Merge branch 'main' into 440863-file-policy-decryption-mda

Author: DeCohen

ATPDocs/deploy/configure-windows-event-collection.md

@@ -235,15 +235,16 @@ To configure domain object auditing:
 
         Now, all relevant changes to directory services appear as 4662 events when they're triggered.
 
-1. Repeat the steps in this procedure, but for **Applies to**, select the following object types:
+1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
-   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects** <sup>2</sup>
 
 > [!NOTE]
-> Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 1. Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 2. The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
 
 ## Configure auditing on AD FS
 

ATPDocs/identity-inventory.md

@@ -110,7 +110,7 @@ Sort option applies to Display name, Domain, and Created time columns.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 
-At the top of each device inventory tab, the following device counts are available:
+At the top of the page, the following identities counts are available:
 
 - __Total__: The total number of identities. 
 
@@ -120,7 +120,7 @@ At the top of each device inventory tab, the following device counts are availab
 
 - **Services:** The number of all service accounts both on-premises and cloud.
 
-You can use this information to help you prioritize devices for security posture improvements.
+You can use this information to help you prioritize identities for security posture improvements.
 
 ### Navigate to the Identity inventory page
 

ATPDocs/ops-guide/ops-guide.md

@@ -13,7 +13,7 @@ This article summarizes the Microsoft Defender for Identity activities we recomm
 
 |Cadence  |Tasks  |
 |---------|---------|
-|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br> - [Investigate users with a high investigation score](ops-guide-daily.md#investigate-users-with-a-high-investigation-score) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
+|**Daily**     | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority) <br>- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)<br> - [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard) <br>- [Proactively hunt](ops-guide-daily.md#proactively-hunt) <br> - [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues)   |
 |**Weekly**     |- [Review Secure score recommendations](ops-guide-weekly.md#review-secure-score-recommendations) <br>  - [Review and respond to emerging threats](ops-guide-weekly.md#review-and-respond-to-emerging-threats) <br>- [Proactively hunt](ops-guide-weekly.md#proactively-hunt)   |
 |**Monthly**     | - [Review tuned alerts and adjust tuning if needed](ops-guide-monthly.md#review-tuned-alerts-and-adjust-tuning-if-needed) <br> - [Track new changes in Microsoft Defender XDR and Defender for Identity](ops-guide-monthly.md#track-new-changes-in-microsoft-defender-xdr-and-defender-for-identity)     |
 | **Quarterly / Ad hoc** <br>Depending on your organization's needs and processes | - [Review Microsoft service health](ops-guide-quarterly.md#review-microsoft-service-health) <br> - [Review server setup process to include sensors](ops-guide-quarterly.md#review-server-setup-process-to-include-sensors) <br>- [Check domain configuration via PowerShell](ops-guide-quarterly.md#check-domain-configuration-via-powershell) |

CloudAppSecurityDocs/governance-actions.md

@@ -83,8 +83,7 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
-> [!NOTE]
-> These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
+These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
  - Security Operator
  - Security administrator
  - Global administrator

defender-endpoint/isolation-exclusions.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: edr
 search.appverid: met150
-ms.date: 06/22/2025
+ms.date: 07/01/2025
 ---
 
 # Isolation exclusions (preview)
@@ -57,7 +57,7 @@ There are two steps to using isolation exclusion: defining isolation exclusion r
 
 ### Prerequisites
 
-* Isolation exclusion is available on Windows (minimum client version 10.8470) and macOS (minimum client version 101.240902).
+* Isolation exclusion is available on Windows 11, Windows 10 version 1703 or later, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and macOS.
 * Isolation exclusion must be enabled. Enabling isolation exclusion requires Security Admin or Manage Security settings permissions or above. To enable isolation exclusion, sign in to the [Microsoft Defender portal](https://security.microsoft.com) and go to **Settings** > **Endpoints** > **Advanced features** and enable **Isolation Exclusion Rules** feature.
 
    :::image type="content" source="./media/isolation-exclusions/enable-exclusions.png" alt-text="Screenshot showing how to enable isolation exclusions." lightbox="./media/isolation-exclusions/enable-exclusions.png":::

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 06/06/2025
+ms.date: 06/30/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,19 +43,20 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
-### June-2025 Build: 101.25042.0002 | Release version: 30.125042.0002.0
+### June-2025 Build: 101.25042.0003 | Release version: 30.125042.0003.0
 
-|Build:             |**101.25042.0002**    |
+|Build:             |**101.25042.0003**    |
 |-------------------|----------------------|
-|Released:          |**June 4, 2025**      |
-|Published:         |**June 4, 2025**      |
-|Release version:   |**30.125042.0002.0**  |
+|Released:          |**June 30, 2025**      |
+|Published:         |**June 30, 2025**      |
+|Release version:   |**30.125042.0003.0**  |
 |Engine version:    |**1.1.25020.4000**    |
 |Signature version: |**1.427.370.0**       |
 
 What's new
-
-- Removed external dependency of uuid-runtime from MDE package
+- The Defender for Endpoint package rollout into production happens gradually. From the time the release notes are published, it might take up to a week for the package to be pushed to all production machines.
+- Removed external dependency of uuid-runtime from the Defender for Endpoint package
+- Other stability improvements and bug fixes
 
 ### May-2025 Build: 101.25032.0010 | Release version: 30.125032.0010.0
 

defender-endpoint/mac-preferences.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/21/2025
+ms.date: 07/01/2025
 ---
 
 # Set preferences for Microsoft Defender for Endpoint on macOS
@@ -995,6 +995,8 @@ The following templates contain entries for all settings described in this docum
                 <dict>
                     <key>enforcementLevel</key>
                     <string>real_time</string>
+                    <key>behaviorMonitoring</key>
+                    <string>enabled</string>
                     <key>scanAfterDefinitionUpdate</key>
                     <true/>
                     <key>scanArchives</key>

defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md

@@ -81,7 +81,7 @@ Each source has typical scenarios that depend on how your network is configured,
 |---|---|
 |Windows Server Update Service|You're using Windows Server Update Service to manage updates for your network.|
 |Microsoft Update|You want your endpoints to connect directly to Microsoft Update. This option is useful for endpoints that irregularly connect to your enterprise network, or if you don't use Windows Server Update Service to manage your updates.|
-|File share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments.|
+|UNC Share|You have devices that aren't connected to the Internet (such as virtual machines, or VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares are used in virtual desktop infrastructure (VDI) environments. Platform updates can also be deployed using this method. |
 |Microsoft Endpoint Configuration Manager|You're using Microsoft Endpoint Configuration Manager to update your endpoints.|
 |Security intelligence updates and platform updates for Microsoft Defender Antivirus and other Microsoft anti-malware (formerly referred to as MMPC)|[Make sure devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence and platform updates are delivered through Windows Update. As of October 21, 2019, security intelligence updates and platform updates are SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should be used only as a final fallback source, and not the primary source. It's only to be used if updates can't be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](manage-outdated-endpoints-microsoft-defender-antivirus.md#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
 
@@ -274,6 +274,32 @@ On a Windows File Server set up a network file share (UNC/mapped drive) to downl
     > [!NOTE]
     > Do not add the x64 (or x86) folder in the path. The `mpcmdrun.exe` process adds it automatically.
 
+## Enable platform updates using UNC share
+
+To enable platform updates using UNC share, download KB4052623 and copy it into the architecture folders as `updateplatform.exe`. These files are updated monthly and need to get manually updated by you.
+
+KB4052623 is available for the following architectures:
+
+* [x86](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x86)
+
+* [amd64](https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x64)
+
+* [arm64](https://go.microsoft.com/fwlink/?LinkID=851034&clcid=0x409&arch=arm64) 
+
+**Example structure**
+
+```dos
+[UNC Share]\ 
+    x86\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+    x64\ 
+       mpam-fe.exe 
+       mpam-d.exe 
+       updateplatform.exe 
+```
+
 ## Related articles
 
 - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

defender-endpoint/mde-linux-prerequisites.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 04/08/2025
+ms.date: 06/30/2025
 ---
 
 # Prerequisites for Microsoft Defender for Endpoint on Linux
@@ -117,8 +117,7 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 > The workstation and desktop versions of these distributions are unsupported
 > Distributions and versions that aren't explicitly listed are unsupported (even if they're derived from the officially supported distributions).
 > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
-> Currently, Rocky and Alma distributions aren't supported in Microsoft Defender Vulnerability Management. However, Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions.
-> The minimal requirement for the kernel version is `3.10.0-327` or later.
+> Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions. The minimal requirement for the kernel version is `3.10.0-327` or later.
 
 > [!WARNING]
 > Running Defender for Endpoint on Linux with other fanotify-based security solutions isn't supported. It can lead to unpredictable results, including hanging the operating system.
@@ -186,12 +185,14 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
 > - The mdatp RPM package requires `audit`, `semanage`.
 > - For DEBIAN, the mdatp package requires `auditd`.
 > - For Mariner, the mdatp package requires `audit`.
-> For version older than `101.25032.0000`:
-> - RPM package needs: `mde-netfilter`, `pcre`
-> - DEBIAN package needs: `mde-netfilter`, `libpcre3`
-> - The `mde-netfilter` package also has the following package dependencies:
-    - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`
-    - For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
+> 
+> For versions older than `101.25032.0000`, the following requirements apply:
+> - RPM package needs: `mde-netfilter` and `pcre`
+> - DEBIAN package needs: `mde-netfilter` and `libpcre3`
+> 
+> The `mde-netfilter` package also has the following package dependencies:
+> - For DEBIAN, the `mde-netfilter` package requires `libnetfilter-queue1` and `libglib2.0-0`
+> - For RPM, the `mde-netfilter` package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
 
 ## Installation instructions 
 
@@ -226,5 +227,5 @@ If you experience any installation issues, self-troubleshooting resources are av
 - [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](linux-support-events.md)
 - [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)
 
- > [!TIP]
-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)
+> [!TIP]
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/category/microsoft-defender-for-endpoint/discussions/microsoftdefenderatp)

defender-endpoint/mde-plugin-wsl.md

@@ -15,16 +15,15 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 11/11/2024
+ms.date: 07/01/2025
 search.appverid: MET150
 ---
 
 # Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)
 
 **Applies to:**
 
-- Microsoft Defender for Endpoint for servers
-- Microsoft Defender for Servers Plan 1 or Plan 2
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
 ## Overview
 
@@ -134,7 +133,7 @@ If your host machine contains multiple proxy settings, the plug-in selects the p
 
 3. Network & Internet proxy settings.
 
-For example, if your host machine has both `Winhttp proxy` and `Network & Internet proxy`, the plug-in selects `Winhttp proxy` as the proxy configuration.
+   For example, if your host machine has both `Winhttp proxy` and `Network & Internet proxy`, the plug-in selects `Winhttp proxy` as the proxy configuration.
 
 > [!NOTE]
 > The `DefenderProxyServer` registry key is no longer supported. Follow the steps described earlier in this article to configure proxy in plug-in.
@@ -294,7 +293,7 @@ Check the following things:
 - If your machine has a proxy setup, run the command `healthCheck --extendedProxy`. This will provide information on which proxy(s) is set on your machine and whether these configurations are invalid for WSL defender.
 
    ![Extend HealthCheck Proxy doc](media/mde-plugin-wsl/extend-healthcheck-proxy-doc.png)
-            
+  
 - If the steps mentioned above do not fix the problem, include the following configuration settings in the `.wslconfig` located in your `%UserProfile%` and restart WSL. Details about settings can be found in [WSL Settings](/windows/wsl/wsl-config#main-wsl-settings).
 
    **In Windows 11**