Merge pull request #5120 from MicrosoftDocs/main

m365-skilling-repo-management[bot] · web-flow · commit 89616cc0035c · 2025-09-25T08:36:34.000Z
[AutoPublish] main to live - 09/25 01:34 PDT | 09/25 14:04 IST
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
@@ -43,6 +43,24 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
+### September-2025 Build: 101.25082.0003 | Release version: 30.125082.0003.0
+
+|Build:             |**101.25082.0003**    |
+|-------------------|----------------------|
+|Released:          |**September 25, 2025**|
+|Published:         |**September 25, 2025**|
+|Expiry:            |**May 29, 2026**|
+|Release version:   |**30.125082.0003.0**|
+|Engine version:    |**1.1.25070.4000**|
+|Signature version: |**1.435.242.0**|
+
+What's new
+- Vulnerability detection for Langflow, an open-source Python framework for building AI workflows and agents, has been enhanced with dynamic detection using advanced telemetry and Python package scanning. This includes the detection of CVE-2025-3248 with a CVSS score of 9.8, ensuring comprehensive vulnerability coverage.
+
+- Client Analyzer is now bundled directly within the MDE package, eliminating the need for separate downloads. Both the binary and Python versions are included by default and can be found at /opt/microsoft/mdatp/tools/client_analyzer/. This ensures consistent availability across environments and streamlines troubleshooting for customers by making diagnostic tools readily accessible out-of-the-box.
+
+- Other quality and stability fixes.
+
 ### September-2025 Build: 101.25072.0003 | Release version: 30.125072.0003.0
 
 |Build:             |**101.25072.0003**    |
@@ -74,7 +92,6 @@ What's new
 - The `mdatp threat quarantine add` command now requires superuser (root) privileges.
 - Custom definition path can now be updated without stopping Defender for Endpoint. Previously, this required stopping the service, but with this release onwards, updates to the definition path can be made dynamically, improving operational efficiency and reducing downtime.
 - Running Defender for Endpoint on Linux alongside Fapolicyd is now supported on RHEL and Fedora-based distributions, enabling both antivirus (real-time protection) and EDR functionality to operate without conflict. For other fanotify-based tools, MDE can still be used safely by setting the antivirus enforcement level to passive, helping avoid system instability.
-- Both the binary and Python versions of Client Analyzer are now included in the local package. There is no longer a need to download it separately, as it comes bundled by default. You can find it at the location `/opt/microsoft/mdatp/conf/client_analyzer/`.
 - Other stability enhancements and bug fixes.
 
 ### July-2025 Build: 101.25052.0007 | Release version: 30.125052.0007.0
diff --git a/defender-endpoint/microsoft-defender-passive-mode.md b/defender-endpoint/microsoft-defender-passive-mode.md
@@ -26,8 +26,6 @@ Some of the key benefits of Defender Antivirus in passive mode are:
 
 * **EDR Block mode** - Post-breach protection by detecting and remediating threats missed by the active antimalware solution
 
-* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
-
 * **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats.
 
 * **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
diff --git a/defender-endpoint/respond-machine-alerts.md b/defender-endpoint/respond-machine-alerts.md
@@ -103,19 +103,19 @@ Or, use this alternate procedure:
 
    ![Image of collect investigation package](media/collect-investigation-package.png)
    
-2. Add comments and then select **Confirm**.
+1. Add comments and then select **Confirm**.
 
    ![Image of confirm comment](media/comments-confirm.png)
    
-3. Select **Action center** from the response actions section of the device page.
+1. Select **Action center** from the response actions section of the device page.
 
    ![Image of action center](media/action-center-selected.png)
    
-4. Select **Package collection package available** to download the collection package.
+1. Select **Package collection package available** to download the collection package.
 
    ![Image of download package](media/download-package.png)
-
-   > [!NOTE]
+   
+      > [!NOTE]
    > The collection of the investigation package may fail if a device has a low battery level or is on a metered connection.
    
 ### Investigation package contents for Windows devices
@@ -216,7 +216,8 @@ Depending on the severity of the attack and the sensitivity of the device, you m
 - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](mde-linux-prerequisites.md). Ensure that the following prerequisites are enabled:
    - `iptables`
    - `ip6tables`
-   - Linux kernel with `CONFIG_NETFILTER`, `CONFID_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER`
+   - Linux kernel with `CONFIG_NETFILTER`, `CONFIG_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER` for kernel version lower than 5.x and `CONFIG_NETFILTER_XT_MATCH_OWNER` from 5.x kernel.
+    
 - Selective isolation is available for devices running on Windows 11, Windows 10 version 1703 or later, Windows Server 2012 R2 and later, Azure Stack HCI OS, version 23H2 and later, and macOS. For more information about selective isolation, see [Isolation exclusions](./isolation-exclusions.md).
 - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
 - The feature supports VPN connection.
diff --git a/defender-vulnerability-management/fixed-reported-inaccuracies.md b/defender-vulnerability-management/fixed-reported-inaccuracies.md
@@ -39,6 +39,7 @@ The following tables present the relevant vulnerability information organized by
 |---|---|---|
 | - | Added MDVM support for Zoom vulnerability- CVE-2025-49457 | 03-September-25 |
 | - | Added MDVM support for 8 Tableau Server vulnerabilities- CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454 and CVE-2025-52455 | 09-September-25 |
+| - | Defender Vulnerability Management has completely rolled back support for Microsoft Visual C++ | 18-September-25 |
 
 ## August 2025
 
@@ -52,7 +53,6 @@ The following tables present the relevant vulnerability information organized by
 | 103856 | Fixed bad normalization in McAfee Network Security Manager | 05-August-25 |
 | 109441 | Fixed bad normalization in AlmaLinux Perl | 05-August-25 |
 | 97670 | Fixed inaccurate detections of VMware Tools by excluding invalid paths - "/vmware blast/", "/remote experience/" | 19-August-25 |
-| - | Added MDVM support for Microsoft Visual C++ vulnerabilities- CVE-2009-0901, CVE-2009-2493, CVE-2010-3190, CVE-2024-43590 | 20-August-25 |
 | 112007 | Fixed inaccuracy in Gimp vulnerability- CVE-2025-8672 | 21-August-25 |
 | 109858 | Fixed inaccuracy in Microsoft SQL Server Management Studio vulnerability- CVE-2025-29803 | 21-August-25 |
 | - | Updated CPE detection logic for Cisco Identity Services Engine | 26-August-25 |
