Merge branch 'main' into update-mda-ids

Author: DeCohen

ATADocs/suspicious-activity-guide.md

@@ -536,9 +536,9 @@ Apply the latest patches to all of your machines, and check all security updates
 
 1. [Remove WannaCry](https://support.microsoft.com/help/890830/remove-specific-prevalent-malware-with-windows-malicious-software-remo)
 
-1. Data in the control of some ransom software can sometimes be decrypted. Decryption is only possible if the user hasn't restarted or turned off the computer. For more information, see [Wanna Cry Ransomware](https://answers.microsoft.com/en-us/windows/forum/windows_10-security/wanna-cry-ransomware/5afdb045-8f36-4f55-a992-53398d21ed07?auth=1)
+1. Data in the control of some ransom software can sometimes be decrypted. Decryption is only possible if the user hasn't restarted or turned off the computer. For more information, see [WannaCrypt ransomware worm targets out-of-date systems](https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/)
 
->[!NOTE]
+> [!NOTE]
 > To disable a suspicious activity alert, contact support.
 
 ## See also

CloudAppSecurityDocs/caac-known-issues.md

@@ -19,6 +19,8 @@ In cases like these, be sure to cover files that are larger than 50 MB by using
 
 In Microsoft Defender XDR, select **Settings** > **Conditional Access App Control** > **Default behavior** to manage settings for files that are larger than 50 MB.
 
+With Edge in-browser protection, in case the end user session is protected AND the policy is set to 'Always apply the selected action even if data cannot be scanned', any file larger than 50MB is blocked.
+
 ## Maximum file size for session policies based on content inspection
 
 When you apply a session policy to block file uploads or downloads based on content inspection, the inspection is performed only on files that are smaller than 30 MB and that have fewer than 1 million characters.

defender-endpoint/data-storage-privacy.md

@@ -34,7 +34,7 @@ ms.date: 05/12/2025
 This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint.
 
 > [!NOTE]
-> This article explains the data storage and privacy details related to Defender for Endpoint and Defender for Business. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576), and also [Windows privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577).
+> This article explains the data storage and privacy details related to Defender for Endpoint and Defender for Business. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).
 
 ## What are we collecting?
 

defender-endpoint/gov.md

@@ -43,12 +43,26 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
+### July-2025 Build: 101.25052.0007 | Release version: 30.125052.0007.0
+
+|Build:             |**101.25052.0007**    |
+|-------------------|----------------------|
+|Released:          |**July 22, 2025**     |
+|Published:         |**July 22, 2025**     |
+|Release version:   |**30.125052.0007.0**  |
+|Engine version:    |**1.1.25020.4000**    |
+|Signature version: |**1.427.370.0**       |
+
+What's new
+- Fixed issue to generate unique Machine identifiers to ensure each onboarded device is uniquely identified.
+- Other stability improvements and bug fixes.
+
 ### June-2025 Build: 101.25042.0003 | Release version: 30.125042.0003.0
 
 |Build:             |**101.25042.0003**    |
 |-------------------|----------------------|
-|Released:          |**June 30, 2025**      |
-|Published:         |**June 30, 2025**      |
+|Released:          |**June 30, 2025**     |
+|Published:         |**June 30, 2025**     |
 |Release version:   |**30.125042.0003.0**  |
 |Engine version:    |**1.1.25020.4000**    |
 |Signature version: |**1.427.370.0**       |

defender-endpoint/linux-whatsnew.md

@@ -484,11 +484,9 @@ To download the onboarding package from the Microsoft Defender portal:
 
 1. On the **Deployment method** drop-down, select **Mobile Device Management / Microsoft Intune**.
 
-   ![macos-download-onboarding-package](media/mac-install-with-intune/macos-download-onboarding-package.png)
-   
-   
-   
-3. Select **Download onboarding package**. Save it as _GatewayWindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+   ![Screenshot of the Onboarding page with Deployment method Mobile Device Management / Microsoft Intune highlighted.](media/mac-install-with-intune/macos-download-onboarding-package.png)
+
+1. Select **Download onboarding package**. Save it as _GatewayWindowsDefenderATPOnboardingPackage.zip_ to the same directory.
 
 1. Extract the contents of the .zip file:
 

defender-endpoint/mac-install-with-intune.md

@@ -13,7 +13,7 @@ ms.collection:
 - tier2
 ms.topic: article
 search.appverid: met150
-ms.date: 01/23/2025
+ms.date: 07/20/2025
 ---
 
 # Device inventory
@@ -46,7 +46,7 @@ There are several options you can choose from to customize the devices list view
 During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
 
 > [!NOTE]
-> If you export the devices list, it contains every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file includes all devices in the organization, regardless of any filtering applied in the view itself.
+> If you export the devices list, it contains every device in your organization. It might take a significant amount of time to download, depending on how large your organization is.
 >
 > In addition, when you export the devices list, the antivirus status shows as `Not-Supported`. For antivirus status, use the recently released [Microsoft Defender Antivirus health report](device-health-microsoft-defender-antivirus-health.md) instead. This report allows you to export even more details.
 

defender-endpoint/machines-view-overview.md

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 06/23/2025
+ms.date: 07/23/2025
 audience: ITPro
 ms.topic: reference
 author: emmwalshh
@@ -99,6 +99,20 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### June-2025 (Platform: 4.18.25060.7 | Engine: 1.1.25060.6)
+ 
+- Security intelligence update version: **1.433.2.0**
+- Release date:  **July 22, 2025 (Engine)** / **July 22, 2025 (Platform)**
+- Platform: **4.18.25060.7**
+- Engine: **1.1.25060.6**
+- Support phase: **Security and Critical Updates**
+ 
+#### What's new
+
+- Added filtering to improve scan stability and prevent engine crashes
+- Additional performance improvements to prevent concurrent scans. This change ensures that if a quick or full scan is already running, no additional quick or full scan scans are initiated from `MpCmdRun` or Powershell (`Start-Scan`).
+- Resolved the issue where subfolder exclusions were not being honored in Microsoft Defender Antivirus scans related to non-Microsoft SIEM solutions. This fix ensures that specified subfolders are now correctly excluded from scans, preventing unnecessary detections and improving overall system performance.
+
 ### May-2025 (Platform: 4.18.25050.5 | Engine: 1.1.25050.6)
 
 - Security intelligence update version: **1.431.19.0**
@@ -141,25 +155,6 @@ Updates contain:
 - Improved performance for [Smart App Control](/windows/apps/develop/smart-app-control/overview) (SAC) trusted file handling.
 - Improved [device control](/defender-endpoint/device-control-overview) logic for offline printers.
 
-### March-2025 (Platform: 4.18.25030.2 | Engine 1.1.25030.1)
-
-- Security intelligence update version: **1.427.3.0**
-- Release date: **April 1, 2025** (Engine) / **April 9, 2025** (Platform)
-- Platform: **4.18.25030.2**
-- Engine: **1.1.25030.1**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Improved caching of [device control settings](device-control-policies.md) to improve reliability in occasionally connected environments. 
-- Performance improvement in on-access scans of files in network locations.
-- Fixed the Defender service description to match the latest installed version.
-- Improved Defender engine update logic when the update is included in a custom image.
-- Fix in health reporting where signature update data might have been incorrect.
-- Fixed reporting issue with [controlled folder access](controlled-folders.md) (CFA) protected folders using the PowerShell cmdlet [Get-MpPreference](/powershell/module/defender/get-mppreference) when CFA is disabled.
-- Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
-- Added support for distinguishing regular cloud allow signatures from clean [Indicators of Compromise](indicators-overview.md) (IoC) in [attack surface reduction](attack-surface-reduction.md) (ASR).
-
 ### Previous version updates: Technical upgrade support only
 
 After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 06/23/2025
+ms.date: 07/23/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,26 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### March-2025 (Platform: 4.18.25030.2 | Engine 1.1.25030.1)
+
+- Security intelligence update version: **1.427.3.0**
+- Release date: **April 1, 2025** (Engine) / **April 9, 2025** (Platform)
+- Platform: **4.18.25030.2**
+- Engine: **1.1.25030.1**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Improved caching of [device control settings](device-control-policies.md) to improve reliability in occasionally connected environments. 
+- Performance improvement in on-access scans of files in network locations.
+- Fixed the Defender service description to match the latest installed version.
+- Improved Defender engine update logic when the update is included in a custom image.
+- Fix in health reporting where signature update data might have been incorrect.
+- Fixed reporting issue with [controlled folder access](controlled-folders.md) (CFA) protected folders using the PowerShell cmdlet [Get-MpPreference](/powershell/module/defender/get-mppreference) when CFA is disabled.
+- Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
+- Added support for distinguishing regular cloud allow signatures from clean [Indicators of Compromise](indicators-overview.md) (IoC) in [attack surface reduction](attack-surface-reduction.md) (ASR).
+
+
 ### February-2025 (Platform 4.18.25020.1009 | Engine: 1.1.25020.1007)
 
 - Security intelligence update version: **1.425.1.0**

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -23,7 +23,7 @@ ms.topic: concept-article
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 02/10/2025
+ms.date: 07/22/2025
 ---
 
 # Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal
@@ -34,6 +34,9 @@ Querying from a single portal across different data sets makes hunting more effi
 
 [!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
 
+> [!NOTE]
+> After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration KQL queries in the Defender portal. For more information, see [KQL queries in the Microsoft Sentinel data lake](/azure/sentinel/datalake/kql-queries).
+
 ## How to access
 
 ### Required roles and permissions