Merge branch 'main' into US562360_multicloud

Author: DebLanger

.openpublishing.redirection.defender-for-cloud.json

@@ -574,6 +574,11 @@
       "source_path_from_root": "/articles/defender-for-cloud/monitor-connected-aws-resources.md",
       "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-aws#validate-connector-health",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md",
+      "redirect_url": "/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management",
+      "redirect_document_id": false
     }
   ]
 }

articles/confidential-ledger/data-organization.md

@@ -103,6 +103,18 @@ for entry in list_result:
     print(f"Contents: {entry['contents']}")
 ```
 
+## Sample Scenarios
+
+The following scenarios can help you decide when to use collection IDs versus Tags.
+
+| Scenario | Recommended approach | Why |
+|--|--|--|
+| You write general records and mostly read by transaction ID or latest entry. | Use the default collection ID (`subledger-0`). | This approach keeps data organization simple and avoids managing many collection IDs. |
+| You need strict logical separation of data sets, such as tenant-specific or workload-specific isolation. | Use dedicated collection IDs for each logical group. | Group-level collection IDs make it easier to isolate and list records by boundary. |
+| You need query-oriented lookups at a finer granularity, including per-entry categorization. | Prefer tags within a shared collection before creating a unique collection ID per entry. | You can achieve similar query outcomes without creating and managing a unique collection ID for every entry. |
+
+If your main goal is query flexibility, start with tags and add more collection IDs only when clear isolation boundaries are required.
+
 
 ## Next steps
 

articles/confidential-ledger/overview.md

@@ -82,6 +82,21 @@ Confidential ledger nodes are deployed across Azure availability zones to provid
 
 Data is automatically replicated to Azure regional pairs for disaster recovery. For information about data residency considerations, see [Data residency for Azure confidential ledger](data-residency.md).
 
+### Limitations
+
+| Resource | Limit |
+|--|--|
+| Number of ledgers per subscription | 2 standard SKU ledgers |
+| Number of collection IDs per ledger | 50,000 |
+| Create entry | 1800 requests per second, 1800 transactions per second |
+| Get current entry | 3600 requests per second |
+| Get entry | 2500 requests per second |
+| Get receipt | 2400 requests per second |
+| List entries | 3300 requests per second |
+
+> [!NOTE]
+> To request higher limits or discuss limitations, reach out to the Azure Confidential Ledger team.
+
 ## Constraints
 
 - After a confidential ledger instance is created, you can't change the ledger type (private or public).

articles/dedicated-hsm/tutorial-deploy-hsm-cli.md

@@ -104,7 +104,7 @@ After you configure your network, use these Azure CLI commands to provision your
 1. To see a current HSM, run the [az dedicated-hsm show](/cli/azure/dedicated-hsm#az-dedicated-hsm-show) command:
 
    ```azurecli
-   az dedicated-hsm show --resource group myRG --name hsm1
+   az dedicated-hsm show --resource-group myRG --name hsm1
    ```
 
 1. Provision the second HSM by using this command:

articles/defender-for-cloud/defender-for-storage-configure-malware-scan.md

@@ -62,7 +62,7 @@ If you haven't enabled soft delete for blobs on the storage account, Defender fo
 
 - If you turn on Versioning for Blobs on your storage account, see [Manage and restore soft delete for blobs](/azure/storage/blobs/soft-delete-blob-manage) to learn how to restore a soft deleted blob.
 
-- For the *Soft Delete Malicious Blobs* feature to work on a Storage Account with Versioning turned on, you also need to enable the use of blob index tags for storing scan results. Ensure the parameter *Store scan results as blob index tags* is checked.
+- Blobs that are detected as malicious and soft deleted will always be marked with index tags. If you have selected to not store scan results in index tags, these tags will be removed upon restoring of the soft deleted blob.
 
 - The retention period defaults to seven days if you turn on the soft delete malicious blobs feature, but you can change it (range: 1–365 days). You can change the default retention period in your storage account settings.
 

articles/defender-for-cloud/defender-sensor-change-log.md

@@ -17,11 +17,25 @@ To see the version of the sensor run:
 
 `kubectl get -n kube-system daemonsets/microsoft-defender-collector-ds -o jsonpath='{.metadata.labels.app\.kubernetes\.io/version}'`
 
+
+## Defender for Containers – Sensor Support Policy
+
+The support policy here applies to all Helm-based and multicloud installations. For scenarios where the sensor is deployed as part of AKS, please refer to: [Supported Kubernetes versions in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn](/azure/aks/supported-kubernetes-versions?tabs=azure-cli)
+
+|Version|Preview Date|GA Date|End of support|
+| -------- | -------- | -------- | -------- |
+|0.8| |Feb 2025|Feb 2027|
+|0.9|July 2025|Apr 2026|Apr 2027|
+|0.10|Feb 2026|Apr 2026|Apr 2027|
+|0.11|Apr 2026|Jul  2026|Jul 2027|
+
+Each stable (GA) version is supported for 12 months from its GA release date. After the 12-month window ends, the version is no longer supported. Customers should upgrade to the latest stable or Public release to maintain support and access new capabilities.
+
 ## Sensor versions available per release
 
 ### Sensor v0.10 (deployed by Helm or Arc for K8s in Preview mode)
 
-**Sensor v0.10.28 — Preview**
+**Sensor v0.10.3 — Preview**
 
 - **Released:** March 2026
 
@@ -195,18 +209,7 @@ To see the version of the sensor run:
   - Better memory efficiency and reduced CPU consumption  
   - Bug fixes and security enhancements  
 
-## Defender for Containers – Sensor Support Policy
-
-The support policy here applies to all Helm-based and multicloud installations. For scenarios where the sensor is deployed as part of AKS, please refer to: [Supported Kubernetes versions in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn](/azure/aks/supported-kubernetes-versions?tabs=azure-cli)
-
-|Version|Preview Date|GA Date|End of support|
-| -------- | -------- | -------- | -------- |
-|0.8| |Feb 2025|Feb 2027|
-|0.9|July 2025|Apr 2026|Apr 2027|
-|0.10|Feb 2026|Apr 2026|Apr 2027|
-|0.11|Apr 2026|Jul  2026|Jul 2027|
 
-Each stable (GA) version is supported for 12 months from its GA release date. After the 12-month window ends, the version is no longer supported. Customers should upgrade to the latest stable or Public release to maintain support and access new capabilities.
 
 
 

articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md

@@ -4,7 +4,7 @@ description: Learn how to enable File Integrity Monitoring when you collect data
 author: Elazark
 ms.author: elkrieger
 ms.topic: how-to
-ms.date: 06/25/2025
+ms.date: 03/22/2026
 ms.custom: sfi-image-nochange
 #customer intent: As a security administrator, I want to enable File Integrity Monitoring so that I can detect unauthorized changes to critical files.
 ---
@@ -18,9 +18,9 @@ After you enable Defender for Servers Plan 2, follow the instructions in this ar
 > [!NOTE]
 >
 > - If you use a previous version of File Integrity Monitoring with the Log Analytics agent (Microsoft Monitoring agent (MMA)) or the Azure Monitor agent (AMA), you can [migrate to the new File Integrity Monitoring experience](migrate-file-integrity-monitoring.md).
-> - From June 2025 onwards, File Integrity Monitoring powered by Microsoft Defender for Endpoint requires a minimum version. [Update the agent](#verify-defender-for-endpoint-client-version) as needed.
->   - Windows: 10.8760 or later.
->   - Linux: 30.124082 or later.
+> - File Integrity Monitoring powered by Microsoft Defender for Endpoint requires a minimum agent version. [Update the agent](#verify-defender-for-endpoint-client-version) as needed.
+>   - **Windows (legacy machines/downlevel clients)**: Defender for Servers Windows client (MDE agent) version 10.8799 or later.
+>   - **Linux**: 30.124082 or later.
 
 ## Prerequisites