Merge branch 'main' into patch-2

Author: chrisda

.openpublishing.redirection.defender-endpoint.json

@@ -20,11 +20,6 @@
       "redirect_url": "/defender-endpoint/evaluate-mdav-using-gp",
       "redirect_document_id": false
     },
-    {
-      "source_path": "defender-endpoint/linux-install-with-activator.md",
-      "redirect_url": "/defender-endpoint/linux-custom-location-installation",
-      "redirect_document_id": false
-    },
     {
       "source_path": "defender-endpoint/preview.md",
       "redirect_url": "/defender-xdr/preview",
@@ -155,6 +150,11 @@
       "redirect_url": "/defender-endpoint/onboard-server",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-endpoint/linux-install-with-activator.md",
+      "redirect_url": "/defender-endpoint/linux-install-with-defender-deployment-tool",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-endpoint/mde-linux-arm.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",

defender-endpoint/TOC.yml

@@ -135,6 +135,8 @@
               href: streamlined-device-connectivity-urls-gov.md                       
         - name: Onboard client devices
           items:
+          - name: Onboard Windows devices using the Defender deployment tool
+            href: defender-deployment-tool-windows.md
           - name: Onboard client devices running Windows or macOS
             href: onboard-client.md
           - name: Defender for Endpoint plug-in for WSL
@@ -174,6 +176,7 @@
             href: mde-linux-deployment-on-sap.md
           - name: Use custom detection rules to protect SAPXPG
             href: mde-sap-custom-detection-rules.md
+
         - name: Defender for Endpoint on macOS
           items:
           - name: Deploy Defender for Endpoint on macOS
@@ -267,6 +270,8 @@
               items:
               - name: Enabling deployment to a custom location
                 href: linux-custom-location-installation.md
+              - name: Deployment tool based deployment
+                href: linux-install-with-defender-deployment-tool.md
               - name: Installer script based deployment
                 href: linux-installer-script.md
               - name: Ansible based deployment
@@ -625,6 +630,12 @@
         href: exclude-devices.md
       - name: Identifying transient devices
         href: transient-device-tagging.md
+      - name: Collect custom device data
+        items:
+        - name: Overview
+          href: custom-data-collection.md
+        - name: Create custom data collection rules
+          href: create-custom-data-collection-rules.md
       - name: Internet facing devices
         href: internet-facing-devices.md
       - name: Device timeline
@@ -1062,6 +1073,10 @@
             href: respond-machine-alerts.md#contain-devices-from-the-network
           - name: Contain user from the network
             href: respond-machine-alerts.md#contain-user-from-the-network
+          - name: Automatically apply GPO hardening (predictive shielding)
+            href: respond-machine-alerts.md#gpo-hardening
+          - name: Automatically apply Safeboot hardening (predictive shielding)
+            href: respond-machine-alerts.md#safeboot-hardening                     
           - name: Consult a threat expert
             href: respond-machine-alerts.md#consult-a-threat-expert
           - name: Check activity details in Action center
@@ -1098,10 +1113,7 @@
           href: live-response-command-examples.md
 
       - name: Use sensitivity labels to prioritize incident response
-        href: information-protection-investigation.md
-
-    - name: Advanced hunting
-      href: /defender-xdr/advanced-hunting-overview?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+        href: information-protection-investigation.md    
 
     - name: Threat analytics
       items:

defender-endpoint/android-whatsnew.md

@@ -35,9 +35,9 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 **What's New**
 
-- Performance improvement and accessibility bug fixes
+- Native Root Detection for Microsoft Defender is now in preview. See the [Blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/native-root-detection-support-for-microsoft-defender-on-android/4461576) for more details.
 
-#### November 2025
+- Performance improvement and bug fixes.
 
 | Build| 1.0.8303.0101|
 | -------- | -------- |
@@ -51,6 +51,8 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 - Additional telemetry features to improve app performance monitoring and detect specific scenarios, such as entering landscape mode or invalid authentication attempts.
 
+- Fixed the bug where feedback sending wasn’t disabled in Defender app despite 'Control Feedback Sending' key being disabled (set as 0) in Intune app configuration.
+
 #### October 2025
 
 | Build| 1.0.8217.0101 |
@@ -324,10 +326,11 @@ Notify your users and help desk (as applicable) that end users must accept the n
 1. Tap the toggle for **Allow access to manage all files**.
 
    The device is now protected.
-
+   
    > [!NOTE]
+   > 
    > This permission allows Microsoft Defender for Endpoint to access storage on user's device, which helps detect and remove malicious and unwanted apps. Microsoft Defender for Endpoint accesses/scans Android app package file (.apk) only. On devices with a Work Profile, Defender for Endpoint only scans work-related files.
-
+   
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
 
 ## See also

defender-endpoint/configure-endpoints-gp.md

@@ -2,8 +2,8 @@
 title: Onboard Windows Servers to Microsoft Defender for Endpoint via Group Policy
 description: Use Group Policy to deploy the configuration package on Windows devices so that they're onboarded to the service.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -12,7 +12,7 @@ ms.collection:
 - tier1
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 10/13/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 search.appverid: met150
 appliesto:
@@ -23,6 +23,8 @@ appliesto:
 
 # Onboard Windows devices using Group Policy 
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Prerequisites
 
 - To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.

defender-endpoint/configure-endpoints-mdm.md

@@ -2,8 +2,8 @@
 title: Onboard Windows devices to Defender for Endpoint using Intune 
 description: Use Microsoft Intune to deploy the configuration package on devices so that they're onboarded to the Defender for Endpoint service.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -14,14 +14,15 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 10/31/2024
+ms.date: 11/17/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # Onboard Windows devices to Defender for Endpoint using Intune 
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
 
 You can use mobile device management (MDM) solutions to configure Windows 10 devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices.
 

defender-endpoint/configure-endpoints-sccm.md

@@ -12,14 +12,13 @@ ms.collection:
 - tier1
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 10/27/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 search.appverid: met150
 ---
 
 # Onboard Windows devices using Configuration Manager
 
-
 You can use Configuration Manager to onboard endpoints to the Microsoft Defender for Endpoint service. 
 
 There are several options you can use to onboard devices using Configuration Manager:
@@ -32,6 +31,7 @@ There are several options you can use to onboard devices using Configuration Man
 
 You can create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager reattempts to onboard the device until the rule detects the status change. For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
 
 ## Prerequisites
 

defender-endpoint/configure-endpoints-script.md

@@ -3,8 +3,8 @@ title: Onboard Windows Servers using a local script
 description: Use a local script to deploy the configuration package on devices to enable onboarding of the devices to the service.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: pahuijbr
 ms.localizationpriority: medium
 manager: bagol
@@ -15,22 +15,23 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
-ms.date: 04/16/2025
+ms.date: 11/17/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # Onboard Windows devices using a local script
 
-
 You can also manually onboard individual devices to Defender for Endpoint. You might want to onboard some devices when you're testing the service before you commit to onboarding all devices in your network.
 
 > [!IMPORTANT]
 > The script described in this article is recommended for manually onboarding devices to Defender for Endpoint. It should only be used on a limited number of devices. If you're deploying to a production environment, see [other deployment options](onboard-client.md), such as Intune, Group Policy, or Configuration Manager.
 
 Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Onboard devices
 
 1. Open the configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):

defender-endpoint/configure-endpoints-vdi.md

@@ -3,8 +3,8 @@ title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
 description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they're onboarded to Microsoft Defender for Endpoint service.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.reviewer: pahuijbr; yonghree
 ms.localizationpriority: medium
 manager: bagol
@@ -14,18 +14,15 @@ ms.collection:
 - tier2
 ms.custom: admindeeplinkDEFENDER
 ms.topic: install-set-up-deploy
-ms.date: 03/11/2025
+ms.date: 11/17/2025
 ms.subservice: onboard
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
 
 ---
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
-
-
-
 
+# Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
 
 Virtual desktop infrastructure (VDI) is an IT infrastructure concept that lets end users access enterprise virtual desktops instances from almost any device (such as your personal computer, smartphone, or tablet), eliminating the need for organization to provide users with physical machines. Using VDI devices reduces costs, as IT departments are no longer responsible for managing, repairing, and replacing physical endpoints. Authorized users can access the same company servers, files, apps, and services from any approved device through a secure desktop client or browser. 
 
@@ -34,6 +31,8 @@ Like any other system in an IT environment, VDI devices should have an endpoint
 > [!NOTE]
 > **Persistent VDI's** - Onboarding a persistent VDI machine into Microsoft Defender for Endpoint is handled the same way you would onboard a physical machine, such as a desktop or laptop. Group policy, Microsoft Configuration Manager, and other methods can be used to onboard a persistent machine. In the Microsoft Defender portal, (https://security.microsoft.com) under onboarding, select your preferred onboarding method, and follow the instructions for that type. For more information, see [Onboarding Windows client](onboard-client.md).
 
+[!INCLUDE [Microsoft Defender deployment tool preview](./includes/defender-deployment-tool-preview.md)]
+
 ## Onboarding non-persistent virtual desktop infrastructure (VDI) devices
 
 Defender for Endpoint supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDI instances. The following are typical challenges for this scenario: