Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into WI486581-mdi-detection-updates-reduce-alert-noise

Author: DeCohen

defender-endpoint/TOC.yml

@@ -267,20 +267,22 @@
               href: mde-linux-prerequisites.md
             - name: Choose a deployment method
               items:
-              - name: Installer script based deployment
-                href: linux-installer-script.md
               - name: Enabling deployment to a custom location
                 href: linux-custom-location-installation.md
+              - name: Installer script based deployment
+                href: linux-installer-script.md
               - name: Ansible based deployment
                 href: linux-install-with-ansible.md
               - name: Chef based deployment
                 href: linux-deploy-defender-for-endpoint-with-chef.md
               - name: Puppet based deployment
                 href: linux-install-with-puppet.md
-              - name: Saltstack-based deployment
+              - name: Saltstack based deployment
                 href: linux-install-with-saltack.md
               - name: Manual deployment
                 href: linux-install-manually.md
+              - name: Golden image based deployment
+                href: linux-deploy-defender-for-endpoint-using-golden-images.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
           - name: Configure Defender for Endpoint on Linux

defender-endpoint/android-whatsnew.md

@@ -3,7 +3,7 @@ title: What's new in Microsoft Defender for Endpoint on Android
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Android.
 ms.service: defender-endpoint
 ms.author: lwainstein
-author: lwainstein
+author: limwainstein
 ms.localizationpriority: medium
 manager: bagol
 ms.reviewer: denishdonga
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 05/15/2025
+ms.date: 09/05/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -30,6 +30,18 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 ### Releases for Defender for Endpoint on Android
 
+#### September 2025
+
+| Build|1.0.8102.0101|
+| -------- | -------- |
+| Release Date| September 4, 2025 |
+
+**What's New**
+
+- Resolved the sign-in loop issue for shared device mode. Now, if a user attempts to sign in on a shared device, which isn't supported by MDE Mobile, user will be redirected back to the sign-in page.
+
+- Other accessibility bug fixes and performance improvements.
+
 #### August 2025
 
 | Build|1.0.8018.0103|
@@ -68,7 +80,7 @@ April 2025
 **Setup a secure environment to test prerelease builds of Defender for Endpoint on Android**. Learn the steps on how to set up your environment for prerelease testing of Defender for Endpoint on Android. These steps are for Android devices that are onboarded to Microsoft Defender for Endpoint through the following methods:
 
 - Android Enterprise scenarios
-- Mobile Application Mangement (MAM) enrollment scenarios
+- Mobile Application Management (MAM) enrollment scenarios
 
 For more information, see [Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks](mobile-pretest-android.md).
 
@@ -260,9 +272,9 @@ Notify your users and help desk (as applicable) that end users must accept the n
 
 1. Tap on the Defender for Endpoint in-app notification or open the Defender for Endpoint app. Users see a screen that lists the permissions needed. A green check mark is missing next to **Storage permission**.
 
-2. Tap **Begin**.
+1. Tap **Begin**.
 
-3. Tap the toggle for **Allow access to manage all files**.
+1. Tap the toggle for **Allow access to manage all files**.
 
    The device is now protected.
 

defender-endpoint/ios-whatsnew.md

@@ -3,10 +3,10 @@ title: What's new in Microsoft Defender for Endpoint on iOS
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
 ms.service: defender-endpoint
 ms.author: lwainstein
-author: lwainstein
+author: limwainstein
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
-ms.date: 08/12/2025
+ms.date: 09/05/2025
 manager: bagol
 audience: ITPro
 ms.collection: 
@@ -31,6 +31,16 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 ## Releases for Defender for Endpoint on iOS
 
+#### September 2025
+
+| Build| 1.1.68200103 |
+| -------- | -------- |
+| Release Date | September 4, 2025   |
+
+**What's New**
+
+- [Global Secure Access Internet Profile Support for iOS](/entra/global-secure-access/how-to-install-ios-client) (Preview) - Enables organizations to protect access to internet and SaaS apps with an identity-based Secure Web Gateway, blocking threats, unsafe content, and malicious traffic from the iPhone and iPads.
+
 #### August 2025
 
 | Build| 1.1.68140102|
@@ -39,6 +49,8 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 **What's New**
 
+- Fixed push notification bug to ensure heartbeat signals are sent reliably
+
 - Performance improvements and bug fixes
 
 ### July-2025 

defender-endpoint/linux-deploy-defender-for-endpoint-using-golden-images.md

@@ -0,0 +1,117 @@
+---
+title: Deploy Microsoft Defender for Endpoint on Linux using golden images
+description: Learn how to use preconfigured virtual machine templates (golden images) for rapid, consistent Microsoft Defender for Endpoint deployment on Linux.
+ms.service: defender-endpoint
+ms.author: painbar
+author: paulinbar
+ms.reviewer: meghapriya
+ms.localizationpriority: medium
+manager: bagol
+audience: ITPro
+ms.collection:
+- m365-security
+- tier3
+- mde-linux
+ms.topic: install-set-up-deploy
+ms.subservice: linux
+search.appverid: met150
+ms.date: 09/04/2025
+---
+
+# Deploy Microsoft Defender for Endpoint on Linux using golden images
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- Microsoft Defender for Endpoint for servers
+- Microsoft Defender for Servers Plan 1 or Plan 2
+
+Golden images are preconfigured virtual machine templates used to rapidly deploy consistent environments. Microsoft Defender for Endpoint on Linux supports golden image deployment across cloud and on-premises environments, with improved handling of machine identifiers and hostnames, ensuring reliable telemetry and device correlation.
+
+This guide walks you through:
+
+- Deploying Microsoft Defender for Endpoint on a golden image.
+
+- Preparing the image for cloning.
+
+- Ensuring unique identifiers for each virtual machine instance.
+
+- Specific steps for cloud and on-premises environments.
+
+## Step 1: Deploy Microsoft Defender for Endpoint on a golden image
+
+1. Prepare the base virtual machine
+
+   - Install your preferred [supported Linux distribution](./mde-linux-prerequisites.md#supported-linux-distributions) and apply all necessary system updates.
+
+1. Deploy Microsoft Defender for Endpoint on a golden image
+
+   There are several methods and tools that you can use to deploy Microsoft Defender for Endpoint on Linux (applicable to AMD64 and ARM64 Linux servers):
+
+   - [Installer script based deployment](./linux-installer-script.md)
+
+   - [Ansible based deployment](./linux-install-with-ansible.md)
+
+   - [Chef based deployment](./linux-deploy-defender-for-endpoint-with-chef.md)
+
+   - [Puppet based deployment](./linux-install-with-puppet.md)
+
+   - [SaltStack based deployment](./linux-install-with-saltack.md)
+
+   - [Manual deployment](./linux-install-manually.md)
+
+   - [Direct onboarding with Defender for Cloud](/azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint)
+
+   - [Guidance for Defender for Endpoint on Linux Server with SAP](./mde-linux-deployment-on-sap.md)
+
+1. Validate the deployment
+
+   Check the health status of the product by running the following command. A return value of `true` denotes that the product is functioning as expected:
+
+   ```bash
+   mdatp health
+   ```
+
+> [!NOTE]
+> Once Defender is successfully deployed on the golden image, there's no requirement to install and onboard it individually on each cloned machine.
+
+## Step 2: Prepare the golden image for cloning
+
+When deploying Defender for Endpoint on virtual machines, the hardware UUID reported by the system (system-uuid from dmidecode) is used to uniquely identify each instance.
+
+Before making a snapshot of the virtual machine, ensure that each virtual machine clone gets a unique hardware UUID, as described in the following sections.
+
+### On-premises machines
+
+For on-premises environments, configure your virtualization platform so that each clone receives a unique hardware UUID from the underlying hypervisor. Follow these guidelines:
+
+**KVM/libvirt**
+
+- Don't hard-code the `<uuid>` element in the virtual machine's domain XML; if it's omitted, libvirt generates a random one at definition time.
+
+- Alternatively, explicitly create a new UUID using `uuidgen`.
+
+- For streamlined cloning, use `virt-clone` or `virt-manager`, which automatically assign unique UUIDs.
+
+**VMware**
+
+- During cloning, VMware prompts whether to keep the existing UUID or to create a new one. Always select **Create**, or configure `uuid.action = "create"` in the virtual machine's *.vmx* file.
+
+- In VMware Cloud Director, set `backend.cloneBiosUuidOnVmCopy = 0` to force the creation of new UUIDs.
+
+**Hyper-V**
+
+Hyper-V automatically generates a new hardware UUID when you create a virtual machine using Hyper-V Manager or PowerShell ([New-VM](/powershell/module/hyper-v/new-vm)).
+
+### Cloud virtual machines
+
+Cloud platforms (for example, Azure, AWS, GCP) automatically inject unique metadata and identifiers via their instance metadata services (IMDS). No manual steps are required. Microsoft Defender for Endpoint automatically detects and uses these values to generate unique machine IDs.
+
+## Hostname Management
+
+If the hostname of a Linux server is changed after successful deployment of Defender, then you must restart the `mdatp` service to ensure the new hostname is correctly recognized by product.
+
+## Related content
+
+[!INCLUDE [Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/validate-antimalware.md

@@ -52,7 +52,9 @@ You can run an antivirus detection test to verify that the device is properly on
    1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`.
 
    2. Paste the string into a `.TXT` file and save it as `EICAR.txt`.
-            
+
+3. Open a Command Prompt and run: `type EICAR.txt`.
+
 ### Linux/macOS
 
 1. Ensure that real-time protection is enabled. Run the following command and confirm the output is `"true"`:
@@ -86,4 +88,4 @@ You can run an antivirus detection test to verify that the device is properly on
 - [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)  
 - [Microsoft Defender Antivirus in Windows Overview](microsoft-defender-antivirus-windows.md)  
 - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)  
-- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
+- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)

defender-office-365/connection-filter-policies-configure.md

@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn how to configure connection filtering in Microsoft 365 to allow or block emails from email servers.
 ms.service: defender-office-365
-ms.date: 07/03/2025
+ms.date: 09/05/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -193,6 +193,9 @@ For example, the source email server 192.168.1.25 sends email from the domains c
 
 ### Scenarios where messages from sources in the IP Allow List are still filtered
 
+> [!NOTE]  
+> These scenarios apply to all environments: standalone, hybrid, multi-geo, and cross-forest. Filtering behavior is based on security checks (for example, malware detection, phishing protection, or mail flow rules, not on the deployment model.
+
 Messages from an email server in your IP Allow List are still subject to spam filtering in the following scenarios:
 
 - An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in _any_ Microsoft 365 organization, **and** that Microsoft 365 organization and the first Microsoft 365 server that encounters the message both happen to be in _the same_ forest in the Microsoft datacenters. In this scenario, **IPV:CAL** _is_ added to the message's [anti-spam message headers](message-headers-eop-mdo.md) (indicating the message bypassed spam filtering), but the message is still subject to spam filtering.

defender-office-365/email-authentication-dkim-configure.md

@@ -110,7 +110,7 @@ Points to address or value: selector2-<CustomDomainWithDashes>._domainkey.<Initi
 - **\<CustomDomainWithDashes\>**: The custom domain or subdomain with periods replaced by dashes. For example, `contoso.com` becomes `contoso-com`, or `marketing.contoso.com` becomes `marketing-contoso-com`.
 - **\<InitialDomainPrefix\>**: The custom part of the \*.onmicrosoft.com you used to enroll in Microsoft 365. For example, if you used `contoso.onmicrosoft.com`, the value is `contoso`.
 - **\<DynamicPartitionCharacter\>**: A dynamically generated character that's used for both selectors (for example, r or n). The value is automatically assigned by Microsoft when you add a new custom domain and enable DKIM. The value is determined by Microsoft's internal routing logic and isn't configurable.
-  - This value is part of the updated DKIM record format for new custom domains in Microsoft 365 introduced in May 2025. Existing custom domains and initial domains continue to use the old DKIM format:
+  - **This value is part of the updated DKIM record format for new custom domains in Microsoft 365 introduced in May 2025**. Existing custom domains and initial domains continue to use the old DKIM format:
 
     ```text
     Hostname: selector1._domainkey
@@ -193,7 +193,7 @@ Proceed if the domain satisfies these requirements.
    |Microsoft.Exchange.ManagementTasks.ValidationException|CNAME record does not
    exist for this config. Please publish the following two CNAME records first. Domain Name
    : contoso.com Host Name : selector1._domainkey Points to address or value: selector1-
-   contoso-com._domainkey.contoso.n-v1.dkim.mail.microsoft.com Host Name : selector2._domainkey
+   contoso-com._domainkey.contoso.n-v1.dkim.mail.microsoft Host Name : selector2._domainkey
    Points to address or value: selector2-contoso-com._domainkey.contoso.n-v1.dkim.mail.microsoft .
    If you have already published the CNAME records, sync will take a few minutes to as
    many as 4 days based on your specific DNS. Return and retry this step later.

defender-office-365/submissions-admin.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom: seo-marvel-apr2020
 description: "Admins can learn how to use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages."
 ms.service: defender-office-365
-ms.date: 08/27/2025
+ms.date: 09/05/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -899,7 +899,7 @@ You can use the procedures in this section to dispute admin submitted items that
    - **Upload as screenshot**: Select this option to upload a JPG or PNG image less than one MB.
 
    > [!IMPORTANT]
-   > If you don't select **Reason**, the item isn't sent to Microsoft for reevaluation. Instead, an entry is created on the **Emails** or **URLs** tab without resubmitting the item. Values other than **Reason** are taken as feedback.
+   > If you don't select **Result**, the item isn't sent to Microsoft for reevaluation. Instead, an entry is created on the **Emails** or **URLs** tab without resubmitting the item. Values other than **Result** are taken as feedback.
 
    When you're finished on the **Dispute details** flyout, select **Submit dispute**.
 

defender-xdr/manage-rbac.md

@@ -54,7 +54,7 @@ Centralized permissions management is supported for the following services:
 |**Microsoft Defender XDR**|Centralized permissions management for Microsoft Defender XDR experiences.|
 |**Microsoft Defender for Endpoint**|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page. Limiting permissions to different device groups is accomplished in the Devices Groups page.|
 |**Microsoft Defender Vulnerability Management**|Centralized permissions management for all  Defender Vulnerability Management capabilities.|
-|**Microsoft Defender for Office 365**|Full support for all data and actions. </br></br> **Note**: <ul><li>Initially, the Microsoft Defender XDR RBAC model is available only for organizations with Microsoft Defender for Office 365 Plan 2 licenses (trial licenses aren't supported).</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>Exchange Online PowerShell and Security & Compliance PowerShell continue to use [Exchange Online roles](/exchange/permissions-exo/permissions-exo) and [Email & Collaboration roles](/defender-office-365/mdo-portal-permissions). Microsoft Defender XDR Unified RBAC doesn't affect Exchange Online PowerShell or Security & Compliance PowerShell.</li><li>Azure B2B invited guests aren't supported by all experiences that were previously under Exchange Online RBAC.</li></ul>|
+|**Microsoft Defender for Office 365**|Full support for all data and actions. </br></br> **Note**: <ul><li>Initially, the Microsoft Defender XDR RBAC model is available only for organizations with Microsoft Defender for Office 365 Plan 2 licenses (trial licenses aren't supported).</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>Exchange Online PowerShell and Security & Compliance PowerShell continue to use [Exchange Online roles](/exchange/permissions-exo/permissions-exo) and [Email & Collaboration roles](/defender-office-365/mdo-portal-permissions). Microsoft Defender XDR Unified RBAC doesn't affect Exchange Online PowerShell or Security & Compliance PowerShell.</li></ul>|
 |**Microsoft Defender for Identity**|Full support for all identity data and actions. All roles are compatible with [Microsoft Defender for Identity scoped access](/defender-for-identity/configure-scoped-access).</br></br> **Note:** Defender for Identity experiences also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|
 |**Microsoft Defender for Cloud**|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.|
 |**Microsoft Security Exposure Management**|Full support for all Exposure Management data and actions, including Microsoft Secure Score data.|