Merge branch 'main' into poliveria-entraid-10072025

Author: poliveria

defender-endpoint/android-configure.md

@@ -110,11 +110,12 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
 > [!IMPORTANT]
 > Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.
 > Here are key changes about this new experience:
-> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on mid-May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.
-> - When an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.
-> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including trusted networks, are sent to the device timeline as events.
-> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.
-> - The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
+- For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on mid-May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.
+- When an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.
+- Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including trusted networks, are sent to the device timeline as events.
+- Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.
+- The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
+
 
 ## Privacy Controls
 
@@ -127,6 +128,20 @@ Following privacy controls are available for configuring the data that is sent b
 |Vulnerability assessment of apps |By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps|
 |Network Protection | Admins can enable or disable privacy in network protection. If enabled, then Defender won't send network details.|
 
+## Root Detection (Preview)
+
+Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are rooted. These root detection checks are done periodically. If a device is detected as rooted, these events occur:
+
+- A high-risk alert is reported to the Microsoft Defender portal. If device Compliance and Conditional Access are set up based on device risk score, then the device is blocked from accessing corporate data.
+
+- User data on app is cleared. When user opens the app after rooted.
+
+  The feature is enabled by default; no action is required from admin or user. Any android device running Defender version **1.0.8125.0302** (or later) will have it activated.
+  
+**Prerequisite**
+
+- Company portal must be installed, and version must be >=5.0.6621.0
+
 ### Configure privacy alert report
 
 Admins can now enable privacy control for the phishing report, malware report, and network report sent by Microsoft Defender for Endpoint on Android. This configuration ensures that the domain name, app details, and network details, respectively, aren't sent as part of the alert whenever a corresponding threat is detected.

defender-endpoint/android-whatsnew.md

@@ -29,6 +29,20 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 ### Releases for Defender for Endpoint on Android
 
+#### October 2025
+
+| Build| 1.0.8201.0101|
+| -------- | -------- |
+| Release Date | October 2, 2025 |
+
+**What's New**
+
+- Improved UX experience for the onboarding screens, for more details please visit this link - [UX Enhancement](/defender-endpoint/android-new-ux)
+
+- Global Secure Access Kerberos SSO support on Android (GA): Kerberos SSO experience for users on Android devices with Global Secure Access is now supported. User will need to install and configure a 3rd party SSO client.
+
+- Performance Improvement and bug fixes.
+
 #### September 2025
 
 | Build|1.0.8102.0101|

defender-endpoint/ios-whatsnew.md

@@ -30,6 +30,18 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 ## Releases for Defender for Endpoint on iOS
 
+#### October 2025
+
+| Build | 1.1.69250104|
+| -------- | -------- |
+| Release Date | October 7, 2025  |
+
+**What's New**
+
+- Global Secure Access Kerberos SSO support on iOS (Preview): Kerberos SSO experience for users on iOS devices with Global Secure Access is now supported.  On iOS, to create and deploy profile, refer - [Single sign-on app extension](/intune/intune-service/configuration/ios-device-features-settings).
+
+- Performance Improvement and Bug fixes.
+
 #### September 2025
 
 | Build| 1.1.68200103 |

defender-endpoint/linux-preferences.md

@@ -1,4 +1,4 @@
----
+---
 title: Configure security settings in Microsoft Defender for Endpoint on Linux
 ms.reviewer: gopkr, ardeshmukh
 description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
@@ -581,10 +581,8 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
 
 ### Exclusion setting preferences
 
-**Exclusion setting preferences are currently in preview**.
-
 > [!NOTE] 
-> Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
+> Global exclusions are available in Defender for Endpoint beginning with version `101.24092.0001` or above.
 
 The `exclusionSettings` section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint for Linux.
 

defender-for-cloud-apps/governance-discovery.md

@@ -1,17 +1,24 @@
 ---
 title: Govern discovered apps 
 description: This article describes the procedure for governing your discovered apps by blocking their usage in your organization.
-ms.date: 01/29/2023
+ms.date: 09/30/2025
 ms.topic: how-to
 ms.reviewer: Mravela
 ---
 
 # Govern discovered apps
 
 
-
 After you review the list of discovered apps in your environment, you can secure your environment by approving safe apps (**Sanctioned**) or prohibiting unwanted apps (**Unsanctioned**) in the following ways.
 
+## Prerequisites
+
+Before you can block discovered cloud apps, you must meet the following requirements:
+
+- [Turn on **Cloud Protection** in Microsoft Defender for Endpoint](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus)
+- [Turn on **Network Protection** in Microsoft Defender for Endpoint.](/defender-endpoint/network-protection#required-browser-configuration)
+- Install the **Microsoft Defender Browser Protection** add-on across all non-Microsoft browsers in your organization.
+
 ## Sanctioning/unsanctioning an app
 
 You can mark a specific risky app as unsanctioned by clicking the three dots at the end of the row. Then select **Unsanctioned**. Unsanctioning an app doesn't block use, but enables you to more easily monitor its use with the cloud discovery filters. You can then notify users of the unsanctioned app and suggest an alternative safe app for their use, or [generate a block script using the Defender for Cloud Apps APIs](api-discovery-script.md) to block all unsanctioned apps.

defender-for-cloud-apps/troubleshooting-proxy-end-users.md

@@ -217,6 +217,14 @@ This message only appears for Chrome users, as Microsoft Edge users benefit from
 
 If you receive a message like this, contact Microsoft’s support to address it with the relevant browser vendor.
 
+## Users encounter Entra ID Login after clicking mcas.ms links
+Attackers can craft URLs that appear to lead to trusted domains but actually redirect users to malicious sites. For users protected by the session/suffix-based solution, an attacker might attempt to bypass controls by appending the mcas.ms suffix to a malicious URL, exploiting the assumption that such URLs are safe.
+
+To mitigate this, Microsoft Defender for Cloud Apps redirects any mcas.ms URL lacking valid session context to Entra ID for authentication, effectively blocking such exploits.
+
+However, legitimate mcas.ms URLs without context can exist, for example, if a user clicks on an old browser bookmark. In such cases, the user will first be redirected to Entra ID. If their identity provider (IdP) is not Entra ID, they will need to manually remove the mcas.ms suffix to proceed.
+
+
 ## More considerations for troubleshooting apps
 
 When troubleshooting apps, there are some more things to consider:

defender-for-identity/deploy/prerequisites-sensor-version-3.md

@@ -70,13 +70,13 @@ Applying the **Unified Sensor RPC Audit** tag enables a new, tested capability o
 **Steps to apply the configuration:**
 
 1. In the **Microsoft Defender portal**, navigate to: **System > Settings > Microsoft Defender XDR > Asset Rule Management**.
-1. Create a new rule.  
+1. Select **Create a new rule**
 
  ![Screenshot that shows how to add a new rule.](media/prerequisites-sensor-version-3/new-rule.png)
 
 3. In the side panel:
 
-   1. Select a **name** for the rule.
+   1. Enter a **Rule name** and **Description**.
 
    1. Set **rule conditions** using `Device name`, `Domain`, or `Device tag` to target the desired machines.
 
@@ -88,9 +88,15 @@ Applying the **Unified Sensor RPC Audit** tag enables a new, tested capability o
 
  ![Screenshot that shows the config tag.](media/prerequisites-sensor-version-3/tag.png)
 
-5. Click **Submit** to save the rule.
+5. Select **Next** to review and finish creating the rule and then select **Submit**.
 
-   Offboarding a device from this configuration can be done by **deleting the asset rule** or **modifying the rule conditions** so the device no longer matches.
+### Updating rules
+   Offboarding a device from this configuration can be done **only** from **deleting the asset rule** or **modifying the rule conditions** so the device no longer matches.
+
+>[!NOTE]
+> It may take up to 1 hour for changes to be reflected in the portal.
+
+Learn more about Asset Management Rule [here](/defender-xdr/configure-asset-rules)
 
 ## Configure Windows auditing
 

defender-for-identity/remove-rbcd-microsoft-entra-seamless-single-sign-on-account.md

@@ -6,7 +6,6 @@ ms.author: rlitinsky
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     08/22/2024
-ms.subservice: ''
 ms.reviewer: LiorShapiraa
 ---
 

defender-office-365/TOC.yml

@@ -40,7 +40,7 @@
        href: trial-user-guide-defender-for-office-365.md
 
    - name: Deploy
-     items: 
+     items:
      - name: Pilot and deploy Defender for Office 365
        href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-office-365/TOC.json&bc=/defender-office-365/breadcrumb/toc.json
      - name: Get started with Microsoft Defender for Office 365
@@ -120,6 +120,8 @@
          href: mdo-sec-ops-guide.md
        - name: SecOps guide for Teams protection in Defender for Office 365
          href: mdo-support-teams-sec-ops-guide.md
+       - name: SecOps guide for email authentication in Microsoft 365
+         href: email-auth-sec-ops-guide.md
        - name: Threat classification
          href: mdo-threat-classification.md
        - name: Security recommendations for priority accounts

defender-office-365/air-auto-remediation.md

@@ -48,7 +48,7 @@ After you select the cluster types to automatically remediate, the selected reme
 
 Use the following steps to select the cluster types to automatically remediate:
 
-In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **MDO automation settings**.
+In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **MDO automation settings**. Or, to go directly to the **Automation settings** page, use <https://security.microsoft.com/securitysettings/mdoAutomationSettings>.
 
 The following settings are available on the **Automation settings** page: