Commit bb5d5e9

Merge pull request #2521 from ElazarK/WI554034-D4S-deprecation
WI554034 D4S deprecation
2 parents 89e4d76 + 3a03e87 commit bb5d5e9

1 file changed

Lines changed: 2 additions & 1 deletion

articles/defender-for-cloud/release-notes-recommendations-alerts.md

@@ -2,7 +2,7 @@
22
title: New and upcoming changes in recommendations, alerts, and incidents
33
description: Get release notes for new and upcoming changes in recommendations, alerts, and incidents in Microsoft Defender for Cloud.
44
ms.topic: overview
5-
ms.date: 12/11/2025
5+
ms.date: 02/17/2026
66
#customer intent: As a Defender for Cloud admin, I want to stay up to date on the latest new and changed security recommendations and alerts.
77
---
88

@@ -48,6 +48,7 @@ New and updated recommendations, alerts, and incidents are added to the table in
4848

4949
| **Date announced** | **Type** | **State** | **Name** |
5050
| ------------ | -------------- | -------------------- | ------------------------------------------------------------ |
51+
| February 16 2026 | Recommendation | Upcoming deprecation <br> (March 19, 2026) | The preview recommendation `Machines should be configured securely (powered by MDVM)`, which applied to Window machines, is set for deprecation. The recommendation is set to be replaced by the following OS-specific recommendations, which include Linux support using Guest configuration: <br><br> - **Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)** <br><br> - **Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)**.<br><br> These replacement recommendations are already available in Defender for Cloud. <br><br> If you have any governance rules, reports, or workflows that reference the deprecated recommendation, update them to use the replacement recommendations. To ensure the new recommendations can assess your machines, verify that the required prerequisites are in place: <br><br> - **Azure machines** should have the [Azure Machine Configuration extension](/azure/virtual-machines/extensions/guest-configuration) installed. <br> - **Non-Azure machines** should be onboarded via [Azure Arc](/azure/azure-arc/servers/overview), which includes the Machine Configuration extension by default. |
5152
| February 10, 2026 | Recommendation | Preview | The following recommendations are released in Preview:<br>\* Execute permissions on xp_cmdshell from all users (except dbo) should be revoked for SQL Servers<br>\* Latest updates should be installed for SQL Servers<br>\* Database user GUEST should not be a member of any role in SQL databases<br>\* Ad hoc distributed queries should be disabled for SQL Servers<br>\* CLR should be disabled for SQL Servers<br>\* Untracked trusted assemblies should be removed for SQL Servers<br>\* Database ownership chaining should be disabled for all databases except for 'master', 'msdb' and 'tempdb' on SQL Servers<br>\* Principal GUEST should not have access to any user SQL database<br>\* Remote Admin Connections should be disabled unless specifically required for SQL databases<br>\* Default trace should be enabled for SQL Servers<br>\* CHECK_POLICY should be enabled for all SQL logins for SQL Servers<br>\* Password expiration check should be enabled for all SQL logins on SQL Servers<br>\* Database principals should not be mapped to the sa account in SQL databases<br>\* AUTO_CLOSE should be disabled for SQL databases<br>\* BUILTIN\Administrators should be removed as a server login for SQL Servers<br>\* Account with default name 'sa' should be renamed and disabled on SQL Servers<br>\* Excessive permissions should not be granted to PUBLIC role on objects or columns in SQL databases<br>\* 'sa' login should be disabled for SQL Servers<br>\* xp_cmdshell should be disabled for SQL Servers<br>\* Unused service broker endpoints should be removed for SQL Servers<br>\* Database Mail XPs should be disabled when it is not in use on SQL Servers<br>\* Server permissions shouldn't be granted directly to principals for SQL Servers<br>\* Database users shouldn't share the same name as a server login for Model SQL database<br>\* 'Scan for startup stored procedures' option should be disabled for SQL Servers<br>\* Authentication mode should be Windows 
Authentication for SQL Servers<br>\* Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins for SQL Servers<br>\* SQL Server instance shouldn't be advertised by the SQL Server Browser service for SQL Servers<br>\* Maximum number of error logs should be 12 or more for SQL Servers<br>\* Database permissions shouldn't be granted directly to principals for SQL Servers<br>\* Excessive permissions should not be granted to PUBLIC role in SQL databases<br>\* Principal GUEST should not be granted permissions in SQL databases<br>\* Principal GUEST should not be granted permissions on objects or columns in SQL databases<br>\* AES encryption should be required for any Existing Mirroring or SSB endpoint on SQL Databases<br>\* GUEST user should not be granted permissions on SQL database securables<br>\* The Trustworthy bit should be disabled on all databases except MSDB for SQL Databases<br>\* 'dbo' user should not be used for normal service operation in SQL databases<br>\* Only 'dbo' should have access to Model SQL database<br>\* Transparent data encryption should be enabled for SQL databases<br>\* Database communication using TDS should be protected through TLS for SQL Servers<br>\* Database Encryption Symmetric Keys should use AES algorithm in SQL databases<br>\* Cell-Level Encryption keys should use AES algorithm in SQL databases<br>\* Certificate keys should use at least 2048 bits for SQL Databases<br>\* Asymmetric keys' length should be at least 2048 bits in SQL databases<br>\* Filestream should be disabled for SQL Servers<br>\* Server configuration 'Replication XPs' should be disabled for SQL Servers<br>\* Orphaned users should be removed from SQL server databases<br>\* The database owner information in the database should match the respective database owner information in the master database for SQL databases<br>\* Application roles should not be used in SQL databases<br>* There should be no 
SPs marked as auto-start for SQL Servers<br>\* User-defined database roles should not be members of fixed roles in SQL databases<br>\* User CLR assemblies should not be defined in SQL databases<br>\* Database owners should be as expected for SQL databases<br>\* Auditing of both successful and failed login attempts should be enabled for SQL Servers<br>\* Auditing of both successful and failed login attempts for contained DB authentication should be enabled for SQL databases<br>\* Contained users should use Windows Authentication in SQL Server databases<br>\* Polybase network encryption should be enabled for SQL databases<br>\* Create a baseline of External Key Management Providers for SQL Servers<br>\* Force encryption should be enabled for TDS for SQL Servers<br>* Server Permissions granted to public should be minimized for SQL Servers<br>\* All memberships for user-defined roles should be intended in SQL databases<br>\* Orphan database roles should be removed from SQL databases<br>\* There should be at least 1 active audit in the system for SQL Servers<br>\* Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions in SQL databases<br>\* Minimal set of principals should be granted EXECUTE permission on objects or columns in SQL databases<br>\* SQL Threat Detection should be enabled at the SQL server level<br>\* Auditing should be enabled at the server level for SQL Servers<br>\* Database-level firewall rules should not grant excessive access for SQL Servers<br>\* Server-level firewall rules shouldn't grant excessive access for SQL Servers<br>\* Database-level firewall rules should be tracked and maintained at a strict minimum for SQL Servers<br>\* Server-level firewall rules should be tracked and maintained at a strict minimum on SQL Servers<br>\* Unnecessary execute permissions on extended stored procedures should be revoked for SQL Servers<br>\* Minimal set of principals should be members of fixed Azure SQL Database master 
database roles<br>\* Minimal set of principals should be members of fixed high impact database roles in SQL databases<br>\* Minimal set of principals should be members of fixed low impact database roles in SQL databases<br>\* Execute permissions to access the registry should be restricted for SQL Servers<br>\* Sample databases should be removed for SQL Servers<br>\* Data Transformation Services (DTS) permissions should only be granted to SSIS roles in MSDB SQL database<br>\* Minimal set of principals should be members of fixed server roles for SQL Servers<br>\* Features that may affect security should be disabled for SQL Servers<br>\* 'OLE Automation Procedures' feature should be disabled for SQL Servers<br>\* 'User Options' feature should be disabled for SQL Servers<br>\* Extensibility-features that may affect security should be disabled if not needed for SQL Servers<br>\* Vulnerability Assessment should be configured on SQL Server 2012 and higher only<br>\* Changes to signed modules should be authorized for SQL databases<br>\* Track all users with access to the database for SQL Databases<br>\* SQL logins with commonly used names should be disabled for SQL Servers<br>\* See the full [rules and recommendations mapping](sql-azure-vulnerability-assessment-rules.md) |
5253
| December 11, 2025 | Alert | Deprecated | The following alerts are now deprecated. <br>\* AppServices_AnomalousPageAccess<br>\* AppServices_CurlToDisk<br>\* AppServices_WpThemeInjection<br>\* AppServices_SmartScreen<br>\* AppServices_ScanSensitivePage<br>\* AppServices_CommandlineSuspectDomain<br>\* AzureDNS_ThreatIntelSuspectDomain<br>\* AppServices_FilelessAttackBehaviorDetection<br>\* AppServices_FilelessAttackTechniqueDetection<br>\* AppServices_FilelessAttackToolkitDetection<br>\* AppServices_PhishingContent<br>\* AppServices_ProcessWithKnownSuspiciousExtension<br><br>These alerts are being retired as part of a quality improvement process and replaced by newer, more advanced alerts that provide greater accuracy and improved threat detection capabilities. This update ensures enhanced security coverage and reduced noise. |
5354
| December 3, 2025 | Recommendation | Upcoming deprecation (30 day notice) | The following recommendation is set for deprecation 30 days from now: `Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers` for Defender for SQL Servers on Machines plan. |
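
Review bot: In the added February 16 row, `which applied to Window machines` should read `Windows machines`, and the date `February 16 2026` is missing the comma that the neighbouring rows use (`February 10, 2026`, `December 11, 2025`). The same row writes `Guest configuration` in the sentence but `Guest Configuration` in both recommendation names, so pick one casing, and drop the stray period after the second bold recommendation name. The State cell `Upcoming deprecation <br> (March 19, 2026)` also differs in layout from the existing `Upcoming deprecation (30 day notice)` row; aligning the two would make the column easier to scan. Because the replacement recommendations rely on the Machine Configuration extension or Azure Arc onboarding, consider saying explicitly what happens to machines that lack those prerequisites once the old recommendation is removed, so readers can tell whether their configuration assessment coverage will change.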
