Merge branch 'main' into WI419617-Document-details-for-finding-AD-service-accounts

Author: DeCohen

.acrolinx-config.edn

@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
  "
 **More information about Acrolinx**
  
-- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
+- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
 
 "
 }

ATPDocs/deploy/remote-calls-sam.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
 > [!IMPORTANT]
-> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025.
+> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. This change will happen automatically by the specified dates. No admin action is required. 
 > 
 
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.

ATPDocs/whats-new.md

@@ -25,7 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 ## May 2025
 
 ### Local administrators collection (using SAM-R queries) feature will be disabled
-Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored.
+Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored. This change will happen automatically by the specified dates. No admin action is required. 
 
 ### New Health Issue
 

CloudAppSecurityDocs/activity-filters-queries.md

@@ -170,8 +170,21 @@ You can export all activities from the past six months by clicking the Export bu
 
 ![Click the export icon to export records.](media/activity-filters-queries/export-button-of-activity-logs.png)
 
-When exporting data:
+> [!NOTE]
+> **Required Permissions for Exporting Capabilities:** To utilize the exporting features, users must be assigned one of the following roles:
+> - **Built-in admin roles in Defender for Cloud Apps-** These roles must be granted via [Microsoft Defender for Cloud Apps Permissions and roles settings](/defender-cloud-apps/manage-admins):
+>   - Global Admin
+>   - Cloud Discovery Global Admin
+>   - Security Operator
+>   - Compliance Admin
+>   - Security Reader
+> - **Microsoft Entra ID Roles-** These roles must be assigned through [Microsoft Entra ID built-in roles](/entra/identity/role-based-access-control/permissions-reference):
+>   - Global Administrator
+>   - Security Administrator
+>   - Cloud App Security Administrator
+>   - Global Reader
 
+When exporting data:
 - You can choose a date range of up to six months.
 - You can choose to exclude private activities.  
 - The exported file is limited to 100,000 records and is delivered in CSV format.

CloudAppSecurityDocs/in-browser-protection.md

@@ -27,7 +27,7 @@ To use in-browser protection, users must also have the following environmental r
 |**Operating systems**|Windows 10 or 11, macOS|
 |**Identity platform**|Microsoft Entra ID|
 |**Microsoft Edge for Business versions**|The last two stable versions. For example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125. <br> For more information, see [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).|
-|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\sensitive files)</li><li>Block\Monitor file upload (all files\sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.|
+|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning are not supported for Edge in-browser protection|
 
 All other scenarios are served automatically with the standard reverse proxy technology, including user sessions from browsers that don't support in-browser protection, or for policies not supported by in-browser protection.
 
@@ -105,7 +105,7 @@ Administrators who understand the power of Microsoft Edge browser protection can
 
 4. When you're finished on the **Edge for Business protection** page, select **Save**.
 
-:::image type="content" source="media/in-browser-protection/edge-for-business-protection-settings.png" alt-text="Screenshot of Microsoft Edge for business protection settings." lightbox="media/in-browser-protection/edge-for-business-protection-settings.png":::
+   :::image type="content" source="media/in-browser-protection/edge-for-business-protection-settings.png" alt-text="Screenshot of Microsoft Edge for business protection settings." lightbox="media/in-browser-protection/edge-for-business-protection-settings.png":::
 
 ## Related content
 

CloudAppSecurityDocs/session-policy-aad.md

@@ -97,7 +97,6 @@ This procedure describes how to create a new session policy in Defender for Clou
 
     1. <a name="inspection"></a>In the **Apply to** area (Preview):
 
-        - Select whether to apply the policy to all files, or files in specified folders only
         - Select an inspection method to use, such as data classification services, or malware. For more information, see [Microsoft Data Classification Services integration](dcs-inspection.md).
         - Configure more detailed options for your policy, such as scenarios based on elements like fingerprints or trainable classifiers.
 

defender-endpoint/android-configure.md

@@ -109,7 +109,15 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
 > [!NOTE]
 > - The other config keys of Network Protection will only work if the parent key '**Enable Network Protection in Microsoft Defender'** is enabled.
 > - To ensure comprehensive protection against Wi-Fi threats, users should enable location permission and select the "Allow All the Time" option. This permission is optional but highly recommended, even when the app is not actively in use. If location permission is denied, Defender for Endpoint will only offer limited protection against network threats and will only safeguard users from rogue certificates.
-**An open wi-fi network alert** is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert will be generated. However, connecting to a different open Wi-Fi network will result in an immediate alert.
+
+> [!IMPORTANT]
+> Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.</br></br>
+> Here are a key changes about this new experience:</br>
+> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
+> - WWhen an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
+> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to trusted networks, are sent to the device timeline as events.
+> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.</br>
+> - The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
 
 ## Privacy Controls
 

defender-endpoint/android-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 04/18/2025
+ms.date: 05/15/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -28,6 +28,17 @@ ms.date: 04/18/2025
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
+#### Alerts for activities related to open wireless connection and certificates are now detected as events
+
+May 2025
+
+Starting May 19, 2025, security operations center (SOC) analysts can now view the following as events instead of alerts:
+
+- Connecting or disconnecting to open wireless networks
+- Download/installation/removal of self-signed certificates
+
+These events can be viewed in the Timeline tab of a device page. For more information, see [Network protection](android-configure.md#network-protection).
+
 #### Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks
 
 April 2025

defender-endpoint/enable-network-protection.md

@@ -3,10 +3,10 @@ title: Turn on network protection
 description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 01/22/2025
+ms.date: 05/13/2025
 ms.topic: conceptual
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 ms.reviewer: tdoucett
 manager: deniseb
 ms.subservice: asr
@@ -64,42 +64,11 @@ You can use Registry Editor to check the status of network protection.
 
 To enable network protection, you can use one of the following methods:
 
-- [PowerShell](#powershell)
-- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
 - [Microsoft Intune](#microsoft-intune)
+- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
 - [Group Policy](#group-policy)
 - [Microsoft Configuration Manager](#microsoft-configuration-manager)
-
-### PowerShell
-
-1. On your Windows device, select Start, type `powershell`, right-click **Windows PowerShell**, and then select **Run as administrator**.
-
-2. Run the following cmdlet:
-
-   ```PowerShell
-   Set-MpPreference -EnableNetworkProtection Enabled
-   ```
-
-3. For Windows Server, use the additional commands that listed in the following table:
-
-   | Windows Server version | Commands |
-   |---|---|
-   | Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` |
-   | Windows Server 2016 <br/>Windows Server 2012 R2 with the [unified agent for Microsoft Defender for Endpoint](/defender-endpoint/enable-network-protection) | `set-MpPreference -AllowNetworkProtectionDownLevel $true` <br/> `set-MpPreference -AllowNetworkProtectionOnWinServer $true` |
-
-4. (This step is optional.) To set network protection to audit mode, use the following cmdlet:
-
-   ```PowerShell
-   Set-MpPreference -EnableNetworkProtection AuditMode
-   ```
-
-   To turn off network protection, use the `Disabled` parameter instead of `AuditMode` or `Enabled`.
-
-### Mobile device management (MDM)
-
-1. Use the [EnableNetworkProtection](/windows/client-management/mdm/policy-csp-defender#enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
-
-2. [Update Microsoft Defender antimalware platform to the latest version](https://support.microsoft.com/topic/update-for-microsoft-defender-antimalware-platform-92e21611-8cf1-8e0e-56d6-561a07d144cc) before you enable or disable network protection or enable audit mode.
+- [PowerShell](#powershell)
 
 ### Microsoft Intune
 
@@ -155,6 +124,12 @@ To enable network protection, you can use one of the following methods:
 
 8. Review all the information, and then select **Create**.
 
+### Mobile device management (MDM)
+
+1. Use the [EnableNetworkProtection](/windows/client-management/mdm/policy-csp-defender#enablenetworkprotection) configuration service provider (CSP) to turn network protection on or off, or to enable audit mode.
+
+2. [Update Microsoft Defender anti-malware platform to the latest version](https://support.microsoft.com/topic/update-for-microsoft-defender-antimalware-platform-92e21611-8cf1-8e0e-56d6-561a07d144cc) before you turn network protection on or off.
+
 ### Group Policy
 
 Use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
@@ -163,19 +138,19 @@ Use the following procedure to enable network protection on domain-joined comput
 
     *-Or-*
 
-    On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
+    On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure and select **Edit**.
 
 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Microsoft Defender Exploit Guard** \> **Network protection**.
 
-   Note that on older versions of Windows, the Group Policy path might have *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
+   On older versions of Windows, the Group Policy path might have *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
 
 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
 
     - **Block** - Users can't access malicious IP addresses and domains.
     - **Disable (Default)** - The Network protection feature won't work. Users aren't blocked from accessing malicious domains.
-    - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
+    - **Audit Mode** - If a user visits a malicious IP address or domain, an event is recorded in the Windows event log. However, the user won't be blocked from visiting the address.
 
    > [!IMPORTANT]
    > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
@@ -203,11 +178,42 @@ Use the following procedure to enable network protection on domain-joined comput
 
 7. From the ribbon, select **Deploy** to deploy the policy to a collection.
 
+### PowerShell
+
+1. On your Windows device, click **Start**, type `powershell`, right-click **Windows PowerShell**, and then select **Run as administrator**.
+
+2. Run the following cmdlet:
+
+   ```PowerShell
+   Set-MpPreference -EnableNetworkProtection Enabled
+   ```
+
+3. For Windows Server, use the additional commands listed in the following table:
+
+   | Windows Server version | Commands |
+   |---|---|
+   |Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` |
+   |Windows Server 2016 <br/>Windows Server 2012 R2 with the [unified agent for Microsoft Defender for Endpoint](/defender-endpoint/enable-network-protection) | `set-MpPreference -AllowNetworkProtectionDownLevel $true` <br/> `set-MpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
+
+   > [!IMPORTANT]
+   > For Domain Controllers and Microsoft Exchange servers, set the `AllowDatagramProcessingOnWinServer` parameter to `$false`. These roles often generate high volumes of UDP traffic, which can affect network performance and reliability when datagram processing is enabled. Disabling this setting helps maintain network stability and optimize resource usage in demanding environments.
+   
+4. (This step is optional.) To set network protection to audit mode, use the following cmdlet:
+
+   ```PowerShell
+   Set-MpPreference -EnableNetworkProtection AuditMode
+   ```
+
+   To turn off network protection, use the `Disabled` parameter instead of `AuditMode` or `Enabled`.
+
 #### Important information about removing Exploit Guard settings from a device
 
-Once an Exploit Guard policy is deployed using Configuration Manager, Exploit Guard settings aren't removed from the clients if you remove the deployment. Furthermore, if you remove the client's Exploit Guard deployment, `Delete not supported` is recorded in the client's `ExploitGuardHandler.log` in Configuration Manager.  <!--CMADO8538577-->
+When you deploy an Exploit Guard policy using Configuration Manager, the settings remain on the client even if you later remove the deployment. If the deployment is removed, the client logs `Delete` not supported in the `ExploitGuardHandler.log` file.
+
+<!--CMADO8538577-->
 
-Use the following PowerShell script in the SYSTEM context to remove Exploit Guard settings correctly:<!--CMADO9907132-->
+Use the following PowerShell script in the `SYSTEM` context to remove Exploit Guard settings correctly:
+<!--CMADO9907132-->
 
 ```powershell
 $defenderObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_Defender02" -Filter "InstanceID='Defender' and ParentID='./Vendor/MSFT/Policy/Config'"