Merge branch 'main' into release-note-fix

Author: DeCohen

ATPDocs/deploy/activate-capabilities.md

@@ -12,7 +12,7 @@ Microsoft Defender for Endpoint customers, who have already onboarded their doma
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](https://learn.microsoft.com/defender-for-identity/deploy/quick-installation-guide)
 
 ## Prerequisites
 
@@ -29,10 +29,8 @@ Make sure that the domain controller where you're planning to activate Defender
 
 Direct Defender for Identity capabilities are supported on domain controllers only, using the one of the following operating systems:
 
-- Windows Server 2019
-- Windows Server 2022
-
-You must also have the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) installed.
+- Windows Server 2019 or above
+- [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later
 
 > [!IMPORTANT]
 >After installing the March 2024 Cumulative Update, LSASS might experience a memory leak on domain controllers when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.

ATPDocs/deploy/configure-windows-event-collection.md

@@ -328,7 +328,7 @@ To configure auditing on Microsoft Entra Connect servers:
 <a name="enable-auditing-on-an-exchange-object"></a>
 
 >[!NOTE]
-> The configuration container audit is requried only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
+> The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
 
 **Related health issue:** [Auditing on the Configuration container is not enabled as required](../health-alerts.md#auditing-on-the-configuration-container-is-not-enabled-as-required)
 
@@ -340,6 +340,8 @@ To configure auditing on Microsoft Entra Connect servers:
 
 1. Expand the **Configuration** container to show the **Configuration** node, which begins with **"CN=Configuration,DC=..."**.
 
+    :::image type="content" source="../media/cn-configuration.png" alt-text="Screenshot of selections for opening properties for the CN Configuration node.":::
+
 1. Right-click the **Configuration** node and select **Properties**.
 
     ![Screenshot of selections for opening properties for the Configuration node.](../media/configuration-properties.png)

ATPDocs/deploy/event-collection-overview.md

@@ -50,7 +50,7 @@ The following event is required for Microsoft Entra Connect servers:
 
 - 4624: An account was successfully logged on
 
-For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-for-entra-connect).
+For more information, see [Configure auditing on Microsoft Entra Connect](../configure-windows-event-collection.md#configure-auditing-on-microsoft-entra-connect).
 
 ### Other required Windows events
 

ATPDocs/deploy/install-sensor.md

@@ -7,7 +7,10 @@ ms.topic: how-to
 
 # Install a Microsoft Defender for Identity sensor
 
-This article describes how to install a Microsoft Defender for Identity sensor, including a standalone sensor. The default recommendation is to use the UI. However:
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
+
+This article describes how to install a Microsoft Defender for Identity classic sensor, including a standalone sensor. The default recommendation is to use the UI. However:
 
 - When you're installing the sensor on Windows Server Core, or to deploy the sensor via a software deployment system, follow the steps for [silent installation](#perform-a-defender-for-identity-silent-installation) instead.
 
@@ -29,9 +32,9 @@ Before you start, make sure that you have:
 
 - Trusted root certificates on your machine. If your trusted root CA-signed certificates are missing, [you might receive a connection error](../troubleshooting-known-issues.md#proxy-authentication-problem-presents-as-a-connection-error).
 
-## Install the sensor by using the UI
+## Install the classic sensor by using the UI
 
-Perform the following steps on the domain controller, Active Directory Federation Services (AD FS) server, or Active Directory Certificate Services (AD CS) server.
+Perform the following steps on the domain controller, Active Directory Federation Services (AD FS) server, Active Directory Certificate Services (AD CS) server or Entra Connect server.
 
 1. Verify that the machine has connectivity to the relevant [Defender for Identity cloud service endpoints](configure-proxy.md#enable-access-to-defender-for-identity-service-urls-in-the-proxy-server).
 

ATPDocs/deploy/prerequisites.md

@@ -121,7 +121,7 @@ This article lists prerequisites required for a basic installation. Additional p
 
 For more information, see:
 
-- [Deploying Microsoft Defender for Identity on AD FS and AD CS servers](active-directory-federation-services.md)
+- [Deploying Microsoft Defender for Identity on AD FS, AD CS and Entra Connect servers](active-directory-federation-services.md)
 - [Microsoft Defender for Identity multi-forest support](multi-forest.md)
 - [Microsoft Defender for Identity standalone sensor prerequisites](prerequisites-standalone.md)
 - [Defender for Identity architecture](../architecture.md)

ATPDocs/deploy/quick-installation-guide.md

@@ -67,16 +67,19 @@ During installation, if .NET Framework 4.7 or later isn't installed, the .NET Fr
 
 When installing your sensors, consider scheduling a maintenance window for your domain controllers.
 
-## Install Defender for Identity
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
+
+## Install Defender for Identity classic sensor
 
 
 This procedure describes how to install the Defender for Identity sensor on a Windows server version 2016 or higher. Make sure that your server has the [minimum system requirements](#minimum-system-requirements).
 
 > [!NOTE]
-> Defender for Identity sensors should be installed on all domain controllers, including read-only domain controllers (RODC). If you're installing on an AD FS / AD CS farm or cluster, we recommend installing the sensor on each AD FS / AD CS server.
+> Defender for Identity sensors should be installed on all domain controllers, including read-only domain controllers (RODC). If you're installing on an AD FS / AD CS / Entra Connect farm or cluster, we recommend installing the sensor on each AD FS / AD CS / Entra Connect server.
 >
 
-**To download and install the sensor**:
+**To download and install the classic sensor**:
 
 1. Download the Defender for Identity sensor from the [Microsoft Defender portal](https://security.microsoft.com).
 1. Browse to **System** > **Settings** > **Identities** > **Sensors** > **Add sensor**

ATPDocs/deploy/remote-calls-sam.md

@@ -34,12 +34,16 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
 
 **To configure required permissions**:
 
-1. Locate the policy. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
+1. Create a new group policy or use an existing one. 
+1. In your **Computer configuration > Windows settings > Security settings > Local policies > Security options**, select the **Network access - Restrict clients allowed to make remote calls to SAM** policy. For example:
 
     :::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
 
 1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
 
+   :::image type="content" source="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png" alt-text="Screenshot of the Network access policy settings." lightbox="../media/restrict-clients-allowed-to-make-remote-calls-to-sam.png":::
+
+
    For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
 
 ## Make sure the DSA is allowed to access computers from the network (optional)
@@ -60,6 +64,8 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
     >
     > The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
 
+     :::image type="content" source="../media/define-security-policy-setting.png" alt-text="Screenshot of Security Policy Settings." lightbox="../media/define-security-policy-setting.png":::
+
 ## Configure a Device profile for Microsoft Entra hybrid joined devices only
 
 This procedure describes how to use the [Microsoft Intune admin center](https://intune.microsoft.com/) to configure the policies in a Device profile if you're working with Microsoft Entra hybrid joined devices.