Merge branch 'main' into WI480943-near-real-time-updates-entra-id-risk-level

Author: DeCohen

ATPDocs/media/okta-integration/remove-inactive-service-accounts.png

@@ -0,0 +1,46 @@
+---
+title: 'Security Assessment: Remove Inactive Service Account (Preview)'
+description: Learn how to identify and address inactive Active Directory service accounts to mitigate security risks and improve your organization's security posture.
+ms.date: 08/17/2025
+ms.topic: how-to
+#customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
+---
+
+# Security Assessment: Remove Inactive Service Accounts (Preview)
+
+This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+
+## Why do inactive service accounts pose a risk?
+
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+
+This exposure creates several risks:
+
+- Unauthorized access to sensitive applications and data.
+
+- Lateral movement across the network without detection.
+
+
+## How do I use this security assessment to improve my organizational security posture? 
+
+To use this security assessment effectively, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
+1. Review the list of exposed entities to discover which of your service account is inactive.
+
+    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+
+1. Take appropriate actions on those entities by removing the service account. For example:
+
+    - **Disable the account:** Prevent any usage by disabling the account identified as exposed.
+
+    - **Monitor for impact:** Wait several weeks and monitor for operational issues, such as service disruptions or errors.
+
+    - **Delete the account:** If no issues are observed, delete the account and fully remove its access.
+
+> [!NOTE]
+> Assessments are updated in near real time, and scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of your implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/remove-inactive-service-account.md

@@ -249,10 +249,12 @@ items:
            href: security-assessment-clear-text.md
          - name: LAPS usage assessment
            href: security-assessment-laps.md
-         - name: Riskiest lateral movement paths
-           href: security-assessment-riskiest-lmp.md
          - name: Remove discoverable passwords in Active Directory account attributes
            href: remove-discoverable-passwords-active-directory-account-attributes.md
+         - name: Remove inactive service accounts
+           href: remove-inactive-service-account.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
          - name: Unsecure Kerberos delegation assessment
            href: security-assessment-unconstrained-kerberos.md
          - name: Unsecure SID History attributes

ATPDocs/toc.yml

@@ -34,6 +34,12 @@ Previously, Defender for Identity tenants received Entra ID risk level in the Id
 For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
 
 
+### New security assessment: Remove inactive service accounts (Preview)
+
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts.
+
+For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
+
 ### New Graph based API for response actions (preview) 
 
 We’re excited to announce a new Graph-based API for initiating and managing remediation actions in Microsoft Defender for Identity.

ATPDocs/whats-new.md

@@ -16,7 +16,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 08/18/2025
 ---
 
 # Advanced hunting API
@@ -105,13 +105,11 @@ POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
 ```
 
 ```json
+
 {
-    "Query":"DeviceProcessEvents
-|where InitiatingProcessFileName =~ 'powershell.exe'
-|where ProcessCommandLine contains 'appdata'
-|project Timestamp, FileName, InitiatingProcessFileName, DeviceId
-|limit 2"
+    "Query":"DeviceProcessEvents |where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata'|project Timestamp, FileName, InitiatingProcessFileName, DeviceId|limit 2"
 }
+
 ```
 
 ### Response example

defender-endpoint/api/run-advanced-query-api.md

@@ -78,6 +78,9 @@ This section describes the additional steps required for deploying Defender for
 
 In the [manual deployment steps](linux-install-manually.md#manual-deployment-steps), you need to complete an additional preinstallation setup to enable custom location installation. Follow the steps below as part of the [preinstall setup for custom location installation](linux-install-manually.md#preinstall-setup-for-custom-location-installation).
 
+> [!IMPORTANT]
+> It's strongly recommended to choose a new, dedicated (empty) directory for the custom install path. During uninstall/cleanup, the process attempts to recursively remove that directory and all its contents - therefore, it's important not to use a shared or existing directory that contains other data you might need to retain.
+
 1. **Set your custom path variable**:
 
     > [!NOTE]
@@ -191,4 +194,4 @@ lrwxrwxrwx 1 root root ... /opt/microsoft/mdatp -> /var/tmp/TestInstall/microsof
    - [Deployment guidance for Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)
    - [Deploy Defender for Endpoint on Linux manually](linux-install-manually.md)
 
-[!INCLUDE [Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/linux-custom-location-installation.md

@@ -1,8 +1,8 @@
 ---
 title: AMSI demonstrations with Microsoft Defender for Endpoint
 description: Demonstration of AMSI detection by Microsoft Defender for Endpoint
-author: emmwalshh
-ms.author: ewalsh
+author: paulinbar
+ms.author: painbar
 ms.reviewer: yongrhee
 ms.localizationpriority: medium
 ms.service: defender-endpoint
@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 ms.topic: how-to
-ms.date: 10/16/2024
+ms.date: 08/19/2025
 search.appverid: met150
 ms.custom: 
 - partner-contribution
@@ -49,8 +49,11 @@ In this demonstration article, you have two engine choices to test AMSI:
 
 1. Save the following PowerShell script as `AMSI_PoSh_script.ps1`:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-powershell-save-script.png" alt-text="Screenshot showing PowerShell script to save as AMSI_PoSh_script.ps1" lightbox="media/mde-demonstrations-amsi/test-amsi-powershell-save-script.png":::
-
+   ```powershell
+   $testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
+   Invoke-Expression $testString
+   ```
+   
 2. On your device, open PowerShell as an administrator.
 
 3. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
@@ -64,17 +67,22 @@ In this demonstration article, you have two engine choices to test AMSI:
 
 1. Save the following VBScript as `AMSI_vbscript.vbs`:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-save-script.png" alt-text="Screenshot showing VBScript to save as AMSI_vbscript.vbs" lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-save-script.png":::
-
+   ```vbscript
+   REM Save this sample AMSI vbscript as AMSI_vbscript.vbs
+   Dim result
+   result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386")
+   WScript.Echo result
+   ```
+   
 2. On your Windows Device, open Command Prompt as an administrator.
 
-2. Type `wscript AMSI_vbscript.js`, and then press **Enter**.
+1. Type `wscript AMSI_vbscript.vbs`, and then press **Enter**.
 
    The result should be as follows:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
+      :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
+
 
-   
 ### Verifying the test results
 
 In your protection history, you should be able to see the following information:

defender-endpoint/mde-demonstration-amsi.md

@@ -6,7 +6,7 @@ ms.author: deniseb
 author: denisebmsft
 ms.reviewer: ericlaw
 ms.localizationpriority: medium
-ms.date: 06/27/2025
+ms.date: 08/18/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -53,7 +53,7 @@ Ensure you meet the requirements described in the following table:
 |:---|:---|
 | Subscription | Your subscription must include one of the following plans:<br/>- [Windows 10/11 Enterprise E5](/windows/deployment/deploy-enterprise-licenses)<br/>- [Microsoft 365 E5](https://www.microsoft.com/microsoft-365/enterprise/e5?activetab=pivot%3aoverviewtab)<br/>- Microsoft 365 A5<br/>- Microsoft 365 E5 Security<br/>- [Microsoft 365 E3](https://www.microsoft.com/microsoft-365/enterprise/e3?activetab=pivot%3aoverviewtab)<br/>- [Microsoft Defender for Endpoint Plan 1 or Plan 2](/defender-xdr/eval-defender-endpoint-overview)<br/>- [Microsoft Defender for Business](/defender-business/mdb-overview)<br/>- [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium)|
 | Portal access | You must have access to the [Microsoft Defender portal](https://security.microsoft.com). |
-| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](microsoft-defender-antivirus-updates.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later <br/>- For macOS availability, see [Network Protection for macOS](network-protection-macos.md)<br/>- For Linux availability, see [Network Protection for Linux](network-protection-linux.md)|
+| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](microsoft-defender-antivirus-updates.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later <br/>- Windows Server 2019 or later <br/>- For macOS availability, see [Network Protection for macOS](network-protection-macos.md)<br/>- For Linux availability, see [Network Protection for Linux](network-protection-linux.md)|
 | Browser | Your devices must be running one of the following browsers: <br/>- Microsoft Edge<br/>- Google Chrome<br/>- Mozilla Firefox<br/>- Brave<br/>- Opera<br/>- Internet Explorer|
 |Related protection | [Windows Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) and [network protection](network-protection.md) must be enabled on your organization's devices. |
 

defender-endpoint/web-content-filtering.md

@@ -1,5 +1,5 @@
 ---
-title: Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams
+title: Microsoft Defender for Office 365 support for Microsoft Teams
 f1.keywords: 
   - NOCSH
 author: chrisda
@@ -14,14 +14,15 @@ search.appverid:
 ms.collection: 
   - m365-security
   - tier1
-description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365 Plan 2.
+description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 07/28/2025
+ms.date: 08/18/2025
 appliesto:
-  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
 ---
 
-# Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams
+# Microsoft Defender for Office 365 support for Microsoft Teams
 
 [!include[Prerelease information](../includes/prerelease.md)]