Commit 9bd4170

Merge branch 'WI538961-ai-model-security' of https://github.com/ElazarK/azure-security-docs-pr; branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into WI538961-ai-model-security
2 parents 861e458 + 3e21b21 commit 9bd4170

21 files changed

Lines changed: 741 additions & 59 deletions

articles/defender-for-cloud/file-integrity-monitoring-enable-defender-endpoint.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how to enable File Integrity Monitoring when you collect data
44
author: Elazark
55
ms.author: elkrieger
66
ms.topic: how-to
7-
ms.date: 06/25/2025
7+
ms.date: 03/22/2026
88
ms.custom: sfi-image-nochange
99
#customer intent: As a security administrator, I want to enable File Integrity Monitoring so that I can detect unauthorized changes to critical files.
1010
---
@@ -18,9 +18,9 @@ After you enable Defender for Servers Plan 2, follow the instructions in this ar
1818
> [!NOTE]
1919
>
2020
> - If you use a previous version of File Integrity Monitoring with the Log Analytics agent (Microsoft Monitoring agent (MMA)) or the Azure Monitor agent (AMA), you can [migrate to the new File Integrity Monitoring experience](migrate-file-integrity-monitoring.md).
21-
> - From June 2025 onwards, File Integrity Monitoring powered by Microsoft Defender for Endpoint requires a minimum version. [Update the agent](#verify-defender-for-endpoint-client-version) as needed.
22-
> - Windows: 10.8760 or later.
23-
> - Linux: 30.124082 or later.
21+
> - File Integrity Monitoring powered by Microsoft Defender for Endpoint requires a minimum agent version. [Update the agent](#verify-defender-for-endpoint-client-version) as needed.
22+
> - **Windows (legacy machines/downlevel clients)**: Defender for Servers Windows client (MDE agent) version 10.8799 or later.
23+
> - **Linux**: 30.124082 or later.
2424
2525
## Prerequisites
2626
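Review bot: the new Windows bullet (`> - **Windows (legacy machines/downlevel clients)**: ... 10.8799 or later.`) states a minimum only for legacy/downlevel clients, so the note no longer gives any minimum for current Windows machines, which the replaced line covered with `Windows: 10.8760 or later`. Either add a bullet for current Windows clients or say explicitly that only downlevel clients carry a minimum. Dropping "From June 2025 onwards" also removes the date readers used to judge whether they are affected; if the requirement is now unconditional, say so in the body text.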

articles/defender-for-cloud/file-integrity-monitoring-overview.md

Lines changed: 13 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn about tracking file change with file integrity monitoring in
44
author: Elazark
55
ms.author: elkrieger
66
ms.topic: concept-article
7-
ms.date: 08/12/2025
7+
ms.date: 03/22/2026
88
---
99

1010
# File integrity monitoring
@@ -34,9 +34,19 @@ File integrity monitoring uses the Microsoft Defender for Endpoint agent and age
3434
- Collected file integrity monitoring data is part of the [500-MB benefit included in Defender for Servers Plan 2](data-ingestion-benefit.md).
3535
- File integrity monitoring gives information about file and resource changes. It includes the source of the change, account details, indication of who made the changes, and information about the initiating process.
3636

37-
### Migrate to the new version
37+
## Version requirements
3838

39-
File integrity monitoring previously used the Log Analytics agent (also known as the Microsoft Monitoring agent (MMA)) or the Azure Monitor agent (AMA) to collect data. If you're using file integrity monitoring with one of these legacy methods, you can [migrate file integrity monitoring](migrate-file-integrity-monitoring.md) to use Defender for Endpoint.
39+
To ensure proper file integrity monitoring functionality, machines must run the **Defender for Servers Windows client (Microsoft Defender for Endpoint agent) version 10.8799 or above**. This requirement is especially important for:
40+
41+
- Legacy Windows machines (downlevel clients)
42+
- Environments transitioning from MMA or AMA-based FIM
43+
44+
> [!IMPORTANT]
45+
> Due to a pipeline change in Microsoft Defender for Endpoint, users with existing FIM deployments on legacy Windows machines must update their MDE agent to version 10.8799 or above to continue receiving file integrity monitoring data.
46+
47+
### Migrate legacy AMA/MMA clients to MDE-based file integrity monitoring
48+
49+
If you're currently using file integrity monitoring with legacy agent-based methods (Log Analytics agent/Microsoft Monitoring Agent (MMA) or Azure Monitor Agent (AMA)), you need to migrate to the MDE-based (Microsoft Defender for Endpoint) approach. This migration ensures continued functionality and access to enhanced capabilities. Learn how to [migrate file integrity monitoring](migrate-file-integrity-monitoring.md) from legacy AMA/MMA clients to the MDE-based solution.
4050

4151
## Configure file integrity monitoring
4252
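Review bot: the `> [!IMPORTANT]` callout restates the paragraph two lines above it (same version, same audience); fold them together and keep the one concrete consequence, that machines below 10.8799 stop receiving file integrity monitoring data, in the body text. The new "Version requirements" section gives only the Windows minimum, while the enable article changed in this same commit also lists a Linux minimum of 30.124082; add the Linux line here or link to that note so the two pages do not drift. Minor: "or above" here versus "or later" in the enable article; pick one.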

articles/defender-for-cloud/regional-availability.md

Lines changed: 2 additions & 2 deletions
@@ -40,10 +40,10 @@ Austria East, Belgium Central, Chile Central, China East 2, China North, China N
4040
### Defender for Storage (Malware Scanning)
4141

4242
**Supported regions:**
43-
Asia East, Asia Northeast, Australia Central 2, Australia East, Australia Southeast, Brazil South, Brazil Southeast, Canada Central, Canada East, Central US, East US, East US 2, East US 2 (EU Access Program), France Central, France South, Germany North, Germany West Central, India Central, India South, Israel Central*****, Italy North, Japan East, Japan West, Korea Central, Korea South, Mexico Central*****, New Zealand North, North Central US, North Europe, Norway East, Norway West, Poland Central*****, Spain Central*****, South Africa North, South Africa West, South Central US, South East US, Sweden Central, Sweden South******, Switzerland North, Switzerland West, UAE North, UK South, UK West, US Gov East, US Gov South Central, US Gov Southwest, West Central US, West Europe, West US, West US 2, West US 3
43+
Asia East, Asia Southeast, Asia Northeast, Australia Central 2, Australia East, Australia Southeast, Brazil South, Brazil Southeast, Canada Central, Canada East, Central US, East US, East US 2, East US 2 (EU Access Program), France Central, France South, Germany North, Germany West Central, India Central, India South, Israel Central*****, Italy North, Japan East, Japan West, Korea Central, Korea South, Mexico Central*****, New Zealand North, North Central US, North Europe, Norway East, Norway West, Poland Central*****, Spain Central*****, South Africa North, South Africa West, South Central US, South East US, Sweden Central, Sweden South******, Switzerland North, Switzerland West, UAE North, UK South, UK West, US Gov East, US Gov South Central, US Gov Southwest, West Central US, West Europe, West US, West US 2, West US 3
4444

4545
**Unsupported regions:**
46-
Asia Southeast, Austria East, Belgium Central, Central US (EU Access Program), Chile Central, China East, China East 2, China East 3, China North, China North 2, China North 3, EU SSLV, India West, Indonesia Central, Israel North West, Jio India Central, Jio India West, Malaysia South, Qatar, South East US 3, South US 2, Taiwan North, Taiwan North West, UAE Central, US DoD Central, US DoD East
46+
Austria East, Belgium Central, Central US (EU Access Program), Chile Central, China East, China East 2, China East 3, China North, China North 2, China North 3, EU SSLV, India West, Indonesia Central, Israel North West, Jio India Central, Jio India West, Malaysia South, Qatar, South East US 3, South US 2, Taiwan North, Taiwan North West, UAE Central, US DoD Central, US DoD East
4747

4848
****** Supported via API management only.
4949
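Review bot: Asia Southeast is inserted between Asia East and Asia Northeast, breaking the alphabetical order the rest of the supported list follows; place it after Asia Northeast. Since the entry moves from unsupported to supported with no `*****` or `******` footnote marker, unlike several neighbouring entries, it is worth confirming in the PR description that full support (not API-management-only support) is intended.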

articles/defender-for-cloud/release-notes.md

Lines changed: 16 additions & 1 deletion
@@ -51,13 +51,28 @@ Learn more about [AI model security](ai-model-security.md).
5151

5252
| Date | Category | Update |
5353
| -------- | -------- | -------- |
54+
| March 22, 2026| Update | [File Integrity Monitoring requires MDE agent version 10.8799+ for legacy Windows machines](#file-integrity-monitoring-requires-mde-agent-version-108799-for-legacy-windows-machines) |
5455
| March 12, 2026 | GA | [Kubernetes gated deployment support for AKS Automatic (GA)](#kubernetes-gated-deployment-support-for-aks-automatic-ga) |
5556
| March 11, 2026 | GA| [Severity‑based risk assignment for "Not evaluated" recommendations](#severitybased-risk-assignment-for-not-evaluated-recommendations) |
5657
| March 10, 2026| Preview |[Code to runtime enrichment for recommendations](#code-to-runtime-enrichment-for-recommendations-preview)|
5758
| March 10, 2026 | Preview | [On-demand malware scanning of Azure Files in Microsoft Defender for Storage](#on-demand-malware-scanning-of-azure-files-in-microsoft-defender-for-storage-preview) |
5859
| March 04, 2026 | Deprecation | [Deprecation of preview of container and container images vulnerability recommendations](#deprecation-of-preview-of-container-and-container-images-vulnerability-recommendations) |
5960
| March 04, 2026 | Preview |[New individual recommendations format in Azure portal (Preview)](#new-individual-recommendations-format-in-azure-portal-preview)|
6061

62+
### File Integrity Monitoring requires MDE agent version 10.8799+ for legacy Windows machines
63+
64+
March 22, 2026
65+
66+
Due to a pipeline change in Microsoft Defender for Endpoint (MDE), File Integrity Monitoring now requires the **Defender for Servers Windows client (Microsoft Defender for Endpoint agent) version 10.8799 or above** for proper functionality on legacy Windows machines (downlevel clients).
67+
68+
**Key details:**
69+
70+
- **Affected systems**: Legacy Windows machines (Windows Server 2016, Windows Server 2012 R2, and other downlevel clients)
71+
- **Required version**: Defender for Servers Windows client (MDE agent) 10.8799 or later
72+
- **Impact**: FIM monitoring will not function properly on versions below the minimum requirement
73+
74+
Learn more about [File Integrity Monitoring](file-integrity-monitoring-overview.md) and how to [enable File Integrity Monitoring](file-integrity-monitoring-enable-defender-endpoint.md).
75+
6176
### Kubernetes gated deployment support for AKS Automatic (GA)
6277

6378
March 12, 2026
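Review bot: the `- **Impact**: FIM monitoring will not function properly` bullet is vaguer than the overview article in this same commit, which says machines below 10.8799 stop receiving file integrity monitoring data; state that concrete effect here, and drop the redundant "monitoring" after "FIM". The `- **Affected systems**` bullet names Windows Server 2016 and Windows Server 2012 R2 explicitly, but neither the overview nor the enable article does; align them so readers checking the FIM pages find the same scope. Style: the new table row `| March 22, 2026| Update |` is missing the space before the pipe that most rows use.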
@@ -206,7 +221,7 @@ Learn more about [reviewing security recommendations](review-security-recommenda
206221

207222
| Date | Category | Update |
208223
| -------- | -------- | -------- |
209-
| February 22, 2026 | Preview | [Container runtime anti-malware detection and blocking (Preview)](#container-runtime-anti-malware-detection-and-blocking-preview) |
224+
| February 22, 2026 | Preview | [Container runtime anti-malware detection and blocking (Preview)](#container-runtime-anti-malware-detection-and-blocking-preview)
210225
| February 22, 2026 | Update - Preview | [Binary drift now supports blocking (Preview)](#binary-drift-now-supports-blocking-preview) |
211226
| February 10, 2026| Preview | [Database-level recommendations experience for SQL Vulnerability Assessment findings (Preview)](#database-level-recommendations-experience-for-sql-vulnerability-assessment-preview) |
212227
| February 10, 2026| GA | [Scanning support for Minimus and Photon OS container images](#scanning-support-for-minimus-and-photon-os-container-images) |

articles/key-vault/includes/key-management-policy-grammar.md

Lines changed: 2 additions & 2 deletions
@@ -257,7 +257,7 @@ The encoding is as follows:
257257
An Environment Assertion is a signed assertion, in JSON Web Token form, from a trusted authority. An Environment Asserting contains at least a key encryption key and one or more claims about the target environment (for example, TEE type, publisher, version) that are matched against the Key Release Policy. The key encryption key is a public RSA key owned and protected by the target execution environment that is used for key export. It must appear in the TEE keys claim (x-ms-runtime/keys). This claim is a JSON object representing a JSON Web Key Set. Within the JWKS, one of the keys must meet the requirements for use as an encryption key (key_use is "enc", or key_ops contains "encrypt"). The first suitable key is chosen.
258258

259259
## Key Vault and Managed HSM Attestation Token Requirements
260-
Azure Key Vault Premium and Managed HSM Secure Key Release were designed alongside [Microsoft Azure Attestation Service](../../attestation/overview.md) but may work with any attestation servers tokens if it conforms to the expected token structure, supports OpenID connect, and has the expected claims. DigiCert is presently the only public CA that Azure Key Vault Premium and Managed HSM trust for attestation token signing certificates.
260+
Azure Key Vault Premium and Managed HSM Secure Key Release were designed alongside [Microsoft Azure Attestation Service](/azure/attestation/overview) but may work with any attestation server's tokens if it conforms to the expected token structure, supports OpenID connect, and has the expected claims. DigiCert is presently the only public CA that Azure Key Vault Premium and Managed HSM trust for attestation token signing certificates.
261261

262262

263263

@@ -279,4 +279,4 @@ The full set of requirements are:
279279

280280
- Marked with **key_use** of encryption or a **key_ops** array containing the Encrypt operation.
281281

282-
For a sample token see [Examples of an Azure Attestation token](../../attestation/attestation-token-examples.md#sample-jwt-generated-for-sev-snp-attestation).
282+
For a sample token see [Examples of an Azure Attestation token](/azure/attestation/attestation-token-examples#sample-jwt-generated-for-sev-snp-attestation).
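Review bot: the link target change is consistent with the previous hunk's move to site-absolute `/azure/attestation/...` paths; while touching the line, add the comma after the introductory phrase: "For a sample token, see ...".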
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
author: msmbaldwin
3+
ms.author: mbaldwin
4+
ms.service: azure-key-vault
5+
ms.subservice: managed-hsm
6+
ms.topic: include
7+
ms.date: 03/13/2026
8+
# Include: Managed HSM cleanup warning
9+
---
10+
11+
> [!WARNING]
12+
> Deleting the resource group puts the Managed HSM into a soft-deleted state. The Managed HSM continues to be billed until it's purged. See [Managed HSM soft-delete and purge protection](/azure/key-vault/managed-hsm/recovery)
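Review bot: the warning sentence ends on the link with no terminal period: `See [Managed HSM soft-delete and purge protection](/azure/key-vault/managed-hsm/recovery)`. Because this include will be dropped into several quickstart cleanup steps, it should also tell the reader what to do to stop the billing (purge the Managed HSM once it is no longer needed) rather than only linking to the recovery article.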
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
---
2+
author: msmbaldwin
3+
ms.author: mbaldwin
4+
ms.service: azure-key-vault
5+
ms.subservice: managed-hsm
6+
ms.topic: include
7+
ms.date: 03/13/2026
8+
# Include: Managed HSM intro description
9+
---
10+
11+
Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using **FIPS 140-3 Level 3** validated HSMs. For more information on Managed HSM, review the [Overview](/azure/key-vault/managed-hsm/overview).
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
---
2+
author: msmbaldwin
3+
ms.author: mbaldwin
4+
ms.service: azure-key-vault
5+
ms.subservice: managed-hsm
6+
ms.topic: include
7+
ms.date: 03/13/2026
8+
# Include: DefaultAzureCredential explanation table
9+
---
10+
11+
`DefaultAzureCredential` automatically selects the appropriate credential based on your environment:
12+
13+
| Environment | Credential used |
14+
|-------------|-----------------|
15+
| Azure VMs, App Service, Functions | System-assigned or user-assigned managed identity |
16+
| Azure Kubernetes Service | Workload identity |
17+
| Local development | Azure CLI, Visual Studio, or VS Code credentials |
18+
| CI/CD pipelines | Workload identity federation or service principal |
19+
20+
The credential checks these sources in order:
21+
1. Environment variables
22+
2. Workload identity
23+
3. Managed identity
24+
4. Azure CLI
25+
5. Azure PowerShell
26+
6. Visual Studio / VS Code credentials
27+
28+
For production workloads in Azure, managed identities are strongly recommended because they eliminate credential management entirely.
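Review bot: the ordered list `1. Environment variables ... 6. Visual Studio / VS Code credentials` presents one fixed chain, but the DefaultAzureCredential order is SDK-specific (for example, the .NET Azure.Identity chain tries Visual Studio before Azure CLI) and this include carries no language indicator; say which SDK the order describes or link to that SDK's DefaultAzureCredential reference. Since environment variables are tried first, a leftover client-secret variable such as `AZURE_CLIENT_SECRET` in a production environment silently takes precedence over the managed identity the closing sentence recommends; a one-line caveat here would save readers a confusing debugging session. The table and the list also disagree on local development: the table omits Azure PowerShell, which the list includes.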
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
---
2+
author: msmbaldwin
3+
ms.author: mbaldwin
4+
ms.service: azure-key-vault
5+
ms.subservice: managed-hsm
6+
ms.topic: include
7+
ms.date: 03/13/2026
8+
# Include: Managed HSM SDK prerequisites
9+
---
10+
11+
- An Azure subscription. [Create one for free](https://azure.microsoft.com/free/).
12+
- A provisioned and activated Managed HSM. See [Quickstart: Provision and activate a managed HSM using Azure CLI](/azure/key-vault/managed-hsm/quick-create-cli).
13+
- A key created in your Managed HSM. See [Manage keys in a Managed HSM](/azure/key-vault/managed-hsm/key-management).
14+
- An Azure resource with a managed identity (such as a VM, App Service, or Azure Function) or Azure CLI for local development.
15+
- The managed identity must have the appropriate Managed HSM local RBAC role assigned. See [Secure access to your managed HSMs](/azure/key-vault/managed-hsm/how-to-secure-access).
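Review bot: the last bullet covers only the managed identity, but the bullet before it allows Azure CLI for local development; in that case the signed-in CLI user needs the Managed HSM local RBAC role instead, which is easy to miss because Managed HSM data-plane permissions are separate from Azure RBAC on the resource. Add "or the signed-in user for local development" to the role bullet.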
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
---
2+
author: msmbaldwin
3+
ms.author: mbaldwin
4+
ms.service: azure-key-vault
5+
ms.subservice: managed-hsm
6+
ms.topic: include
7+
ms.date: 03/13/2026
8+
# Include: Managed HSM role assignment CLI example
9+
---
10+
11+
## Assign Managed HSM roles
12+
13+
For your application to access keys, assign the appropriate Managed HSM local RBAC role to your managed identity:
14+
15+
```azurecli
16+
# Get the principal ID of your managed identity
17+
principalId=$(az vm identity show --name myVM --resource-group myRG --query principalId -o tsv)
18+
19+
# Assign the Crypto User role for key operations
20+
az keyvault role assignment create \
21+
--hsm-name ContosoMHSM \
22+
--role "Managed HSM Crypto User" \
23+
--assignee $principalId \
24+
--scope /keys
25+
```
26+
27+
For more information on roles and permissions, see [Managed HSM local RBAC built-in roles](/azure/key-vault/managed-hsm/built-in-roles).
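Review bot: `--scope /keys` grants the Crypto User role over every key in the HSM, which is broader than a single application usually needs; scope the assignment to the key the app uses (`--scope /keys/<key-name>`) and, if the app only needs encrypt/decrypt or wrap/unwrap, prefer the narrower "Managed HSM Crypto Service Encryption User" role over "Managed HSM Crypto User". The `az vm identity show ... --query principalId` line assumes a system-assigned identity on a VM; for a user-assigned identity or for App Service/Functions, which the prerequisites include lists as options, the principal ID is retrieved differently, so either note that or show the generic path.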
