's URL. For example, if the app URL is `myapp.com`, the app URL is updated to `myapp.com.mcas.ms`.
2827

28+
To prevent bypassing this protection, admins should configure access policies to block native client access and allow only browser-based sessions.
29+
2930
This article describes Conditional Access app control in Defender for Cloud Apps through [Microsoft Entra Conditional Access](/entra/identity/conditional-access/overview) policies.
3031

3132
## Activities in Conditional Access app control
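Review bot: Line 28+ states the control without the threat or the mechanism. The preceding paragraph explains that protection works by routing browser traffic through the `*.mcas.ms` reverse proxy, so the bypass is a native or desktop client that connects to the app directly and never traverses the proxy; say that, and point to the access policy article already linked in the intro for how to block those clients, for example: "Native and mobile clients aren't routed through the reverse proxy, so session policies don't apply to them. To prevent this bypass, use [access policies](access-policy-aad.md) to block non-browser clients for protected apps." Also "admins" is informal for this doc set; use "administrators" or the imperative.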

defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 7 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -583,6 +583,9 @@ Dependencies: Microsoft Defender Antivirus
583583

584584
### Block rebooting machine in Safe Mode
585585

586+
> [!NOTE]
587+
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
588+
586589
This rule prevents the execution of commands to restart machines in Safe Mode. Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.
587590

588591
Intune Name: ` Block rebooting machine in Safe Mode`
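Review bot: The note at 586+/587+ is pasted verbatim into three rules in this commit, and the third copy already diverges (it scopes to Exchange servers); consider an include or one agreed wording so the copies don't drift. In the text itself, "Windows and Windows Servers" should be "Windows and Windows Server", and confirm that "Threat and Vulnerability Management" is the name this file uses elsewhere for the report rather than the product's current branding. Drive-by on the unchanged 588591: the Intune Name value starts with a space inside the backticks, which readers will pick up when they copy it.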
@@ -621,6 +624,9 @@ Dependencies: Microsoft Defender Antivirus
621624

622625
### Block use of copied or impersonated system tools
623626

627+
> [!NOTE]
628+
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
629+
624630
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
625631

626632
Intune Name: `Block use of copied or impersonated system tools`
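Review bot: Same note as the Safe Mode rule above, with the same wording; if both rules and the webshell rule below are excluded from the same report for the same reason, a single shared include, or one sentence in the section that introduces the report, is easier to keep current than three copies. If the copies stay, make the "Not applicable" phrasing and the OS scope ("Windows and Windows Server") identical in each, and place the note consistently across rules, either before the description as here or next to the Dependencies line.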
@@ -652,7 +658,7 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
652658
Dependencies: Microsoft Defender Antivirus
653659

654660
> [!NOTE]
655-
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management.
661+
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Exchange servers.
656662
657663
### Block Win32 API calls from Office macros
658664
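Review bot: Line 661+ appends the Threat and Vulnerability Management sentence to an existing note about Group Policy conflicts, so one callout now carries two unrelated caveats; split it into its own `> [!NOTE]` block to match the two standalone notes added earlier in this commit and to keep each caveat findable. This copy also says "for Exchange servers" where the other two say "for Windows and Windows Servers"; if the narrower scope is intentional because this rule targets Exchange hosts, write it as "Exchange Server" and confirm the scope, otherwise align the wording with the other two notes.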
