
Commit afe0fe4

Merge pull request #5659 from MicrosoftDocs/main
[AutoPublish] main to live - 11/18 10:37 PST | 11/19 00:07 IST
2 parents 1e0ee3e + 250511a commit afe0fe4

8 files changed: +33 -7 lines changed

defender-endpoint/TOC.yml

Lines changed: 5 additions & 1 deletion
@@ -1072,7 +1072,11 @@
10721072
- name: Contain devices from the network
10731073
href: respond-machine-alerts.md#contain-devices-from-the-network
10741074
- name: Contain user from the network
1075-
href: respond-machine-alerts.md#contain-user-from-the-network
1075+
href: respond-machine-alerts.md#contain-user-from-the-network
1076+
- name: Automatically apply GPO hardening (predictive shielding)
1077+
href: respond-machine-alerts.md#gpo-hardening
1078+
- name: Automatically apply Safeboot hardening (predictive shielding)
1079+
href: respond-machine-alerts.md#safeboot-hardening
10761080
- name: Consult a threat expert
10771081
href: respond-machine-alerts.md#consult-a-threat-expert
10781082
- name: Check activity details in Action center
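Review bot: line 1075 (`href: respond-machine-alerts.md#contain-user-from-the-network`) is deleted and re-added with identical visible text, which usually means an indentation or trailing-whitespace change; confirm the new indentation keeps the two added nodes ("Automatically apply GPO hardening (predictive shielding)", "Automatically apply Safeboot hardening (predictive shielding)") at the same TOC level as "Contain user from the network" rather than nesting them under it. The new anchors `#gpo-hardening` and `#safeboot-hardening` do match the headings added to respond-machine-alerts.md in this same commit.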

defender-endpoint/respond-machine-alerts.md

Lines changed: 17 additions & 0 deletions
@@ -361,6 +361,7 @@ When an identity in your network might be compromised, you must prevent that ide
361361

362362
### Contain user important notes
363363

364+
- When the contain user action is triggered by [predictive shielding](/defender-xdr/shield-predict-threats) (Preview), the contain user action applies restrictions more selectively, with a focus on users identified as high risk through prediction logic. The contain user action in predictive shielding prevents new sessions rather than terminating existing ones.
364365
- Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
365366
- **Important**: Once a **Contain user** action is enforced on a domain controller, it starts a GPO update on the Default Domain Controller policy. A change of a GPO starts a sync across the domain controllers in your environment. This is expected behavior, and if you monitor your environment for AD GPO changes, you may be notified of such changes. Undoing the **Contain user** action reverts the GPO changes to their previous state, which will then start another AD GPO synchronization in your environment. Learn more about [merging of security policies on domain controllers](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj966251(v=ws.11)#merging-of-security-policies-on-domain-controllers).
366367

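Review bot: the new bullet says the predictive-shielding variant of contain user "prevents new sessions rather than terminating existing ones" but does not say whether the Important note two bullets below (a contain user action on a domain controller starts a GPO update on the Default Domain Controller policy and a domain-wide sync) also applies to this variant; teams that alert on AD GPO changes need to know either way. Suggest one sentence stating whether the predictive-shielding path triggers the same GPO change, plus an explicit caveat that sessions the user already holds stay active until they end on their own, since that is the operational gap a responder has to cover manually. "Users identified as high risk through prediction logic" would also benefit from a link to the part of shield-predict-threats that explains what feeds that risk determination.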
@@ -400,6 +401,22 @@ In addition, you can expand the investigation by using advanced hunting. Look fo
400401

401402
:::image type="content" source="/defender/media/defender-endpoint/user-contain-advanced-hunting.png" alt-text="Shows advanced hunting for user contain events" lightbox="/defender/media/defender-endpoint/user-contain-advanced-hunting.png":::
402403

404+
## GPO hardening
405+
406+
As part of the [predictive shielding](/defender-xdr/shield-predict-threats) (Preview) feature, Defender for Endpoint automatically applies the GPO hardening action. Group Policy Object (GPO) hardening temporarily stops new GPO policies from being applied to devices identified as high risk. This action helps prevent potential compromise by limiting changes to critical configurations.
407+
408+
To enrich predictive shielding actions, we recommend you use the Microsoft Defender for Identity sensor in your environment. For more information, see [Enrich predictive shielding with Microsoft Defender for Identity](/defender-xdr/shield-predict-threats-manage#enrich-predictive-shielding-data).
409+
410+
After the action is applied, you can view the action impact in the incident graph, track the actions in the Action center, and investigate further using advanced hunting. For more information, see [Manage predictive shielding actions](/defender-xdr/shield-predict-threats-manage).
411+
412+
## Safeboot hardening
413+
414+
As part of the [predictive shielding](/defender-xdr/shield-predict-threats) (Preview) feature, Defender for Endpoint automatically applies the Safeboot hardening action. Safeboot hardening helps protect devices from being compromised by enforcing stricter boot settings on devices that are predicted to be at high risk of compromise.
415+
416+
To enrich predictive shielding actions, we recommend you use the Microsoft Defender for Identity sensor in your environment. For more information, see [Enrich predictive shielding with Microsoft Defender for Identity](/defender-xdr/shield-predict-threats-manage#enrich-predictive-shielding-data).
417+
418+
After the action is applied, you can view the action impact in the incident graph, track the actions in the Action center, and investigate further using advanced hunting. For more information, see [Manage predictive shielding actions](/defender-xdr/shield-predict-threats-manage).
419+
403420
## Consult a threat expert
404421

405422
You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender XDR for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
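Review bot: the GPO hardening description here ("temporarily stops new GPO policies from being applied to devices identified as high risk") contradicts the description in defender-xdr/shield-predict-threats.md in this same commit ("hardens Group Policy Objects (GPOs) to prevent attackers from exploiting misconfigurations or weaknesses in GPO settings"); one says policy application is paused on the device, the other that the GPOs themselves are changed. Pick one mechanism and use the same wording on both pages. Both new sections also leave out what an operator needs: how long "temporarily" lasts, how the action is undone from the Action center, and for Safeboot hardening what "stricter boot settings" changes on the device and whether an administrator can still boot into Safe Mode for recovery. Finally, the "To enrich predictive shielding actions..." and "After the action is applied..." paragraphs are duplicated verbatim under both headings; a single shared paragraph above the two sections (or an include) avoids the two copies drifting apart.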

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

Lines changed: 1 addition & 0 deletions
@@ -33,6 +33,7 @@ Learn more:
3333

3434
|Feature |Preview/GA |Description |
3535
|---------|------------|-------------|
36+
|New predictive shielding response actions. |Preview |Defender for Endpoint now includes the [GPO hardening](respond-machine-alerts.md#gpo-hardening) and [Safeboot hardening](respond-machine-alerts.md#safeboot-hardening) response actions. These actions are part of the [predictive shielding](/defender-xdr/shield-predict-threats) feature, which anticipates and mitigates potential threats before they materialize.|
3637
|[Custom data collection](custom-data-collection.md) |Preview |Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. |
3738

3839
## October 2025
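Review bot: the new row's description ("anticipates and mitigates potential threats before they materialize") describes the goal of predictive shielding rather than what the two listed actions do; consider stating the concrete effect (blocks application of new GPO policies / enforces stricter boot settings on high-risk devices) as the linked sections do. The row also omits the prerequisite that shield-predict-threats.md states at line 94 ("To use these actions, you need a Defender for Endpoint license"); a short "requires a Defender for Endpoint license" clause in the Description column would save readers a click.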

defender-for-identity/deploy/configure-windows-event-collection.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ To turn on automatic windows auditing:
2020
1. In the **General** section, select **Advanced features**.
2121
1. Turn on **Automatic Windows auditing configuration**.​
2222

23-
If you do not select automatic Windows event auditing, you must manually configure Windows event collection on your domain controller.
23+
If you do not select automatic Windows auditing configuration, you must manually configure Windows event auditing in the Defender portal or using PowerShell.
2424

2525
## Configure Windows event auditing with the Defender for Identity sensor v2.x
2626

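Review bot: the rewritten line 23 tells the reader to "manually configure Windows event auditing in the Defender portal or using PowerShell" but gives no link, while the very next heading ("Configure Windows event auditing with the Defender for Identity sensor v2.x") appears to be that procedure; link the sentence to it. Two small things in the unchanged context of this hunk: line 22 ("Turn on **Automatic Windows auditing configuration**.") ends with an invisible zero-width space after the period, which will survive into the rendered HTML and is worth removing while the file is open, and the hunk header line 20 has lowercase "windows" in "automatic windows auditing".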
defender-xdr/advanced-hunting-query-results.md

Lines changed: 2 additions & 2 deletions
@@ -36,7 +36,7 @@ While you can construct your [advanced hunting](advanced-hunting-overview.md) qu
3636
- [Export tables and charts](#export-tables-and-charts)
3737
- [Drill down to detailed entity information](#drill-down-from-query-results)
3838
- [Tweak your queries directly from the results](#tweak-your-queries-from-the-results)
39-
- [View timeline of events](#automatic-timeline-rendering-preview)
39+
- [View timeline of events](#automatic-timeline-rendering)
4040

4141
## View query results as a table or chart
4242

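Review bot: the anchor change from `#automatic-timeline-rendering-preview` to `#automatic-timeline-rendering` matches the heading rename in the second hunk, but any other article, include, or external bookmark that still links to the old anchor will now land at the top of the page; search the repo for the old anchor before merging.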
@@ -195,7 +195,7 @@ You can do the same for your saved functions, queries, and custom detections in
195195
> [!NOTE]
196196
> Some tables in this article might not be available at Microsoft Defender for Endpoint. [Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
197197
198-
## Automatic timeline rendering (preview)
198+
## Automatic timeline rendering
199199

200200
By default, a timeline appears above the advanced hunting results that displays event counts over time. The timeline is automatically rendered based on the `Timestamp` or `timeGenerated` column in the query results. It automatically updates when you apply filters and can help you quickly identify abnormal behavior and trends and focus on interesting results.
201201

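Review bot: dropping "(preview)" from the heading without touching the body is fine, but context line 200 says the timeline keys on the `Timestamp` or `timeGenerated` column; the Microsoft Sentinel column is spelled `TimeGenerated` (capital T), so the lowercase form looks like a typo worth fixing in the same commit. Since the feature is now presented as generally available, also confirm no other preview wording for automatic timeline rendering remains in this article.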
defender-xdr/security-copilot-agents-defender.md

Lines changed: 5 additions & 1 deletion
@@ -62,7 +62,11 @@ To discover and deploy agents in the Microsoft Defender portal:
6262

6363
You can manage centralized purchases for partner-published agents through public offers, or through private offers, as described in [How to Purchase SaaS Solutions (Private Offers)](/security/store/how-to-purchase-saas-solutions-private-offers).
6464

65-
1. After purchasing the agent, select **Security Copilot > Security Store**, find your agent in the **Ready for setup** section, and then select **Set up** to begin agent setup.
65+
1. After purchasing the agent, select **Security Copilot > Agents**, find your agent in the **Ready for setup** section, and then select **Set up** to begin agent setup.
66+
67+
For more information on setting up, managing, and running partner-published agents, see [Manage Security Copilot agents](/copilot/security/agents-manage#set-up-for-partner-built-agents).
68+
69+
For more information on Microsoft Security Copilot agents, see [Microsoft Security Copilot agents in Microsoft Defender](#microsoft-security-copilot-agents-in-microsoft-defender).
6670

6771
After setup, the agent appears in the **Agents in use** section.
6872

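Review bot: the step now reads "Security Copilot > Agents" instead of "Security Copilot > Security Store", but the sentence above it (line 63) still describes purchasing through public or private offers without saying where in the portal that happens; if the store moved out of this navigation path, the purchase step needs its own location. The two added "For more information" sentences (lines 67 and 69) sit between numbered step 1 and the "After setup, the agent appears in the **Agents in use** section" step; if they belong to step 1 they need the list indentation, otherwise they interrupt the procedure and read better after line 71.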
defender-xdr/shield-predict-threats.md

Lines changed: 2 additions & 2 deletions
@@ -93,9 +93,9 @@ This dynamic understanding allows Defender XDR to move beyond reactive responses
9393

9494
Predictive shielding uses Defender for Endpoint-based actions. To use these actions, you need a Defender for Endpoint license.
9595

96-
- Safeboot hardening - hardens the device against booting into Safe Mode. Booting into Safe Mode is a common tactic used by attackers to bypass security controls and maintain persistence on compromised systems.
96+
- [Safeboot hardening](/defender-endpoint/respond-machine-alerts#safeboot-hardening) - hardens the device against booting into Safe Mode. Booting into Safe Mode is a common tactic used by attackers to bypass security controls and maintain persistence on compromised systems.
9797

98-
- GPO hardening - hardens Group Policy Objects (GPOs) to prevent attackers from exploiting misconfigurations or weaknesses in GPO settings to escalate privileges or move laterally within the network.
98+
- [GPO hardening](/defender-endpoint/respond-machine-alerts#gpo-hardening) - hardens Group Policy Objects (GPOs) to prevent attackers from exploiting misconfigurations or weaknesses in GPO settings to escalate privileges or move laterally within the network.
9999

100100
- [Proactive user containment (contain user)](/defender-endpoint/respond-machine-alerts#contain-user-from-the-network) - infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity. Proactively restricts the activity of the users associated with those credentials.
101101

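Review bot: the GPO hardening bullet describes hardening the GPOs themselves ("hardens Group Policy Objects (GPOs) to prevent attackers from exploiting misconfigurations or weaknesses in GPO settings"), while the section it now links to in defender-endpoint/respond-machine-alerts.md describes temporarily stopping new GPO policies from being applied to high-risk devices; with the cross-link in place the contradiction is one click away, so align the wording on both pages. The Safeboot bullet is consistent with its target section. Minor: the action name is "Safeboot hardening" while the explanation says "Safe Mode"; that is fine as long as "Safeboot" is used consistently wherever the action itself is named.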