Merge branch 'main' into fix-staging-issue

Author: padmagit77

defender-endpoint/configure-endpoints-gp.md

@@ -36,7 +36,7 @@ Check out [Identify Defender for Endpoint architecture and deployment method](de
 
 1. Open the GP configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
 
    1. Select the operating system.
 
@@ -179,7 +179,7 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 
 1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management** > **Offboarding**.
 
    1. Select the operating system.
 

defender-endpoint/configure-endpoints-vdi.md

@@ -94,6 +94,7 @@ The following steps guide you through onboarding VDI devices and highlight steps
    > [!NOTE]
    > When using the 'Single entry for each device' onboarding method for non-persistent VDI environments, ensure that the Onboard-NonPersistentMachine.ps1 script is executed only after the virtual machine has received its final hostname and completed its final reboot.<br>
    > For example, if your VDI provisioning process includes multiple reboots or configuration stages after the VM is cloned from a master image, delay the script execution until the last reboot is complete and final machine name is assigned.<br> Running the script too early may result in duplicate device entries or inconsistent onboarding to Microsoft Defender for Endpoint.
+   > The script `Onboard-NonPersistentMachine.ps1` is not signed, and administrators will need to use an approved method to run this in a restricted environment if PowerShell's execution policy is restricted. Example "-ExecutionPolicy Bypass". 
 
 5. Test your solution by following these steps:
 

defender-endpoint/linux-install-with-defender-deployment-tool.md

@@ -225,7 +225,7 @@ To preview new features and provide early feedback, it's recommended that you co
 1. Install Microsoft Defender for Endpoint on Linux using the production channel.
 
    ```bash
-   sudo ./defender_deployment_tool.sh --install --channel prod
+   sudo ./defender_deployment_tool.sh --channel prod
    ```
 
 ## Related content

defender-endpoint/onboarding.md

@@ -37,7 +37,7 @@ If you're onboarding devices in the Microsoft Defender portal, follow these step
 
 1. Make sure to review the [Minimum requirements for Defender for Endpoint](minimum-requirements.md).
 
-2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
+2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
 
    :::image type="content" source="media/mde-device-onboarding-ui.png" alt-text="Screenshot showing device onboarding in the Microsoft Defender portal for Defender for Endpoint.":::
 

defender-endpoint/preferences-setup.md

@@ -23,7 +23,7 @@ appliesto:
 # Configure general Defender for Endpoint settings
 
 
-Use the **Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+Use the **System > Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
 
 ## In this section
 

defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md

@@ -26,7 +26,7 @@ This article provides information about new features and important product updat
 ## November 2025
 
 - (Preview) The **Vulnerability Management** section in the Microsoft Defender portal is now located under **Exposure management**. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. [Learn more](#microsoft-defender-vulnerability-management-and-microsoft-security-exposure-management-integration).
-- (Preview) **Microsoft Secure Score now includes new recommendations** to help organizations proactively prevent common endpoint attack techniques.
+- (GA) **Microsoft Secure Score now includes new recommendations** to help organizations proactively prevent common endpoint attack techniques.
     - **Require LDAP client signing** and **Require LDAP server signing** - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit.
     - **Encrypt LDAP client traffic** - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP.
     - **Enforce LDAP channel binding** - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay.

defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/28/2025
+ms.date: 11/27/2025
 ---
 
 # DeviceTvmSecureConfigurationAssessment
@@ -48,8 +48,8 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
 | `ConfigurationSubcategory` | `string` | Subcategory or subgrouping to which the configuration belongs. In many cases,  string describes specific capabilities or features. |
 | `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | `boolean` | Indicates whether the configuration or policy is properly configured <br /> * A value of 1 is Compliant<br /> * A value of 0 is Not Compliant|
-| `IsApplicable` | `boolean` | Indicates whether the configuration or policy applies to the device <br /> * A value of 1 is Applicable<br /> * A value of 0 is Not Applicable |
+| `IsCompliant` | `boolean` | Indicates whether the configuration or policy is properly configured <br /> * A value of True is Compliant<br /> * A value of False is Not Compliant|
+| `IsApplicable` | `boolean` | Indicates whether the configuration or policy applies to the device <br /> * A value of True is Applicable<br /> * A value of False is Not Applicable |
 | `Context` | `dynamic` | Additional contextual information about the configuration or policy |
 | `IsExpectedUserImpact` | `boolean` | Indicates whether there will be user impact if the configuration or policy is applied |
 

defender-xdr/advanced-hunting-schema-changes.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 11/04/2025
+ms.date: 11/27/2025
 ---
 
 # Advanced hunting schema - Naming changes
@@ -38,10 +38,12 @@ Naming changes are automatically applied to queries that are saved in Microsoft
 - Queries that are saved elsewhere outside Microsoft Defender XDR
 
 ## November 2025
+- The Boolean field values in advanced hunting results will change from numeric (`1` and `0`) to textual (`True` and `False`) on January 25, 2026. While your queries and custom detection rules won't be affected by this change, you might want to update your automated processes (for example, scripts, playbooks, or integrations) parsing these values.
 
-The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and  [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
 
-The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
+- The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and  [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
+
+    The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
 
 ## September 2025
 
@@ -60,7 +62,7 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
 
 ## February 2021
 
-1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
+- In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
 
     | Table name | Original column name | New column name | Reason for change
     |--|--|--|--|
@@ -70,11 +72,11 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
     | `EmailEvents` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
 
 
-2. In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
+- In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
 
-3. In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
+- In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
 
-4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
+- In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
 
     | Table name | Original ActionType name | New ActionType name | Reason for change
     |--|--|--|--|

defender-xdr/preview.md

@@ -64,6 +64,6 @@ If you already have preview features turned on and you're a Microsoft Defender f
 
 :::image type="content" source="media/preview-features-settings.png" alt-text="Screenshot of the preview features settings.":::
 
-If you don't yet have preview features turned on, manage Defender for Business and Defender for Endpoint preview features from the **Settings > Endpoints > Advanced features > Preview features** page, and Defender for Cloud Apps preview features from the **Settings > Cloud Apps > General > Preview features** page.
+If you don't yet have preview features turned on, manage Defender for Business and Defender for Endpoint preview features from the **System > Settings > Endpoints > Advanced features > Preview features** page, and Defender for Cloud Apps preview features from the **Settings > Cloud Apps > General > Preview features** page.
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

exposure-management/exposure-insights-overview.md

@@ -113,16 +113,15 @@ Security Exposure Management ingests security recommendations from multiple sour
 - Every action taken on a security recommendation helps to reduce exposure and risk, improve security posture, and directly influence its related security initiatives and metrics
 - Use the new filtering capabilities to focus on specific domains (Cloud, Devices, etc.) or issue types (misconfigurations, vulnerabilities, etc.)
 
-### Secure Score integration
+### Secure score integration
 
-[Microsoft Secure Score](/defender-xdr/microsoft-secure-score) helps organizations to plan and improve overall security posture using the secure score as a tracking metric. With the integration of Defender for Cloud in the Defender portal, Security Exposure Management now presents both traditional Secure Score and new Cloud secure scores side-by-side for comprehensive posture management.
+Secure score helps organizations to plan and improve overall security posture using the secure score as a tracking metric. With the integration of Defender for Cloud in the Defender portal, Security Exposure Management now presents both traditional **Microsoft Secure Score** and new **Cloud Secure Score** side-by-side for comprehensive posture management.
 
-#### Unified Secure Score experience
+#### Unified secure score experience
 
-- **Traditional Secure Score**: Covers Microsoft 365 assets and remains as in Microsoft Defender Vulnerability Management (MDVM)
-- **Cloud Security Score**: A new score (sometimes called "Cloud Security Initiative") for Azure, AWS, and GCP resources, providing cloud-specific posture metrics
+- **[Microsoft Secure Score](/defender-xdr/microsoft-secure-score)**: A score that covers device, identities, SaaS apps, and data, providing an overall organizational posture metric
+- **[Cloud Secure Score](/azure/defender-for-cloud/secure-score-security-controls?pivots=defender-portal)**: A score for Azure, AWS, and GCP resources, providing cloud-specific posture metric
 - **Side-by-side visibility**: Both scores are now accessible within MSEM, giving a combined view of organizational posture across different domains
-- **Integrated recommendations**: Secure Score recommendations are integrated into the unified Recommendations Catalog alongside cloud and other security recommendations
 
 #### How Security Exposure Management uses Secure Score