defender-endpoint/android-configure.md
9 additions & 1 deletion
@@ -109,7 +109,15 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
109
109
> [!NOTE]
110
110
> - The other config keys of Network Protection will only work if the parent key '**Enable Network Protection in Microsoft Defender'** is enabled.
111
111
> - To ensure comprehensive protection against Wi-Fi threats, users should enable location permission and select the "Allow All the Time" option. This permission is optional but highly recommended, even when the app is not actively in use. If location permission is denied, Defender for Endpoint will only offer limited protection against network threats and will only safeguard users from rogue certificates.
112
-
**An open wi-fi network alert** is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert will be generated. However, connecting to a different open Wi-Fi network will result in an immediate alert.
112
+
113
+
> [!IMPORTANT]
114
+
> Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.</br></br>
115
+
> Here are a key changes about this new experience:</br>
116
+
> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
117
+
> - WWhen an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
118
+
> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to trusted networks, are sent to the device timeline as events.
119
+
> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.</br>
120
+
> - The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
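Review bot: The added IMPORTANT block has copy errors that should be fixed before merge: "WWhen an end-user connects" in the second bullet, "Here are a key changes about this new experience" in the lead-in, and "still continue to apply" in the GCC bullet ("still applies"). "available on May 2025" reads better as "available in May 2025". The `</br>` tags are not valid HTML (use `<br/>` or drop them), and the "Enable Users to Trust Networks" bullet has none where its siblings do. The hunk also replaces the seven-day reconnect suppression with one event per 24-hour period without saying whether that window is counted per network or per device; stating it would help analysts who read the device timeline.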
defender-endpoint/android-whatsnew.md
12 additions & 1 deletion
@@ -15,7 +15,7 @@ ms.collection:
15
15
ms.topic: reference
16
16
ms.subservice: android
17
17
search.appverid: met150
18
-
ms.date: 04/18/2025
18
+
ms.date: 05/15/2025
19
19
---
20
20
21
21
# What's new in Microsoft Defender for Endpoint on Android
@@ -28,6 +28,17 @@ ms.date: 04/18/2025
28
28
29
29
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
30
30
31
+
#### Alerts for activities related to open wireless connection and certificates are now detected as events
32
+
33
+
May 2025
34
+
35
+
Starting May 19, 2025, security operations center (SOC) analysts can now view the following as events instead of alerts:
36
+
37
+
- Connecting or disconnecting to open wireless networks
38
+
- Download/installation/removal of self-signed certificates
39
+
40
+
These events can be viewed in the Timeline tab of a device page. For more information, see [Network protection](android-configure.md#network-protection).
41
+
31
42
#### Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks
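Review bot: The new "What's new" entry leaves out the two conditions that the android-configure.md change in this commit attaches to the behaviour: end-users must update to the May 2025 version of Defender for Endpoint on Android, and GCC tenants keep the previous alert experience. A SOC reader who only sees this entry may assume alerts stop for every device on May 19, 2025; add one sentence for each condition. "May 2025" is also plain text here but bold in the matching ios-whatsnew.md entry, so pick one style.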
defender-endpoint/ios-configure-features.md
8 additions & 4 deletions
@@ -14,7 +14,7 @@ ms.collection:
14
14
ms.topic: conceptual
15
15
ms.subservice: ios
16
16
search.appverid: met150
17
-
ms.date: 03/27/2025
17
+
ms.date: 05/15/2025
18
18
---
19
19
20
20
# Configure Microsoft Defender for Endpoint on iOS features
@@ -167,9 +167,13 @@ Use the following procedure to set up MAM config for unenrolled devices for netw
167
167
168
168
6. Review and create the configuration policy.
169
169
170
-
> [!NOTE]
171
-
> **Open Wi-Fi Network Alert:**
172
-
> An alert is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert is generated. However, connecting to a different open Wi-Fi network results in an immediate alert.
170
+
> [!IMPORTANT]
171
+
> Starting May 19, 2025, alerts in the Microsoft Defender portal are no longer generated when users connect to an open wireless network. Instead, this activity now generates events and are viewable in the device timeline. With this change, security operations center (SOC) analysts can now view connection/disconnection to open wireless networks as events. If auto-remediation key is enabled, old alerts are resolved automatically after the changes take effect.</br></br>
172
+
> Here are key points about this change:</br>
173
+
> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on iOS available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
174
+
> - When an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
175
+
> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to user trusted networks, are sent to the device timeline as events.</br>
176
+
> - This change doesn't impact GCC customers. The previous experience of receiving alerts while connecting to open wireless networks still apply to them.
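Review bot: The auto-remediation sentence appears twice in the added block, at the end of the opening paragraph and again in the first bullet ("If auto-remediation key is enabled ..., old alerts are resolved automatically after the changes take effect"); keep one copy. Grammar in the same block: "this activity now generates events and are viewable" should be "events that are viewable", "still apply to them" should be "still applies to them", and "available on May 2025" should be "in May 2025". The `</br>` tags should be `<br/>` or removed.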
defender-endpoint/ios-whatsnew.md
9 additions & 1 deletion
@@ -6,7 +6,7 @@ ms.author: ewalsh
6
6
author: emmwalshh
7
7
ms.reviewer: sunasing; denishdonga
8
8
ms.localizationpriority: medium
9
-
ms.date: 03/28/2025
9
+
ms.date: 05/15/2025
10
10
manager: deniseb
11
11
audience: ITPro
12
12
ms.collection:
@@ -29,6 +29,14 @@ search.appverid: met150
29
29
30
30
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
31
31
32
+
#### Alerts for activities related to open wireless connections are now detected as events
33
+
34
+
**May 2025**
35
+
36
+
Starting May 19, 2025, when a user connects to an open wireless network on a mobile device, an alert is no longer generated on the Microsoft Defender portal. Instead, this activity is added as an event and viewable under the device timeline.
37
+
38
+
For more information, see [Configure network protection](ios-configure-features.md#configure-network-protection).
39
+
32
40
#### Improving Usability: Key updates to the Microsoft Defender app interface on iOS
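Review bot: The added paragraph mentions only the case where a user "connects to an open wireless network", while the ios-configure-features.md change in this commit describes events for both connection and disconnection; align the two so analysts know disconnections also land in the device timeline. As with the Android entry, the app-update requirement and the GCC exception from the configure article are missing here and deserve a sentence each.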
- Support phase: **Security and Critical Updates**
108
+
109
+
#### What's new
110
+
111
+
- Fixed TVM Block where we failed to block a trusted file
112
+
- Fixed Microsoft Defender platform update timestamp to reflect the actual update time.
113
+
- The [1002 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1002) (An anti-malware scan was stopped before it finished) now includes details of the stop reason.
114
+
- Added more details to the [1000 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1000) (Scan started), like scan trigger and scan on idle.
115
+
- Improved ASR file processing to correctly handle ["allow" Indicators of Compromise](/defender-endpoint/indicators-overview) (IoCs).
116
+
- Improvement in health reporting for machines that are rebooted or hibernated.
117
+
- Improved performance for [Smart App Control](/windows/apps/develop/smart-app-control/overview) (SAC) trusted file handling.
118
+
- Improved [device control](/defender-endpoint/device-control-overview) logic for offline printers.
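Review bot: The first added bullet, "Fixed TVM Block where we failed to block a trusted file", is ambiguous: it reads as if blocking a trusted file is the intended outcome, and it does not say under what condition the block failed. Reword it to state what should have been blocked and why, spell out TVM on first use, drop the first-person "we" to match the other bullets, and end it with a period as the rest of the list does.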
- Windows Security app: See [Microsoft Defender Antivirus in the Windows Security app](/defender-endpoint/microsoft-defender-security-center-antivirus)
defender-endpoint/troubleshoot-performance-issues.md
2 additions & 2 deletions
@@ -7,7 +7,7 @@ ms.author: ewalsh
7
7
author: emmwalshh
8
8
ms.localizationpriority: medium
9
9
manager: deniseb
10
-
ms.date: 04/01/2025
10
+
ms.date: 05/14/2025
11
11
audience: ITPro
12
12
ms.topic: troubleshooting
13
13
ms.subservice: ngp
@@ -44,7 +44,7 @@ First, you might want to check if other software is causing the issue. Read [Che
44
44
|2. **Using HTA's, CHM's and different files as databases**. <br/>Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. | Consider switching to using actual databases if you need to save info and query it. <br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
45
45
|3. **Using obfuscations on scripts**. <br/>If you obfuscate scripts, Microsoft Defender Antivirus in order to check if the script contains malicious payloads, it can use more CPU utilization while scanning. | Use script obfuscation only when necessary.<br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
46
46
|4. **Not letting the Microsoft Defender Antivirus cache finish before sealing the image**.| If you're creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed. <br/> For more information, see [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). |
47
-
|5. **Having the wrong path exclusion(s) due to misspelling**. <br/>If you add misspelled exclusion paths, it can lead to performance issues.| Use `MpCmdRun.exe -CheckExclusion -Path` to validate path-based exclusions. |
47
+
|5. **Misspelled exclusions**. <br/>| Use `MpCmdRun.exe -CheckExclusion -Path` to validate path-based exclusions. |
48
48
|6. **When a path exclusion is added, it works for scanning flows**. <br/>Behavior Monitoring (BM) and Network Real-time Inspection (NRI) can still cause performance issues. |As a workaround, take these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) [Add Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
49
49
|7. **File hash computation**. <br/>If you enable file hash computation, which is used for [file indicators](indicator-file.md), there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features. <br/>**Note**: To enable Indicators - File hash functionality, this feature must be activated.|
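Review bot: In row 5 the rewrite leaves an empty description: the cell is now "**Misspelled exclusions**. <br/>" with nothing after the line break, and the removed sentence that explained why misspelled exclusion paths matter ("it can lead to performance issues") has no replacement. Either restore a one-line explanation or drop the trailing `<br/>`. The new title also says exclusions in general while the remediation column only validates path-based exclusions, so "Misspelled path exclusions" would match the fix being offered.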
defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
5 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.author: ewalsh
7
7
author: emmwalshh
8
8
ms.reviewer: noamhadash, pahuijbr, yongrhee
9
9
ms.localizationpriority: medium
10
-
ms.date: 04/17/2025
10
+
ms.date: 05/14/2025
11
11
manager: deniseb
12
12
audience: ITPro
13
13
ms.collection:
@@ -46,6 +46,10 @@ For more information on what's new with other Microsoft Defender security produc
46
46
-[What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
47
47
-[What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
48
48
49
+
## May 2025
50
+
51
+
- (GA) New setting for **"Allow Network Protection On Win Server"** to be able to manage Network Protection for Windows Server 2019 and later in Microsoft Defender for Endpoint Security Settings Management and Microsoft Intune. See [Turn on network protection](/defender-endpoint/enable-network-protection).
52
+
49
53
## April 2025
50
54
51
55
- (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.
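Review bot: The added May 2025 bullet is hard to parse: "New setting for **"Allow Network Protection On Win Server"** to be able to manage Network Protection ..." has no clear subject for "to be able to manage". Something like "New setting **Allow Network Protection On Win Server** lets you manage network protection for Windows Server 2019 and later in ..." says the same thing directly. The setting name is both bolded and quoted; one of the two is enough, and "Network Protection" is capitalized in the sentence but lowercase in the link text.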
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -145,7 +145,7 @@ These settings aren't configured in the default anti-spam policy by default, or
145
145
146
146
² For **High confidence phishing**, the **Move message to Junk Email folder** action is effectively deprecated. Although you might be able to select the **Move message to Junk Email folder** action, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).
147
147
148
-
³ You can this use value as a condition in mail flow rules to filter or route the message.
148
+
³ You can this use value as a condition in [Mail flow rules in Exchange Server](/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rules)to filter or route messages for mailboxes in on-premises Exchange environments.
149
149
150
150
⁴ If the spam filtering verdict quarantines messages by default (**Quarantine message** is already selected when you get to the page), the default quarantine policy name is shown in the **Select quarantine policy** box. If you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
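Review bot: The changed footnote ³ carries over the transposed words "You can this use value" (should be "use this value") and is missing a space after the new link, so it renders as "...mail-flow-rules)to filter". The new wording also narrows the footnote to "mailboxes in on-premises Exchange environments" and links only to Exchange Server mail flow rules, where the removed line spoke of mail flow rules in general; if that narrowing is intended, the commit should say why, otherwise keep the general wording.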